Matt Caswell [Tue, 7 Mar 2023 16:52:55 +0000 (16:52 +0000)]
Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.
Fixes: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)
Matt Caswell [Tue, 7 Mar 2023 15:22:40 +0000 (15:22 +0000)]
Generate some certificates with the certificatePolicies extension
Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)
Pauli [Wed, 22 Mar 2023 01:13:07 +0000 (12:13 +1100)]
Disable the policy tree exponential growth test conditionally
If there is no EC specified, the test won't pass.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20572)
(cherry picked from commit
f5935fcf8e4bc2191ac4a32e5b7ec32817642f1e)
Pauli [Wed, 15 Mar 2023 03:29:22 +0000 (14:29 +1100)]
changes: note about policy tree size limits and circumvention
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20569)
Pauli [Wed, 8 Mar 2023 03:39:25 +0000 (14:39 +1100)]
test: add test cases for the policy resource overuse
These trees have pathological properties with respect to building. The small
tree stays within the imposed limit, the large tree doesn't.
The large tree would consume over 150Gb of RAM to process.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20569)
Pauli [Wed, 8 Mar 2023 04:28:20 +0000 (15:28 +1100)]
x509: excessive resource use verifying policy constraints
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
Fixes CVE-2023-0464
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20569)
Mike Gilbert [Sun, 12 Feb 2023 22:56:58 +0000 (17:56 -0500)]
Fix Configure test for -mips in CFLAGS
We want to add -mips2 or -mips3 only if the user hasn't already
specified a mips version in CFLAGS. The existing test was a
double-negative.
CLA: trivial
Fixes: https://github.com/openssl/openssl/issues/20214
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20536)
Pauli [Wed, 15 Mar 2023 08:19:35 +0000 (19:19 +1100)]
Fix copyright disclaimer.
The mention of the GPL shouldn't have been there.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20517)
(cherry picked from commit
c879f8ac56170a5cf929fab8067beb2a5902be2b)
Pauli [Thu, 9 Mar 2023 07:26:32 +0000 (18:26 +1100)]
Fix copyright header
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20473)
Gang Chen [Tue, 21 Feb 2023 06:54:46 +0000 (14:54 +0800)]
crypto/conf: gcc build warning fix
Fix the gcc build warning from conf_sap.c:
variable flags set but not used [-Wunused-but-set-variable]
variable appname set but not used [-Wunused-but-set-variable]
variable filename set but not used [-Wunused-but-set-variable]
CLA: trivial
Signed-off-by: Gang Chen <gang.c.chen@intel.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20347)
Bernd Edlinger [Mon, 13 Feb 2023 11:58:33 +0000 (12:58 +0100)]
Fix failing cms test when no-des is used
The test tries to use DES but that may not be available.
But for the purpose of regression testing CVE-2023-0215
the cipher is not relevant, so we use AES-128 instead.
Fixes #20249
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20276)
(cherry picked from commit
c400a1fe477b44a5eacbad2be8d50f2eaa92925c)
Hubert Kario [Wed, 8 Feb 2023 13:13:24 +0000 (14:13 +0100)]
rsa: add msvc intrinsic for non x64 platforms
_umul128() is x86_64 (x64) only, while __umulh() works everywhere, but
doesn't generate optimal code on x64
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20244)
(cherry picked from commit
075652f224479dad2e64b92e791b296177af8705)
Richard Levitte [Tue, 7 Feb 2023 13:37:22 +0000 (14:37 +0100)]
Prepare for 1.1.1u-dev
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
Richard Levitte [Tue, 7 Feb 2023 13:37:05 +0000 (14:37 +0100)]
Prepare for 1.1.1t release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
Richard Levitte [Tue, 7 Feb 2023 11:55:04 +0000 (12:55 +0100)]
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
Tomas Mraz [Mon, 23 Jan 2023 17:27:11 +0000 (18:27 +0100)]
Add CHANGES and NEWS entries for the 1.1.1t release
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Hugo Landau [Tue, 17 Jan 2023 17:45:42 +0000 (17:45 +0000)]
CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Wed, 14 Dec 2022 17:15:18 +0000 (17:15 +0000)]
Check CMS failure during BIO setup with -stream is handled correctly
Test for the issue fixed in the previous commit
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Wed, 14 Dec 2022 16:18:14 +0000 (16:18 +0000)]
Fix a UAF resulting from a bug in BIO_new_NDEF
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
be part of an invalid BIO chain. This causes a "use after free" when the
BIO is eventually freed.
Based on an original patch by Viktor Dukhovni and an idea from Theo
Buehler.
Thanks to Octavio Galland for reporting this issue.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Tue, 13 Dec 2022 15:02:26 +0000 (15:02 +0000)]
Add a test for CVE-2022-4450
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
ptrs and therefore there should be no double free if we free the ptrs on
error.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Matt Caswell [Tue, 13 Dec 2022 14:54:55 +0000 (14:54 +0000)]
Avoid dangling ptrs in header and data params for PEM_read_bio_ex
In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.
Thanks to Dawei Wang for reporting this issue.
Based on a proposed patch by Kurt Roeckx.
CVE-2022-4450
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Matt Caswell [Fri, 20 Jan 2023 15:26:54 +0000 (15:26 +0000)]
Fix Timing Oracle in RSA decryption
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
Patch written by Dmitry Belyavsky and Hubert Kario
CVE-2022-4304
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Richard Levitte [Mon, 30 Jan 2023 14:19:10 +0000 (15:19 +0100)]
Use $config{build_file} instead of $target{build_file}
If the user specifies an alternative build file than the default, this
alternative is recorded in $config{build_file}, not $target{build_file}.
Therefore, the former should be used, leaving the latter as a mere default.
This is a bug.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20174)
Gerd Hoffmann [Wed, 12 Jan 2022 09:30:15 +0000 (10:30 +0100)]
crypto/bio: drop float formating for UEFI
Using floating point is not supported in UEFI and can cause build
problems, for example due to SSE being disabled and x64 calling
convention passing floats in SSE registers.
Avoid those problems by not compiling the formating code for floating
point numbers.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19738)
Hugo Landau [Wed, 18 Jan 2023 15:43:56 +0000 (15:43 +0000)]
Fix corruption when searching for CRLs in hashed directories (1.1)
The by_dir certificate/CRL lookup code uses an OPENSSL_STACK to track
how many sequentially numbered CRL files have been loaded for a given
X509_NAME hash which is being requested. This avoids loading already
loaded CRL files and repeated stat() calls.
This OPENSSL_STACK is searched using sk_find, however this mutates
the OPENSSL_STACK unless it is known to be sorted. This operation
therefore requires a write lock, which was not taken.
Fix this issue by sorting the OPENSSL_STACK whenever it is mutated. This
guarantees no mutation will occur during sk_find. This is chosen over
taking a write lock during sk_find as retrieving a CRL by X509_NAME is
assumed to be a hotter path than the case where a new CRL is installed.
Also optimise the code by avoiding creating the structure to track the
last CRL file sequence number in the circumstance where it would match
the initial value, namely where no CRL with the given hash is installed.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20127)
Matt Caswell [Fri, 20 Jan 2023 14:08:42 +0000 (14:08 +0000)]
Add DTLS support to the large app data test
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20087)
Matt Caswell [Thu, 19 Jan 2023 11:59:44 +0000 (11:59 +0000)]
Ensure our buffer allocation allows for the Explicit IV
Some ciphers/protocol versions have an explicit IV. We need to make sure we
have sufficient room for it in the underlying buffer.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20087)
Matt Caswell [Thu, 19 Jan 2023 10:52:45 +0000 (10:52 +0000)]
Add a test for large app data
Test that sending large app data records works correctly.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20087)
ValdikSS [Wed, 18 Jan 2023 17:14:48 +0000 (20:14 +0300)]
Padlock: fix byte swapping assembly for AES-192 and 256
Byte swapping code incorrectly uses the number of AES rounds to swap expanded
AES key, while swapping only a single dword in a loop, resulting in swapped
key and partially swapped expanded keys, breaking AES encryption and
decryption on VIA Padlock hardware.
This commit correctly sets the number of swapping loops to be done.
Fixes #20073
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20077)
(cherry picked from commit
7331e7ef79fe4499d81cc92249e9c97e9ff9291a)
Bernd Edlinger [Mon, 5 Dec 2022 05:50:02 +0000 (06:50 +0100)]
Fix CI failures with ubuntu-22.04
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19930)
Bernd Edlinger [Sun, 4 Dec 2022 13:19:55 +0000 (14:19 +0100)]
Fix various clang-14/15 compiler warnings
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19930)
Bernd Edlinger [Tue, 8 Nov 2022 16:43:22 +0000 (17:43 +0100)]
Limit size of modulus for bn_mul_mont and BN_mod_exp_mont_consttime
Otherwise the alloca can cause an exception.
Issue reported by Jiayi Lin.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19735)
Matt Caswell [Tue, 6 Dec 2022 14:51:54 +0000 (14:51 +0000)]
Ensure ossl_cms_EncryptedContent_init_bio() reports an error on no OID
If the cipher being used in ossl_cms_EncryptedContent_init_bio() has no
associated OID then we should report an error rather than continuing on
regardless. Continuing on still ends up failing - but later on and with a
more cryptic error message.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19920)
Matt Caswell [Tue, 6 Dec 2022 14:35:53 +0000 (14:35 +0000)]
Fix BIO_f_asn1() to properly report some errors
Some things that may go wrong in asn1_bio_write() are serious errors
that should be reported as -1, rather than 0 (which just means "we wrote
no data").
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19920)
Matt Caswell [Tue, 6 Dec 2022 14:21:23 +0000 (14:21 +0000)]
Fix SMIME_crlf_copy() to properly report an error
If the BIO unexpectedly fails to flush then SMIME_crlf_copy() was not
correctly reporting the error. We modify it to properly propagate the
error condition.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19920)
Matt Caswell [Tue, 6 Dec 2022 14:18:53 +0000 (14:18 +0000)]
Fix BIO_f_cipher() flushing
If an error occurs during a flush on a BIO_f_cipher() then in some cases
we could get into an infinite loop. We add a check to make sure we are
making progress during flush and exit if not.
This issue was reported by Octavio Galland who also demonstrated an
infinite loop in CMS encryption as a result of this bug.
The security team has assessed this issue as not a CVE. This occurs on
*encryption* only which is typically processing trusted data. We are not
aware of a way to trigger this with untrusted data.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19920)
Bernd Edlinger [Fri, 16 Dec 2022 18:30:29 +0000 (19:30 +0100)]
Fix a logic flaw in test_mod_exp_zero
Due to the logic flaw, possible test failures
in this test case might be ignored.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19929)
(cherry picked from commit
42061268ee8f9ae0555d522870740fc91b744f4f)
Bernd Edlinger [Wed, 16 Nov 2022 11:32:06 +0000 (12:32 +0100)]
Fix a memory leak in rsa_priv_encode
If PKCS8_pkey_set0 fails, the memory in rk need to be clear freed
otherwise it is owned by the PKCS8_PRIV_KEY_INFO.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19694)
Matt Caswell [Thu, 27 Oct 2022 13:14:53 +0000 (14:14 +0100)]
Fix the ceiling on how much encryption growth we can have
Stitched ciphersuites can grow by more during encryption than the code
allowed for. We fix the calculation and add an assert to check we go it
right.
Also if we are adding the MAC independently of the cipher algorithm then
the encryption growth will not include that MAC so we should remove it
from the amount of bytes that we reserve for that growth. Otherwise we
might exceed our buffer size and the WPACKET_reserve operation will
fail.
Note that this is not a security issue. Even though we can overflow the
amount of bytes reserved in the WPACKET for the encryption, the underlying
buffer is still big enough.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19585)
Bernd Edlinger [Thu, 10 Nov 2022 17:51:44 +0000 (18:51 +0100)]
Resign test/certs/rootCA.pem to expire in 100 years
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19654)
(cherry picked from commit
43086b1bd48958ce95fadba8459ad88675da4fdf)
Bernd Edlinger [Thu, 10 Nov 2022 17:23:25 +0000 (18:23 +0100)]
Update the validity period of
ed25519 cerificates
Note: The private key is test/certs/root-
ed25519.privkey.pem
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19654)
(cherry picked from commit
42f917432999b34ad8618ae03a5f199738a2b5ba)
Tomas Mraz [Wed, 2 Nov 2022 07:53:36 +0000 (08:53 +0100)]
Update GitHub actions as suggested by dependabot
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19581)
(cherry picked from commit
ec33ed712665ca65cabcd87d446e5db79a64379e)
Tomas Mraz [Tue, 1 Nov 2022 12:36:17 +0000 (13:36 +0100)]
Prepare for 1.1.1t-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Tomas Mraz [Tue, 1 Nov 2022 12:36:10 +0000 (13:36 +0100)]
Prepare for 1.1.1s release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Tomas Mraz [Tue, 1 Nov 2022 12:17:34 +0000 (13:17 +0100)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/19560)
Tomas Mraz [Tue, 1 Nov 2022 10:50:22 +0000 (11:50 +0100)]
Update CHANGES and NEWS for new release
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19558)
Richard Levitte [Wed, 6 Jul 2022 04:09:01 +0000 (06:09 +0200)]
Make openVMS seeding less dependent of OpenVMS version
SYS$GETTIM_PREC is a very new function, only available on OpenVMS v8.4.
OpenSSL binaries built on OpenVMS v8.4 become unusable on older OpenVM
versions, but building for the older CRTL version will make the high
precision time functions unavailable.
Tests have shown that on Alpha and Itanium, the time update granularity
between SYS$GETTIM and SYS$GETTIM_PREC is marginal, so the former plus
a sequence number turns out to be better to guarantee a unique nonce.
Fixes #18727
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18730)
Todd C. Miller [Mon, 24 Oct 2022 14:00:48 +0000 (08:00 -0600)]
ssl_cipher_process_rulestr: don't read outside rule_str buffer
If rule_str ended in a "-", "l" was incremented one byte past the
end of the buffer. This resulted in an out-of-bounds read when "l"
is dereferenced at the end of the loop. It is safest to just return
early in this case since the condition occurs inside a nested loop.
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19166)
(cherry picked from commit
428511ca66670e169a0e1b12e7540714b0be4cf8)
Pauli [Thu, 20 Oct 2022 23:29:09 +0000 (10:29 +1100)]
doc: fix copy/paste error
Fixes #19460
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19461)
(cherry picked from commit
5b9480fc1e814bf8fa2dce0dbbede147f04d477c)
Dr. David von Oheimb [Fri, 29 Jul 2022 11:09:52 +0000 (13:09 +0200)]
Fix many inconsistencies in doc of CMS_verify() and PKC7_verify() etc.
Also change B< to I< in {CMS,PKCS7}_verify.pod, PKCS7_sign{,_add_signer}.pod
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19108)
(cherry picked from commit
312a6b3a0327a986344c85aa6bc43e135d70bc6c)
Gibeom Gwon [Tue, 11 Oct 2022 17:57:21 +0000 (02:57 +0900)]
Fix no longer implicitly refresh the cached TBSCertificate
This reverts commit
748df1874f0488ce0c86b6d2d083921abb34b1e3.
Fixes #19388
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19392)
Matt Caswell [Tue, 11 Oct 2022 12:46:07 +0000 (13:46 +0100)]
Prepare for 1.1.1s-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Matt Caswell [Tue, 11 Oct 2022 12:45:58 +0000 (13:45 +0100)]
Prepare for 1.1.1r release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
Matt Caswell [Tue, 11 Oct 2022 12:13:47 +0000 (13:13 +0100)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/19383)
Matt Caswell [Mon, 10 Oct 2022 10:53:46 +0000 (11:53 +0100)]
Updated CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/19381)
Adam Joseph [Sat, 1 Oct 2022 03:55:29 +0000 (20:55 -0700)]
Configurations: mips64*-linux-*abin32 needs bn_ops SIXTY_FOUR_BIT
The IRIX mips64-cpu, n32-abi configurations include SIXTY_FOUR_BIT in bn_ops,
but it is missing from mips64*-linux-*abin32 (which OpenSSL calls
"linux-mips64"). This causes heap corruption when verifying TLS certificates
(which tend to be RSA-signed) with openssl 1.1.1q:
```
nix@oak:~$ /nix/store/4k04dh6a1zs6hxiacwcg4a4nvxvgli2j-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443free(): invalid pointer
Aborted
```
and a slightly different failure with current HEAD:
```
nix@oak:~$ /nix/store/9bqxharxajsl9fid0c8ls6fb9wxp8kdc-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443
Connecting to 142.250.180.4
CONNECTED(
00000003)
Fatal glibc error: malloc assertion failure in sysmalloc: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)
Aborted
```
Applying this patch and recompiling produces the expected output instead of a
crash.
Note that Gentoo (and to my knowledge all other other distributions which
support mips64n32) use the `linux-generic32` configuration, which uses only
32-bit arithmetic (rather than full 64-bit arithmetic) and lacks assembler
implementations for the SHA hash functions:
https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/openssl/files/gentoo.config-1.0.2#n102
For support in nixpkgs we would like to use the full 64-bit integer registers
and perlasm routines, so I'm submitting this upstream as well.
Fixes #19319
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19320)
(cherry picked from commit
d250e8563fa400fd3d9b93cff609c7503149b908)
Gibeom Gwon [Sat, 27 Aug 2022 13:29:28 +0000 (22:29 +0900)]
X509 x_all.c: Set 'modified' flag when ASN1_item_sign{,_ctx} call was successful
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18879)
Gibeom Gwon [Sat, 27 Aug 2022 13:04:38 +0000 (22:04 +0900)]
X509 x509_req.c: Set 'modified' flag when X509_req_info_st member data updated
We need to reencode X509_req_info_st if member data updated.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18879)
Daniel Fiala [Sun, 28 Aug 2022 09:53:32 +0000 (11:53 +0200)]
Convert serverinfo in SSL_CTX_use_serverinfo() to v2.
Fixes #18183.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19081)
Ryan Kelley [Tue, 16 Aug 2022 05:28:50 +0000 (05:28 +0000)]
Moving notify check after the no time check
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19007)
(cherry picked from commit
c92c3dfb99485eb2cfb840e92bd0ece8cdd72d0c)
Pauli [Tue, 16 Aug 2022 01:05:02 +0000 (11:05 +1000)]
Coverity
1508506: misuse of time_t
Fixes a bug in the cookie code which would have caused problems for ten
minutes before and after the lower 32 bits of time_t rolled over.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19022)
Pauli [Tue, 16 Aug 2022 01:05:02 +0000 (11:05 +1000)]
Coverity
1508534 &
1508540: misuses of time_t
Avoid problems when the lower 32 bits of time_t roll over by delaying
the cast to integer until after the time delta has been computed.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19004)
(cherry picked from commit
a6cadcbdc3b4f3fbd0fd228e41177f0661b68264)
Pauli [Fri, 6 May 2022 06:59:26 +0000 (16:59 +1000)]
bn_nist: fix strict aliasing problem
As of clang-14 the strict aliasing is causing code to magically disappear.
By explicitly inlining the code, the aliasing problem evaporates.
Fixes #18225
Backport of #18258 to 1.1.1.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18948)
Matt Caswell [Mon, 25 Jul 2022 11:39:52 +0000 (12:39 +0100)]
Test that swapping the first app data record with Finished msg works
If the first app data record arrives before the Finished message we should
be able to buffer it and move on to the Finished message.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18976)
Matt Caswell [Mon, 25 Jul 2022 14:59:38 +0000 (15:59 +0100)]
Fix SSL_pending() and SSL_has_pending() with DTLS
If app data is received before a Finished message in DTLS then we buffer
it to return later. The function SSL_pending() is supposed to tell you
how much processed app data we have already buffered, and SSL_has_pending()
is supposed to tell you if we have any data buffered (whether processed or
not, and whether app data or not).
Neither SSL_pending() or SSL_has_pending() were taking account of this
DTLS specific app data buffer.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18976)
Roberto Hueso Gomez [Mon, 1 Aug 2022 18:11:22 +0000 (20:11 +0200)]
Fix EC_KEY_set_private_key() NULL priv_key docs
Updates the docs to describe EC_KEY_set_private_key() function behavior
when a NULL priv_key argument is passed.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18874)
Roberto Hueso Gomez [Mon, 1 Aug 2022 00:08:47 +0000 (02:08 +0200)]
Add test for EC_KEY_set_private_key()
This tests the behavior and API of the EC_KEY_set_private_key function.
It tests compliance with legacy features related to NULL private keys
too.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18874)
Roberto Hueso Gomez [Tue, 26 Jul 2022 18:41:02 +0000 (20:41 +0200)]
Fix EC_KEY_set_private_key() priv_key regression
This allows to set EC_KEY's private key to NULL and fixes regression
issue following OTC guideline in
https://github.com/openssl/openssl/issues/18744#issuecomment-
1195175696
Fixes #18744.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18874)
Dr. David von Oheimb [Fri, 8 Jan 2021 07:27:17 +0000 (08:27 +0100)]
X509_REQ_get_extensions(): Return empty stack if no extensions found
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18926)
Bernd Edlinger [Wed, 5 Jan 2022 16:25:02 +0000 (17:25 +0100)]
Fix copyright year issues
Fixes: #13765
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17706)
Pauli [Thu, 28 Jul 2022 01:23:29 +0000 (11:23 +1000)]
Note that EVP_CIPHER_iv_length returns negative values on error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18894)
valdaarhun [Mon, 25 Jul 2022 13:19:19 +0000 (18:49 +0530)]
Fixes segfault occurrence in PEM_write()
Checks if header is NULL or not before calling strlen().
CLA: trivial
Fixes #18825
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18865)
(cherry picked from commit
205957405d08ef199e6ab654e333a627bbca9ccc)
Pauli [Mon, 25 Jul 2022 03:01:00 +0000 (13:01 +1000)]
Fix error in LHASH documentation
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18859)
(cherry picked from commit
316fad64c1e541a530910a13160d48b7545ac1e0)
Matt Caswell [Fri, 10 Jun 2022 11:33:45 +0000 (12:33 +0100)]
Fix a crash in v2i_IPAddrBlocks()
If an IP address prefix value is supplied that is too large then a crash
can result. v2i_IPAddrBlocks() should sanity check the prefix value, as
should X509v3_addr_add_prefix().
Reported by Theo Buehler (@botovq)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18847)
Amir Mohammadi [Wed, 4 Aug 2021 05:14:29 +0000 (09:44 +0430)]
Fix test case for a2i_IPADDRESS
(cherry picked from commit
9b887d5d5a8ef9aa1c3ce6e54a82ddcba25b9415)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18847)
Christian Heimes [Sat, 15 Aug 2020 18:01:49 +0000 (20:01 +0200)]
Test case for a2i_IPADDRESS
Unit test to show that a2i_IPADDRESS("1.2.3.4.test.example") ignores
trailing data.
See: https://github.com/openssl/openssl/issues/12649
See: https://bugs.python.org/issue41556
(cherry picked from commit
1a9411a30b09a98498366979a1ea4898f70f6d19)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18847)
Amir Mohammadi [Wed, 4 Aug 2021 05:13:49 +0000 (09:43 +0430)]
Fix ipv4_from_asc behavior on invalid Ip addresses
sscanf() call in ipv4_from_asc does not check that
the string is terminated immediately after the last digit.
(cherry picked from commit
8b9a13b43ba3d71e441fca47a52e800ce79b3d2b)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18847)
Todd Short [Wed, 20 Jul 2022 20:42:50 +0000 (16:42 -0400)]
Fix re-signing certificates with different key sizes
PR #18129 broke the scenario of signing a certificate (not CSR) with
different-sized key. This works in 3.0, so port the fix from 3.0
(which is to only update the issuer for a request).
Partially undo #18129, but keep setting the issuer only for a CSR
Create two certs (a and ca) then sign a with c (into b):
```
openssl req -x509 -newkey rsa:2048 -keyout a-key.pem -out a-cert.pem -days 365 -nodes -subj /CN=a.example.com
openssl req -x509 -newkey rsa:4096 -keyout ${HERE}/ca-key.pem -out ${HERE}/ca-cert.pem -days 3650 -nodes -subj /CN=ca.example.com
openssl x509 -in a-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial '
1234567890' -preserve_dates -sha256 -out b-cert.pem
```
The above succeeds in 1.1.1n and 3.0, fails in 1.1.1o (which includes #18129)
The issue in #16080 is also fixed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18836)
Shi Pujin [Wed, 20 Jul 2022 07:42:50 +0000 (15:42 +0800)]
Add loongarch64 target
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18831)
Dr. David von Oheimb [Wed, 20 Jul 2022 06:39:45 +0000 (08:39 +0200)]
X509_STORE_CTX_purpose_inherit(): add missing details to its documentation
Fixes #18801
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18830)
(cherry picked from commit
c00fd2dece8ba54b2597a61c8db6a001025d05d5)
Dmitry Belyavskiy [Thu, 14 Jul 2022 19:41:48 +0000 (21:41 +0200)]
Fix verify_callback in the openssl s_client/s_server app
We need to check that error cert is available before printing its data
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18805)
(cherry picked from commit
fad0f80eff188ef938fed614245a56ed56110deb)
Dr. David von Oheimb [Tue, 31 May 2022 08:02:02 +0000 (10:02 +0200)]
x509.pod: fix description of certificate serial number storage
Backported from https://github.com/openssl/openssl/pull/18373
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18803)
Dr. David von Oheimb [Mon, 30 May 2022 14:53:05 +0000 (16:53 +0200)]
APPS/x509: With -CA but both -CAserial and -CAcreateserial not given, use random serial.
Also improve openssl-x509.pod.in and error handling of load_serial() in apps.c.
Backported from https://github.com/openssl/openssl/pull/18373
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18803)
Varun Sharma [Sat, 9 Jul 2022 14:03:23 +0000 (07:03 -0700)]
ci: add GitHub token permissions for workflows
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18766)
(cherry picked from commit
c6e7f427c82dfa17416a39af7661c40162d57aaf)
(cherry picked from commit
90d6e6a3d5d30c3df4edf4a6430472c3eeb7d7a7)
Allan [Thu, 7 Jul 2022 23:04:09 +0000 (16:04 -0700)]
Fix memory leak in X509V3_add1_i2d when flag is X509V3_ADD_DELETE
Fixes #18677
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18698)
(cherry picked from commit
4798e0680b112993815098ca21d7d68ff31ebc6e)
Viktor Szakats [Sun, 3 Jul 2022 22:30:06 +0000 (22:30 +0000)]
use #pragma comment(lib) with _MSC_VER only
Avoid this warning when compiled with llvm/gcc + mingw-w64 and
`USE_BCRYPTGENRANDOM` enabled:
```
../providers/implementations/rands/seeding/rand_win.c:31:11: warning: unknown pragma ignored [-Wunknown-pragmas]
^
1 warning generated.
```
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18709)
(cherry picked from commit
695cb63c744bab090144a86949b68324ee3094d6)
Bernd Edlinger [Sat, 23 Oct 2021 09:58:27 +0000 (11:58 +0200)]
Make the DRBG seed propagation thread safe
Currently there is a race possible because the reseed_counter
of the master drbg may be incremented after the get_entropy call.
Therefore access the parent's reseed_counter while still holding
the rand_drbg_lock.
This improves commit
958fec77928a28350f6af252ac5e8d0e6e081faa
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16900)
Bernd Edlinger [Tue, 5 Jul 2022 18:39:06 +0000 (20:39 +0200)]
Fix a memory leak in tls13_generate_secret
This was found by my Reproducible Error Injection patch (#18356)
Due to the exact location of the injected memory
error the sha256 digest is missing, and this causes much later
the memory leak (and a failed assertion) in tls13_generate_secret.
But the reproduction is a bit challenging, as it requires AESNI
and RDRAND capability.
OPENSSL_ia32cap=0x4200000000000000 ERROR_INJECT=
1657070330 ../util/shlib_wrap.sh ./client-test ./corpora/client/
791afc153e17db072175eeef85385a38d7f6d194
#0 0x7fceaffb7d4f in __sanitizer_print_stack_trace ../../../../src/libsanitizer/asan/asan_stack.cc:36
#1 0x55fb9117f934 in my_malloc fuzz/test-corpus.c:114
#2 0x7fceafa147f3 in OPENSSL_LH_insert crypto/lhash/lhash.c:109
#3 0x7fceafa42639 in lh_OBJ_NAME_insert crypto/objects/obj_local.h:12
#4 0x7fceafa42639 in OBJ_NAME_add crypto/objects/o_names.c:236
#5 0x7fceaf9f7baa in EVP_add_digest crypto/evp/names.c:39
#6 0x7fceaf9c6b97 in openssl_add_all_digests_int crypto/evp/c_alld.c:39
#7 0x7fceafa0f8ec in ossl_init_add_all_digests crypto/init.c:275
#8 0x7fceafa0f8ec in ossl_init_add_all_digests_ossl_ crypto/init.c:264
#9 0x7fceaf69b4de in __pthread_once_slow /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_once.c:116
#10 0x7fceafafb27c in CRYPTO_THREAD_run_once crypto/threads_pthread.c:118
#11 0x7fceafa1000e in OPENSSL_init_crypto crypto/init.c:677
#12 0x7fceafa1000e in OPENSSL_init_crypto crypto/init.c:611
#13 0x7fceafdad3e8 in OPENSSL_init_ssl ssl/ssl_init.c:190
#14 0x55fb9117ee0f in FuzzerInitialize fuzz/client.c:46
#15 0x55fb9117e939 in main fuzz/test-corpus.c:194
#16 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308
#17 0x55fb9117ec7d in _start (.../openssl/fuzz/client-test+0x2c7d)
#0 0x7fceaffb7d4f in __sanitizer_print_stack_trace ../../../../src/libsanitizer/asan/asan_stack.cc:36
#1 0x55fb9117f934 in my_malloc fuzz/test-corpus.c:114
#2 0x7fceafa147f3 in OPENSSL_LH_insert crypto/lhash/lhash.c:109
#3 0x7fceafa42639 in lh_OBJ_NAME_insert crypto/objects/obj_local.h:12
#4 0x7fceafa42639 in OBJ_NAME_add crypto/objects/o_names.c:236
#5 0x7fceaf9f7baa in EVP_add_digest crypto/evp/names.c:39
#6 0x7fceafdad328 in ossl_init_ssl_base ssl/ssl_init.c:87
#7 0x7fceafdad328 in ossl_init_ssl_base_ossl_ ssl/ssl_init.c:24
#8 0x7fceaf69b4de in __pthread_once_slow /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_once.c:116
#9 0x7fceafafb27c in CRYPTO_THREAD_run_once crypto/threads_pthread.c:118
#10 0x7fceafdad412 in OPENSSL_init_ssl ssl/ssl_init.c:193
#11 0x55fb9117ee0f in FuzzerInitialize fuzz/client.c:46
#12 0x55fb9117e939 in main fuzz/test-corpus.c:194
#13 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308
#14 0x55fb9117ec7d in _start (.../openssl/fuzz/client-test+0x2c7d)
=================================================================
==
1320996==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 80 byte(s) in 1 object(s) allocated from:
#0 0x7fceaffaa808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7fceafa19425 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fceafa03a85 in int_ctx_new crypto/evp/pmeth_lib.c:144
#3 0x7fceafa03a85 in EVP_PKEY_CTX_new_id crypto/evp/pmeth_lib.c:250
#4 0x7fceafe38de5 in tls13_generate_secret ssl/tls13_enc.c:174
#5 0x7fceafd9537f in ssl_derive ssl/s3_lib.c:4833
#6 0x7fceafdde91c in tls_parse_stoc_key_share ssl/statem/extensions_clnt.c:1902
#7 0x7fceafdd4ac1 in tls_parse_all_extensions ssl/statem/extensions.c:752
#8 0x7fceafdf8079 in tls_process_server_hello ssl/statem/statem_clnt.c:1698
#9 0x7fceafe01f87 in ossl_statem_client_process_message ssl/statem/statem_clnt.c:1034
#10 0x7fceafdeec0d in read_state_machine ssl/statem/statem.c:636
#11 0x7fceafdeec0d in state_machine ssl/statem/statem.c:434
#12 0x7fceafdb88d7 in SSL_do_handshake ssl/ssl_lib.c:3718
#13 0x55fb9117f07c in FuzzerTestOneInput fuzz/client.c:98
#14 0x55fb9117f463 in testfile fuzz/test-corpus.c:182
#15 0x55fb9117eb92 in main fuzz/test-corpus.c:226
#16 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308
Indirect leak of 1080 byte(s) in 1 object(s) allocated from:
#0 0x7fceaffaa808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7fceafa19425 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fceafa11555 in pkey_hkdf_init crypto/kdf/hkdf.c:51
#3 0x7fceafa03b36 in int_ctx_new crypto/evp/pmeth_lib.c:160
#4 0x7fceafa03b36 in EVP_PKEY_CTX_new_id crypto/evp/pmeth_lib.c:250
#5 0x7fceafe38de5 in tls13_generate_secret ssl/tls13_enc.c:174
#6 0x7fceafd9537f in ssl_derive ssl/s3_lib.c:4833
#7 0x7fceafdde91c in tls_parse_stoc_key_share ssl/statem/extensions_clnt.c:1902
#8 0x7fceafdd4ac1 in tls_parse_all_extensions ssl/statem/extensions.c:752
#9 0x7fceafdf8079 in tls_process_server_hello ssl/statem/statem_clnt.c:1698
#10 0x7fceafe01f87 in ossl_statem_client_process_message ssl/statem/statem_clnt.c:1034
#11 0x7fceafdeec0d in read_state_machine ssl/statem/statem.c:636
#12 0x7fceafdeec0d in state_machine ssl/statem/statem.c:434
#13 0x7fceafdb88d7 in SSL_do_handshake ssl/ssl_lib.c:3718
#14 0x55fb9117f07c in FuzzerTestOneInput fuzz/client.c:98
#15 0x55fb9117f463 in testfile fuzz/test-corpus.c:182
#16 0x55fb9117eb92 in main fuzz/test-corpus.c:226
#17 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: 1160 byte(s) leaked in 2 allocation(s).
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18725)
Alexander Scheel [Wed, 29 Jun 2022 14:19:58 +0000 (10:19 -0400)]
Fixes OSCP->OCSP typo in ocsp command line
The existing help text says:
> -badsig Corrupt last byte of loaded OSCP response signature (for test)
but this should be OCSP. This is the only occurrence within the project
of this typo.
CLA: trivial
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18684)
(cherry picked from commit
2837b19fcba4bf4ff2ecdc8435c650bf18c27552)
Bernd Edlinger [Sun, 12 Jun 2022 07:37:26 +0000 (09:37 +0200)]
Fix reported performance degradation on aarch64
This restores the implementation prior to
commit
2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode")
for 64bit targets only, since it is reportedly 2-17% slower,
and the silicon errata only affects 32bit targets.
Only for 32bit targets the new algorithm is used.
Fixes #18445
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18539)
Gregor Jasny [Tue, 5 Jul 2022 10:57:06 +0000 (12:57 +0200)]
Add missing header for memcmp
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18719)
(cherry picked from commit
f9e578e720bb35228948564192adbe3bc503d5fb)
Richard Levitte [Tue, 5 Jul 2022 09:08:48 +0000 (11:08 +0200)]
Prepare for 1.1.1r-dev
Reviewed-by: Paul Dale <pauli@openssl.org>
Release: yes
Richard Levitte [Tue, 5 Jul 2022 09:08:33 +0000 (11:08 +0200)]
Prepare for 1.1.1q release
Reviewed-by: Paul Dale <pauli@openssl.org>
Release: yes
Richard Levitte [Tue, 5 Jul 2022 08:33:00 +0000 (10:33 +0200)]
Update copyright year
Reviewed-by: Paul Dale <pauli@openssl.org>
Release: yes
Richard Levitte [Tue, 5 Jul 2022 08:25:00 +0000 (10:25 +0200)]
Update CHANGES and NEWS for upcoming release 1.1.1q
Reviewed-by: Paul Dale <pauli@openssl.org>
Release: yes
Alex Chernyakhovsky [Thu, 16 Jun 2022 02:02:37 +0000 (12:02 +1000)]
AES OCB test vectors
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Alex Chernyakhovsky [Thu, 16 Jun 2022 02:00:22 +0000 (12:00 +1000)]
Fix AES OCB encrypt/decrypt for x86 AES-NI
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.
As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.
Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.
The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.
The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.
This addresses CVE-2022-2097.
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
slontis [Fri, 1 Jul 2022 03:47:11 +0000 (13:47 +1000)]
Fix bn_gcd code to check return value when calling BN_one()
BN_one() uses the expand function which calls malloc which may fail.
All other places that reference BN_one() check the return value.
The issue is triggered by a memory allocation failure.
Detected by PR #18355
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18697)
(cherry picked from commit
7fe7cc57af3db1e497877f0329ba17609b2efc8b)
xkernel [Mon, 20 Jun 2022 09:46:39 +0000 (17:46 +0800)]
v3_sxnet: add a check for the return of i2s_ASN1_INTEGER()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18608)
(cherry picked from commit
9ef1f848a646565d4dd86e56542cf921d4921ad9)
Matt Caswell [Fri, 10 Jun 2022 14:58:58 +0000 (15:58 +0100)]
Fix range_should_be_prefix() to actually return the correct result
range_should_be_prefix() was misidentifying whether an IP address range
should in fact be represented as a prefix. This was due to a bug introduced
in commit
42d7d7dd which made this incorrect change:
- OPENSSL_assert(memcmp(min, max, length) <= 0);
+ if (memcmp(min, max, length) <= 0)
+ return -1;
This error leads to incorrect DER being encoded/accepted.
Reported by Theo Buehler (@botovq)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18524)
(cherry picked from commit
30532e59f475e0066c030693e4d614311a9e0cae)
(cherry picked from commit
2c6550c6db9b1b69dc24f968b4ceb534edcf4841)