Add riscv64 target for OpenSSL_1_1_1 #14724

luyahan · 2021-03-29T07:46:29Z

Just add riscv64 config.

luyahan · 2021-03-31T02:45:55Z

@t8m Hi Tomáš, can you review this pr?

t8m · 2021-03-31T08:43:19Z

Unfortunately this would require an exception from OTC/OMC as 1.1.1 is bug fix only.

slontis · 2021-04-08T07:32:48Z

The change has been merged to master via #14723

slontis · 2021-04-08T07:33:33Z

Does this need a hold?

paulidale · 2021-04-08T09:28:00Z

We've allow similar changes in the past but the OTC should confirm I think.

luyahan · 2021-04-26T09:08:16Z

We've allow similar changes in the past but the OTC should confirm I think.

Hi paulidale
How to get OTC to confirm ?

levitte · 2021-04-26T10:11:28Z

We've allow similar changes in the past but the OTC should confirm I think.

As a rule, we consider this type of change "new feature" and therefore not applicable on release branches. We have occasionally made an exception to this rule, as per OMC decision / vote.

h-vetinari · 2021-04-26T13:07:51Z

We have occasionally made an exception to this rule, as per OMC decision / vote.

Recent example: #12369, see discussion there on how that was eventually resolved.
I think new architectures that need no adaptation of code (but can be implemented by just adding a config) should get a pass for maintenance branches (especially if the next release is still a while away).

levitte · 2021-04-26T14:49:33Z

I switch to the OMC decision label, to follow the example set by #12369, which @h-vetinari so kindly reminded us of.

openssl-machine · 2021-05-27T00:07:03Z

This PR is in a state where it requires action by @openssl/omc but the last update was 30 days ago

openssl-machine · 2021-06-27T00:06:48Z

This PR is in a state where it requires action by @openssl/omc but the last update was 61 days ago

paulidale · 2021-06-27T07:25:36Z

The vote has passed, this can be merged to 1.1.1.

openssl-machine · 2021-06-29T10:00:18Z

24 hours has passed since 'approval: done' was set, but this PR has failing CI tests. Once the tests pass it will get moved to 'approval: ready to merge' automatically, alternatively please review and set the label manually.

Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #14724)

t8m · 2021-06-29T10:19:54Z

Squashed the commits and merged to 1.1.1. Thank you for your contribution.

* Prepare for 1.1.1j-dev Reviewed-by: Richard Levitte <[email protected]> * Fix typo in OPENSSL_malloc.pod CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13632) (cherry picked from commit 74c8dd1c516c7017477a205fd1f5f975cfa86722) * v3nametest: Make the gennames structure static Reviewed-by: Shane Lontis <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13635) (cherry picked from commit 7eea331eabe8b0a7ce03c9602a2bc72e9ddfe676) * Modify is_tls13_capable() to take account of the servername cb A servername cb may change the available certificates, so if we have one set then we cannot rely on the configured certificates to determine if we are capable of negotiating TLSv1.3 or not. Fixes #13291 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13305) * Test that we can negotiate TLSv1.3 if we have an SNI callback If an SNI callback has been set then we may have no certificuates suitable for TLSv1.3 use configured for the current SSL_CTX. This should not prevent us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we need a suitable certificate. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13305) * Configurations: PowerPC is big endian Define B_ENDIAN on PowerPC because it is a big endian architecture. With this change the BN* related tests pass. Fixes: #12199 Signed-off-by: Sebastian Andrzej Siewior <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12371) (cherry picked from commit 52c6c12c1cad6f1046b34f4139d1aa3e967a5530) * Github CI: run also on repository pushes Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13686) (cherry picked from commit 4159ebca3cb3d9586d6709c7a0166a4af5676f91) * Document OCSP_REQ_CTX_i2d. This is a backport of the documentation from #13620. Reviewed-by: David von Oheimb <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13691) * GitHub CI: Add 'check-update' and 'check-docs' 'check-update' runs a 'make update' to check that it wasn't forgotten. 'check-docs' runs 'make doc-nits'. We have that as a separate job to make it more prominent. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Kurt Roeckx <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13701) (cherry picked from commit 8175476b81c6b54bfa1c8555b35561099b202c4d) * Fix NULL pointer access caused by X509_ATTRIBUTE_create() When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return failure rather than silently constructing a broken X509_ATTRIBUTE object that might cause NULL pointer accesses later on. This matters because X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3) and the NID comes straight from the user. This bug was found while working on LibreSSL documentation. Reviewed-by: Theo Buehler <[email protected]> CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12052) (cherry picked from commit c4b2c53fadb158bee34aef90d5a7d500aead1f70) * CRYPTO_secure_malloc_init: BSD support improvements. Backport of #13394 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13637) * Update copyright years of auto-generated headers (make update) This backports #13764. Reviewed-by: Tim Hudson <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13769) * poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue I.e.: error: out of range immediate fixup value This fix is identical to one of the changes made in 3405db9, which I discovered right after taking a quick stab at fixing this. CLA: trivial Fixes #7878 Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13757) * Ensure DTLS free functions can handle NULL Our free functions should be able to deal with the case where the object being freed is NULL. This turns out to not be quite the case for DTLS related objects. Fixes #13649 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13655) (cherry picked from commit d0afb30ef3950cacff50ec539e90073b95a276df) * Fix for negative return value from `SSL_CTX_sess_accept()` Fixes #13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13297) * [crypto/dh] side channel hardening for computing DH shared keys (1.1.1) Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13772) * OPENSSL_cpuid_setup FreeBSD PowerPC update Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13821) (cherry picked from commit b57ec7394aace731c460b509aa84039274337600) * OPENSSL_cpuid_setup FreeBSD arm update. when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach. Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13650) (cherry picked from commit 5eb24fbd1c3e0d130ba7f81f1ccf457a2b9d75ad) * Fix -static builds Pull in check from #10878 Move disabling of pic, threads and statics up higher before they are checked. Fixes #12772 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12773) * Skip BOM when reading the config file Fixes #13840 Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13857) (cherry picked from commit 4369a882a565c42673b28c586a5c46a8bca98d17) * X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert This is the backport of #13755 to v1.1.1. Fixes #13698 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13756) * x509_vfy.c: Fix a regression in find_isser() ...in case the candidate issuer cert is identical to the target cert. Fixes #13739 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13749) * DOCS: Fix incorrect pass phrase options references There were a number of older style references to the pass phrase options section, now streamlined with the current openssl(1). Fixes #13883 Reviewed-by: Kurt Roeckx <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13886) * Fix regression in no-deprecated build Also add a new no-deprecated CI build to test it. Fixes #13896 Reviewed-by: David von Oheimb <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13902) * Ensure SRP BN_mod_exp follows the constant time path SRP_Calc_client_key calls BN_mod_exp with private data. However it was not setting BN_FLG_CONSTTIME and therefore not using the constant time implementation. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this issue. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13889) * Fix typo in crl2pkcs documentation Fixes #13910 CLA: trivial Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13911) (cherry picked from commit 6857058016e91d3182c2117922dd8001b27f5639) * CI: Add some legacy stuff that we do not test in GitHub CI yet There are some options that seem to belong to the legacy build. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13903) (cherry picked from commit adcaebc3148fe0fde3f7641c4b607f30e1479986) * Drop Travis At this point, we have transitioned completely from Travis to GitHub Actions Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13941) * check_sig_alg_match(): weaken sig nid comparison to base alg This (re-)allows RSA-PSS signers Fixes #13931 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13982) * Add some missing committers to the AUTHORS list Fixes #13815 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14029) (cherry picked from commit af403db090ee66715e81f0062d1ef614e8d921b5) * apps/ca: Properly handle certificate expiration times in do_updatedb Fixes #13944 + changed ASN1_UTCTIME to ASN1_TIME + removed all Y2K code from do_updatedb + changed compare to ASN1_TIME_compare Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14026) * Prevent creating empty folder "../apps/include" This folder "../apps/include" is accidentally created. This prevents this glitch. Fixes 19b4fe5844b ("Add a CMAC test") Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14051) * NOTES.WIN: fix typo CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Matthias St. Pierre <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14078) * configdata.pm: Better display of enabled/disabled options The options listed in the array @disablables are regular expressions. For most of them, it's not visible, but there are a few. However, configdata.pm didn't quite treat them that way, which meant that the few that are visibly regular expressions, there's a difference between that and the corresponding the key in %disabled, which is never a regular expression. To correctly display the enabled and disabled options with --dump, we must therefore go through a bit of Perl gymnastics to get the output correct enough, primarly so that disabled features don't look enabled. Fixes #13790 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14081) * Configuration: ensure that 'no-tests' works correctly 'no-tests' wasn't entirely respected by test/build.info. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14081) * Remove unused 'peer_type' from SSL_SESSION This field has not been used since #3858 was merged in 2017 when we moved to a table-based lookup for certificate type properties instead of an index-based one. Reviewed-by: Kurt Roeckx <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13991) (cherry picked from commit 3bc0b621a7baf1a11bc5cad69a287ad093674d68) * Configurations/descrip.mms.tmpl: avoid enormous PIPE commands DCL has a total command line limitation that's too easily broken by them. We solve them by creating separate message scripts and using them. Fixes #13789 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13834) * VMS documentation fixes This mostly clarifies details. Fixes #13789 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13834) * Fix Null pointer deref in X509_issuer_and_serial_hash() The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. CVE-2021-23841 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0) * Test that X509_issuer_and_serial_hash doesn't crash Provide a certificate with a bad issuer and check that X509_issuer_and_serial_hash doesn't crash. Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (cherry picked from commit 55869f594f052561b11a2db6a7c42690051868de) * Refactor rsa_test Reduce code copying by factoring out common code into a separate function. Reviewed-by: Paul Dale <[email protected]> * Fix the RSA_SSLV23_PADDING padding type This also fixes the public function RSA_padding_check_SSLv23. Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23 so that padding is rejected if the nul delimiter byte is not immediately preceded by at least 8 bytes containing 0x03. Prior to that commit the padding is rejected if it *is* preceded by at least 8 bytes containing 0x03. Presumably this change was made to be consistent with what it says in appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the original behaviour was correct. This is fixed in later errata issued for that RFC. This has no impact on libssl for modern versions of OpenSSL because there is no protocol support for SSLv2 in these versions. However applications that call RSA_paddin_check_SSLv23 directly, or use the RSA_SSLV23_PADDING mode may still be impacted. The effect of the original error is that an RSA message encrypted by an SSLv2 only client will fail to be decrypted properly by a TLS capable server, or a message encrypted by a TLS capable client will fail to decrypt on an SSLv2 only server. Most significantly an RSA message encrypted by a TLS capable client will be successfully decrypted by a TLS capable server. This last case should fail due to a rollback being detected. Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting this issue. CVE-2021-23839 Reviewed-by: Paul Dale <[email protected]> * Fix rsa_test to properly test RSA_SSLV23_PADDING We test all three cases: - An SSLv2 only client talking to a TLS capable server - A TLS capable client talking to an SSLv2 only server - A TLS capable client talking to a TLS capable server (should fail due to detecting a rollback attack) Reviewed-by: Paul Dale <[email protected]> * Don't overflow the output length in EVP_CipherUpdate calls CVE-2021-23840 Reviewed-by: Paul Dale <[email protected]> * Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte <[email protected]> * Update copyright year Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1j release Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1k-dev Reviewed-by: Richard Levitte <[email protected]> * TEST: Add missing initialization Compiler complained. Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14204) (cherry picked from commit 55e9d8cfffc1a40b0ab72e014ff62d5ef2a0ed63) * Use CRIOGET to fetch a crypto descriptor when present. FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4) Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13853) * Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c) Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13853) * CRYPTO_gcm128_decrypt: fix mac or tag calculation The incorrect code is in #ifdef branch that is normally not compiled in. Signed-off-by: Zhang Jinde <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12968) (cherry picked from commit 1d724b5e82ba36fb50fd24db3cd664da570daf84) * Fix an integer overflow in o_time.c If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow. I think leaving offset_hms as an int is still safe. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14252) (cherry picked from commit 75de54363506e2b2480fc6baf0cd45b1f7fc8816) * Fix filename escaping in c_rehash CLA: trivial Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14301) (cherry picked from commit 2d968951227acd422f0e712035de3216d47fc980) * Check ASN1_item_ndef_i2d() return value. Return an error instead of trying to malloc a negative number. The other usage in this file already had a similar check, and the caller should have put an entry on the error stack already. Note that we only check the initial calls to obtain the encoded length, and assume that the follow-up call to actually encode to the allocated storage will succeed if the first one did. Fixes: #14177 Reviewed-by: Shane Lontis <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14308) (cherry picked from commit 90b4247cc5dca58cee9da5f6975bb38fd200100a) * [github-ci] Add a out-of-tree_build job This adds a new job to trigger the bug reported in <https://github.com/openssl/openssl/issues/11940> Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14388) * [1.1.1] Fix `make update` for out-of-tree builds Fixes #11940 Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14388) * Check SSL_set1_chain error in set_cert_cb CLA: trivial Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14469) (cherry picked from commit 1aa7ecd0d3f6d9c3739cf2e2d87673a3be03b352) * modes: fix coverity 1449860: overlapping memory copy Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14584) (cherry picked from commit 145f12d12dc83c737676883c625c2a95d34251ed) * modes: fix coverity 1449851: overlapping memory copy Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14584) (cherry picked from commit b875e0e820b07420429ebb90724ed28686a98853) * ssl: fix coverity 1451515: out of bounds memory access Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14585) (cherry picked from commit 3de7f014a985637361bdee775f78209300c88aae) * apps: fix coverity 966560: division by zero Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14586) (cherry picked from commit 7e7e034a10842dad3866c9447481b8527024bf44) * Add a missing RUN_ONCE in rand_lib.c Some of the callbacks in rand_lib.c were being invoked without the RUN_ONCE for that file being called. We add it during rand_pool_new which should cover all cases. Fixes #7870 Fixes #11144 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14603) * ASN1: Reset the content dump flag after dumping When encountering a badly coded item, the DER printer (ASN1_print_dump()) sets a flag to ensure that an additional hex dump of the offending content is printed as part of the output. Unfortunately, this flag is never reset, which means that all following items are printed with the extra hex dump, whether they are faulty or not. Resetting the flag after hex dumping ensures that only the faulty contents are printed with the additional hex dump. Fixes #14626 Reviewed-by: Tim Hudson <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14627) (cherry picked from commit 6e34a1048ce4871371eac224b995c3b4338f6166) * Fix missing INVALID_EXTENSION Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14639) * check_chain_extensions: Do not override error return value by check_curve The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates with explicitly encoded elliptic curve parameters in the chain was added to the strict checks. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then a subsequent check that the certificate is consistent with that purpose also checks that it is a valid CA. Therefore where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overriden by an application. Affected applications explicitly set the X509_V_FLAG_X509_STRICT verification flag and either do not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose to make it not set. CVE-2021-3450 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Previously TLSProxy only knew how to "repack" messages for TLSv1.3. Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been too much of restriction. However we now want to modify reneg handshakes which are encrypted so we need to add that capability. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Add a test for CVE-2021-3449 We perform a reneg handshake, where the second ClientHello drops the sig_algs extension. It must also contain cert_sig_algs for the test to work. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * ssl sigalg extension: fix NULL pointer dereference As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's possible to crash an openssl tls secured server remotely by sending a manipulated hello message in a rehandshake. On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls tls12_shared_sigalgs() with the peer_sigalgslen of the previous handshake, while the peer_sigalgs has been freed. As a result tls12_shared_sigalgs() walks over the available peer_sigalgs and tries to access data of a NULL pointer. This issue was introduced by c589c34e61 (Add support for the TLS 1.3 signature_algorithms_cert extension, 2018-01-11). Signed-off-by: Peter Kästle <[email protected]> Signed-off-by: Samuel Sapalski <[email protected]> CVE-2021-3449 CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Matt Caswell <[email protected]> * Ensure buffer/length pairs are always in sync Following on from CVE-2021-3449 which was caused by a non-zero length associated with a NULL buffer, other buffer/length pairs are updated to ensure that they too are always in sync. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Update CHANGES and NEWS for new release Reviewed-by: Tomas Mraz <[email protected]> * Update copyright year Reviewed-by: Tomas Mraz <[email protected]> * Prepare for 1.1.1k release Reviewed-by: Tomas Mraz <[email protected]> * Prepare for 1.1.1l-dev Reviewed-by: Tomas Mraz <[email protected]> * Fix BIO_new_ssl_connect() to not leak memory CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14719) (cherry picked from commit 7947a1eb13c221bbc034796bd394ba00b0e2387d) * Fix typo in BIO_push.pod CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14718) (cherry picked from commit 2db9bef264ba39e173d6b6a3a800595e15eef31b) * Print correct error message in utils/mkdir-p.pl Commit 70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression. If utils/mkdir-p.pl fails to create a target dir because of insufficient file system permissions, the subsequent test for dir existence always fails and overwrites the system error. As a result, a user is presented with a misleading error message. E.g. if a user tries to create a dir under /usr/local and does not have permissions for it, the reported error message is "Cannot create directory /usr/local/lib: No such file or directory", whereas the expected error message is "Cannot create directory /usr/local/lib: Permission denied". This commit introduces a fix by declaring an additional local variable to cache the original error message from mkdir. If -d check fails and overwrites the system error, the user is still presented with the original error from mkdir. CLA: Trivial Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14487) (cherry picked from commit af2e1e9c81110ca1a156430686e2f171e80ebfa0) * doc: fix enc -z option documentation CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14499) (cherry picked from commit 6635ea531e9f7709e5880dd77fd4c3403a5c3db7) * Remove unnecessary BIO_do_handshake()s Since BIO_do_connect() and BIO_do_handshake() are same, no need to invoke BIO_do_handshake() once more after BIO_do_connect(). Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14725) (cherry picked from commit 975e37cd016f86985d16f1ee646e88213494854a) * Fix potential double free in sslapitest.c Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14758) (cherry picked from commit 493e78986f9677c2b321273da51c276b9a8182d8) * Fix typos in x509.pod CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14783) (cherry picked from commit 4c979cbeeb9792b170670fa15e29d077597e7ee0) * crl2pkcs7 shouldn't include empty optional sets If using crl2pkcs7 -nocrl and with no -certfiles, we shouldn't include the implicitly tagged [0] certs and [1] crls sets as they are marked optional and would be empty. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14781) (cherry picked from commit d3a5898a7f4980bc0fa6345c408f88007573c405) * Handle set_alpn_protos inputs better. It's possible to set an invalid protocol list that will be sent in a ClientHello. This validates the inputs to make sure this does not happen. Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14679) * srp: fix double free, In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653. In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738. And *verify is freed via BN_clear_free() at line 743, and return 0. Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687. Bug reported by @Yunlongs Fixes #14913 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit b06450bcf763735a89b65ca3ec176600fe7fceed) * ts: fix double free on error path. In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299. In the implementation of ts_compute_imprint, it allocates md_alg at line 406. But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439. After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token. In the err branch, md_alg will be freed in the second time at line 320. Bug reported by @Yunlongs Fixes #14914 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7) * engine: fix double free on error path. In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481. If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8. In the nop8 branch, p8 is freed again at line 491. Bug reported by @Yunlongs Fixes #14915 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit efe8d69daa1a68be0a7f0f73220947c848e7ed1d) * Some compilers define __STDC_VERSION__ in c++ Some compilers(g++ on Solaris/Illumos) define __STDC__VERSION__ in c++ . This causes c++ code that uses openssl to break on these compilers since _Noreturn is not a keyword in c++ . CLA: trivial Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14944) (cherry picked from commit 1f3b58d8413cfa3824e9c0a146dee6ceedbc367e) * Test that EVP_PKEY_cmp() returns 1 when comparing a key to itself Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14982) * Correct the return value on match and mismatch for MAC pkeys Fixes #14147 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14982) * Don't remove $(TARFILE) when cleaning This file is outside the source tree, so we have no business removing it. This is especially concerning if that was the tarball the user had to create the source tree. Fixes #14981 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14985) (cherry picked from commit f58f7ec9397de7b752aa547e2677933559a657db) * ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse The 'sn' and 'ln' strings may be dynamically allocated, and the ASN1_OBJECT flags have a bit set to say this. If an ASN1_OBJECT with such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings must be freed, or there is a memory leak. Fixes #14667 Reviewed-by: Shane Lontis <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14938) * Test that we don't have a memory leak in d2i_ASN1_OBJECT. Fixes #14667 Reworked test supplied by @smcpeak into a unit test. Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14938) * man: s_server: fix typo in -alpn option description Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15098) * Use OCSP-specific error code for clarity Fixes #12735 for 1.1.1 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15109) * Support for Android NDK r22 This is a backport of #13434, Fixes #13685. I think builds using standalone toolchain are fine so I left them alone, but `Configure` will fail if using the NDK directly because the `platforms` and `sysroot` directories were removed. If `sysroot` is missing, omit the `--sysroot` and `-gcc-toolchain` arguments and use the triplet form clang command. Also since `platforms` was being used for the default API level, use `meta/platforms.json` instead if needed. Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13694) * Avoid sending alerts after shutdown Fixes #11388 Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15159) (cherry picked from commit 22d1138fe2fde9a16e80b81de1d848ae6fa879ef) * BIO_listen: disable setting ipv6_v6only on OpenBSD as it is a read only data and true Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15015) (cherry picked from commit f7f0632b01cf16efccb133e395cf115c194bd003) * Try to parse private key as PKCS#8 first, fallback afterwards Fixes #15022 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15075) * Testing private keys with extra attributes Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15075) * check i2d_ASN1_TYPE return value add a length check to the return value of function i2d_ASN1_TYPE. Return an error instead of trying to malloc a negative number. CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14828) (cherry picked from commit c65abf2213117eb5348a46fbc18f706aca052e85) * Improve RFC 8446 PSK key exchange mode compliance It's a MUST-level requirement that if the client sends a pre_shared_key extension not accompanied by a psk_key_exchange_modes extension, the server must abort the handshake. Prior to this commit the server would continue on. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit efe0f315354b020213097885c79ce856a2f5ac68) (Merged from https://github.com/openssl/openssl/pull/15255) * make update Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15255) * Don't send key_share for PSK-only key exchange TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes. Only the latter mode introduces a new ephemeral (Diffie-Hellman) key exchange, with the PSK being the only key material used in the former case. It's a compliance requirement of RFC 8446 that the server MUST NOT send a KeyShareEntry when using the "psk_ke" mode, but prior to this commit we would send a key-share based solely on whether the client sent one. This bug goes unnoticed in our internal test suite since openssl communicating with openssl can never negotiate the PSK-only key-exchange mode. However, we should still be compliant with the spec, so check whether the DHE mode was offered and don't send a key-share if it wasn't. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit e776858bce32d473bd7a69c616ad7f6c2f979dfc) (Merged from https://github.com/openssl/openssl/pull/15255) * Update expected results for tls13kexmodes tests One of the scenarios constructed in these tests was erroneously producing successful handshakes until the previous commits, but should have been failing. Update our expected behavior to match the specification requirements, and adjust the commentary slightly for a test case relevant for the other preceding commit. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit 80c25611abd7067815943187f36f5e1879201678) (Merged from https://github.com/openssl/openssl/pull/15255) * Avoid division by zero in hybrid point encoding In hybrid and compressed point encodings, the form octet contains a bit of information allowing to calculate y from x. For a point on a binary curve, this bit is zero if x is zero, otherwise it must match the rightmost bit of of the field element y / x. The existing code only considers the second possibility. It could thus incorrecly fail with a division by zero error as found by Guido Vranken's cryptofuzz. This commit adds a few explanatory comments to oct2point. The only actual code change is in the last hunk which adds a BN_is_zero(x) check to avoid the division by zero. Fixes #15021 Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15112) * Test oct2point for hybrid point encoding of (0, y) Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15112) * Inherit hostflags verify params even without hosts X509_VERIFY_PARAM_inherit() now copies hostflags independently of hosts. Previously hostflags were only copied when at least one host was set. Typically applications don't configure hosts on SSL_CTX. The change enables applications to configure hostflags on SSL_CTX and have OpenSSL copy the flags from SSL_CTX to SSL. Fixes: https://github.com/openssl/openssl/issues/14579 Signed-off-by: Christian Heimes <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14856) * Properly restore XMM registers in ChaCha20's AVX-512(VL) assembly Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15315) (cherry picked from commit 6d3f798cba8075e700003aaf34f1e72bb930086c) * Cleanup the peer point formats on regotiation Fixes #14875 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15383) (cherry picked from commit 3f987381929ee725daf4746591144dde18f313e1) * s_client.pod: Fix grammar in NOTES section. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12907) * Call SSLfatal when the generate_ticket_cb returns 0 Otherwise, the state machine ends up being in a bad state: ``` SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:850: ``` Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15485) * Put init_ec_point_formats() inside #ifndef OPENSSL_NO_EC Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15518) * Modify ssl_handshake_hash to call SSLfatal When EVP_MD_CTX_new fails call SSLfatal before the goto err. This resolves a state machine issue on the out of memory condition: ssl/statem/statem.c:643: OpenSSL internal error: Assertion failed: (s)->statem.in_init && (s)->statem.state == MSG_FLOW_ERROR Fixes #15491. CLA: trivial Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15511) * ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15505) * Check the return value of ASN1_STRING_length ASN1_STRING_length gets the field 'length' of msg, which can be manipulated through a crafted input. Add a check to avoid error execution of OPENSSL_malloc(). CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15583) (cherry picked from commit effb0dcf864110a4595f1a243adb9c1dd09eb516) * Only call dtls1_start_timer() once The function dtls1_handle_timeout() calls dtls1_double_timeout() which was calling dtls1_start_timer(). However dtls1_start_timer() is also called directly by dtls1_handle_timeout(). We only need to start the timer once. Fixes #15561 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15595) (cherry picked from commit f570d33b02d824e2a3f676f718c4692572f45333) * s390x: cipher must set EVP_CIPH_ALWAYS_CALL_INIT flag The s390x cipher implementations must call their init function even if the key argument is NULL to allow initializing the cipher operation's context in any order. Signed-off-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14900) * Test EVP_CipherInit sequences and resets Various EVP_CipherInit sequences including partial inits and initializations with different "enc" flags caused problems on s390x. Similarly, cipher reinitialization and especially GCM reinitialization with different tag length led to wrong results. Add some unit tests to cover these rather exotic use cases. Signed-off-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14900) * Clean away remaining Travis related files Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15693) * enable getauxval on android 10 Fixes #9498 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15870) * Use getauxval on Android with API level > 18 We received analytics that devices of the device family Oppo A37x are crashing with SIGILL when trying to load libcrypto.so. These crashes were fixed by using the system-supplied getauxval function. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15763) * Add riscv64 target Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14724) * apple getentropy removal backport of #15924 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15935) * Fix use of uninitialized memory in test_rsa_oaep 48f1739600f33c92387debce2002acec6e365f1d did not convert the RSA OAEP tests correctly. The corrupted ciphertext and truncation tests were really decrypting uninitialized memory, rather than the sample ciphertext. This results in an error in tools like MSan. The test is somewhat roundabout. In the original version, before the conversion, ctext_ex was an OAEP test vector from key1(), etc., functions. The test would: 1. Encrypt ptext_ex as ctext. 2. Decrypt ctext and check it gives ptext_ex. 3. Decrypt ctext_ex and check it gives ptext_ex. 4. Try corrupted and truncated versions of ctext. 48f1739600f33c92387debce2002acec6e365f1d then moved steps 1 and 2 into test_rsa_simple, which meant ctext is no longer available for step 4. It then mistakenly left the variable around, but uninitialized, so the test wasn't testing anything. (Confusingly, test_rsa_simple outputs ctext_ex to the caller, but doesn't do anything with it. The ctext_ex output is also only usable for OAEP, not PKCS#1 v1.5.) It doesn't really matter whether we use ctext or ctext_ex for step 4, so this PR fixes it by using ctext_ex instead. Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15950) (cherry picked from commit 36a4637e158508f5d2fb7750e4870888072a56f9) * doc: Mention the update of der data pointers in d2i/i2d Fixes #15958 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15973) * bn: procduce correct sign for result of BN_mod() There is a problem that appears when calling BN_div(a, c, a, b) with negative b. In this case, the sign of the remainder c is incorrect. The problem only occurs if the dividend and the quotient are the same BIGNUM. Fixes #15982 Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15991) (cherry picked from commit 105c83150f15af3f78ea0758859062842bdbe30e) * Fix memory leak in i2d_ASN1_bio_stream When creating a signed S/MIME message using SMIME_write_CMS() if the reading from the bio fails, the state is therefore still ASN1_STATE_START when BIO_flush() is called by i2d_ASN1_bio_stream(). This results in calling asn1_bio_flush_ex cleanup but will only reset retry flags as the state is not ASN1_STATE_POST_COPY. Therefore 48 bytes (Linux x86_64) leaked since the ndef_prefix_free / ndef_suffix_free callbacks are not executed and the ndef_aux structure is not freed. By always calling free function callback in asn1_bio_free() the memory leak is fixed. (cherry picked from commit 3a1d2b59522163ebb83bb68e13c896188dc222c6) Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15999) * ssl: do not choose auto DH groups that are weaker than the security level manual merge from https://github.com/openssl/openssl/pull/15818 id d7b5c648d682b499b71320a03747602a6ba4dec3 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15832) * test: add test for auto DH security level meets the minimum Manual merge from https://github.com/openssl/openssl/pull/15818 Commit id d0e5230dcecc6013d351545ceb275aa2ba5baa80 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15832) * Fix s_server PSK handling Issue #15951 describes a scenario which causes s_server to fail when using a PSK. In the originally described issue this only impacted master and not 1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you additionally supply the option "-no_ticket" to the s_server command line. The difference between the behaviour in master and 1.1.1 is due to 9c13b49, which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that a default OpenSSL TLSv1.3 ticket length happens to fall between those 2 values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing "no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just forces the use of "session ids as a ticket" instead. This significantly reduces the ticket size to below 128 in 1.1.1. The problem was due to s_server setting a TLSv1.2 PSK callback and a TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK callbacks also work in TLSv1.3 but are not preferred. In the described scenario we use a PSK to create the initial connection. Subsequent to that we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback. Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's TLSv1.2 PSK callback accepts the identity regardless, even though it is an unexpected value, and hence the binder subsequently fails to verify. The fix is to bail early in the TLSv1.2 callback if we detect we are being called from a TLSv1.3 connection. Fixes #15951 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16008) (cherry picked from commit 0007ff257c95f5cd046799e492436f41caf4ecb2) * TEST: Check that i2d refuses to encode non-optional items with no content The test case creates an RSA public key and tries to pass it through i2d_PrivateKey(). This SHOULD fail, since the private bits are missing. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * ASN.1: Refuse to encode to DER if non-optional items are missing Fixes #16026 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN ASN1_FBOOLEAN is designed to use as a default for optional ASN1 items. This test program used it for non-optional items, which doesn't encode well. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Fix test/asn1_encode_test.c to handle encoding/decoding failure Make it only report (and fail on) encoding/decoding failures when success is expected. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * make update (adds a new function code) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Avoid "excessive message size" for session tickets We received a report of an "excessive message size" for a received session ticket. Our maximum size was significantly less than the theoretical maximum. The server may put any data it likes in the session ticket including (for example) the full certificate chain so we should be able to handle longer tickets. Update the value to the maximum allowed by the spec. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15877) (cherry picked from commit e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681) * BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given The flag only affects which record types are queried via DNS (A or AAAA, or both). When node is NULL and AF_UNSPEC is used, it prevents getaddrinfo returning the right address associated with the loopback interface. Signed-off-by: Daiki Ueno <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16039) * Avoid empty lines in nmake rule bodies nmake is tolerant of those empty lines, but jom isn't. That tolerance isn't standard make behaviour, so we lean towards avoiding them. We simply use '@rem' instead. Fixes #16014 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16047) * apps: Use the first detected address family if IPv6 is not available This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c. Even when the host does not support IPv6 at all, BIO_lookup_ex may now return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of the ai_next field. After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function prefers the IPv6 address and fails on the BIO_socket call. This adds a fallback code to retry with the IPv4 address returned as the first element to avoid the error. The failure had been partially avoided in the previous code with AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no IPv6 address is associated with external interface. However, it would be still a problem if the external interface has an IPv6 address assigned, while the loopback interface doesn't. Signed-off-by: Daiki Ueno <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16078) * Don't reset the packet pointer in ssl3_setup_read_buffer Sometimes this function gets called when the buffers have already been set up. If there is already a partial packet in the read buffer then the packet pointer will be set to an incorrect value. The packet pointer already gets reset to the correct value when we first read a packet anyway, so we don't also need to do it in ssl3_setup_read_buffer. Fixes #13729 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16098) * Disallow SSL_key_update() if there are writes pending If an application is halfway through writing application data it should not be allowed to attempt an SSL_key_update() operation. Instead the SSL_write() operation should be completed. Fixes #12485 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16098) * Fix some minor record layer issues Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit ca001524971ccd595bc0e9843611e6784adfc981) Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16105) * Fix a read buffer overrun in X509_aux_print(). The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler <[email protected]> checked my patch to fix the same bug in LibreSSL, see http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. CLA: trivial Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16108) (cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67) * DSA/RSA_print(): Fix potential memory leak Fixes #10777 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16130) (cherry picked from commit 40184c96103a388209939c1c19920971c05bb78c) * [doc/man3] documentation: BN_cmp manpage updates Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16214) (cherry picked from commit 3d4ca443b4778e3230ff23f17625f58f815a9142) * Revert "make update (adds a new function code)" This reverts commit ea26844c4f624ef515d9228d3b623761a369b049. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "Fix test/asn1_encode_test.c to handle encoding/decoding failure" This reverts commit f1d97905bbd8679b7647c992b97f526791069040. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN" This reverts commit 5434acb6c4d56507d761b28f7e142ccab808a8fa. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "ASN.1: Refuse to encode to DER if non-optional items are missing" This reverts commit 006906cddda37e24a66443199444ef4476697477. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "TEST: Check that i2d refuses to encode non-optional items with no content" This reverts commit 12e9b74c513a8ed3c1c260cf25221a465ae14b84. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Fix potential double-free The `sk` variable is assigned to `s->session->peer_chain`. If `ssl3_digest_cached_records()` were to fail, then `sk` would still be non-NULL, and subsequently freed on the error return. When the session is freed, it will then attempt to free `s->session->peer_chain`, resulting in a double-free (of `sk`). Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16309) (cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef) * s390x: AES OFB/CFB: Maintain running IV from cipher context Copy the current IV from the cipher context into the kmo/kmf param before the operation, and copy the modified IV back to the context afterwards. Without this, an application that obtains the running IV from the context would still get the original IV, but not the updated one. Signed-off-by: Ingo Franzki <[email protected]> Reviewed-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16292) * Test EVP Cipher updating the context's IV Ensure that an EVP_CipherUpdate operation updates the context's IV for AES CBC, CFB, OFB, and CTR. An application can get the updated IV via EVP_CIPHER_CTX_iv(). The s390x implementation of the CFB and OFB ciphers did not update the IV in the context, but only within its s390x specific context data. Signed-off-by: Ingo Franzki <[email protected]> Reviewed-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16292) * pkcs12: check for zero length digest to avoid division by zero Fixes #16331 Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Kurt Roeckx <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16333) * [github-ci] Sync ci.yml workflow with master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import windows.yml workflow from master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import cross-compiles.yml workflow from master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import run-checker workflows from master This commit does not include the daily run-checker workflow. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import run-checker daily workflow from master The daily run-checker is scheduled to start at 6:42, instead of the start of the hour. The official GitHub documentation remarks the following regarding scheduled workflows: > Note: The schedule event can be delayed during periods of high loads > of GitHub Actions workflow runs. High load times include the start of > every hour. To decrease the chance of delay, schedule your workflow to > run at a different time of the hour. 42, obviously, has been picked because it is the answer to the ultimate question of life, the universe, and everything. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][cross-compiles.yml] Disable sparcv9 This commit temporarily disables cross-compiling tests for sparcv9, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable krb5 external tests This commit temporarily disables krb5 external tests, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable pyca external tests This commit temporarily disables pyca external tests, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][run-checker-ci.yml] Disable no-tls1_3 tests This commit temporarily disables tests for no-tls1_3, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable memory sanitizer build In 1.1.1 currently we do not support running multiple tests in parallel, and the `--debug -O1` msan build required more than 3h to run the tests. This commit temporarily disables this build configuration. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][run-checker-merge.yml] Disable ubsan build This commit temporarily disables the ubsan build, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Add comment about our approach to GitHub Actions CI Reviewed-by: Nicola Tuveri …

* Skip BOM when reading the config file Fixes #13840 Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13857) (cherry picked from commit 4369a882a565c42673b28c586a5c46a8bca98d17) * X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert This is the backport of #13755 to v1.1.1. Fixes #13698 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13756) * x509_vfy.c: Fix a regression in find_isser() ...in case the candidate issuer cert is identical to the target cert. Fixes #13739 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13749) * DOCS: Fix incorrect pass phrase options references There were a number of older style references to the pass phrase options section, now streamlined with the current openssl(1). Fixes #13883 Reviewed-by: Kurt Roeckx <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13886) * Fix regression in no-deprecated build Also add a new no-deprecated CI build to test it. Fixes #13896 Reviewed-by: David von Oheimb <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13902) * Ensure SRP BN_mod_exp follows the constant time path SRP_Calc_client_key calls BN_mod_exp with private data. However it was not setting BN_FLG_CONSTTIME and therefore not using the constant time implementation. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this issue. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13889) * Fix typo in crl2pkcs documentation Fixes #13910 CLA: trivial Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13911) (cherry picked from commit 6857058016e91d3182c2117922dd8001b27f5639) * CI: Add some legacy stuff that we do not test in GitHub CI yet There are some options that seem to belong to the legacy build. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13903) (cherry picked from commit adcaebc3148fe0fde3f7641c4b607f30e1479986) * Drop Travis At this point, we have transitioned completely from Travis to GitHub Actions Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13941) * check_sig_alg_match(): weaken sig nid comparison to base alg This (re-)allows RSA-PSS signers Fixes #13931 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13982) * Add some missing committers to the AUTHORS list Fixes #13815 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14029) (cherry picked from commit af403db090ee66715e81f0062d1ef614e8d921b5) * apps/ca: Properly handle certificate expiration times in do_updatedb Fixes #13944 + changed ASN1_UTCTIME to ASN1_TIME + removed all Y2K code from do_updatedb + changed compare to ASN1_TIME_compare Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14026) * Prevent creating empty folder "../apps/include" This folder "../apps/include" is accidentally created. This prevents this glitch. Fixes 19b4fe5844b ("Add a CMAC test") Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14051) * NOTES.WIN: fix typo CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Matthias St. Pierre <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14078) * configdata.pm: Better display of enabled/disabled options The options listed in the array @disablables are regular expressions. For most of them, it's not visible, but there are a few. However, configdata.pm didn't quite treat them that way, which meant that the few that are visibly regular expressions, there's a difference between that and the corresponding the key in %disabled, which is never a regular expression. To correctly display the enabled and disabled options with --dump, we must therefore go through a bit of Perl gymnastics to get the output correct enough, primarly so that disabled features don't look enabled. Fixes #13790 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14081) * Configuration: ensure that 'no-tests' works correctly 'no-tests' wasn't entirely respected by test/build.info. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14081) * Remove unused 'peer_type' from SSL_SESSION This field has not been used since #3858 was merged in 2017 when we moved to a table-based lookup for certificate type properties instead of an index-based one. Reviewed-by: Kurt Roeckx <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13991) (cherry picked from commit 3bc0b621a7baf1a11bc5cad69a287ad093674d68) * Configurations/descrip.mms.tmpl: avoid enormous PIPE commands DCL has a total command line limitation that's too easily broken by them. We solve them by creating separate message scripts and using them. Fixes #13789 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13834) * VMS documentation fixes This mostly clarifies details. Fixes #13789 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13834) * Fix Null pointer deref in X509_issuer_and_serial_hash() The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. CVE-2021-23841 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0) * Test that X509_issuer_and_serial_hash doesn't crash Provide a certificate with a bad issuer and check that X509_issuer_and_serial_hash doesn't crash. Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (cherry picked from commit 55869f594f052561b11a2db6a7c42690051868de) * Refactor rsa_test Reduce code copying by factoring out common code into a separate function. Reviewed-by: Paul Dale <[email protected]> * Fix the RSA_SSLV23_PADDING padding type This also fixes the public function RSA_padding_check_SSLv23. Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23 so that padding is rejected if the nul delimiter byte is not immediately preceded by at least 8 bytes containing 0x03. Prior to that commit the padding is rejected if it *is* preceded by at least 8 bytes containing 0x03. Presumably this change was made to be consistent with what it says in appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the original behaviour was correct. This is fixed in later errata issued for that RFC. This has no impact on libssl for modern versions of OpenSSL because there is no protocol support for SSLv2 in these versions. However applications that call RSA_paddin_check_SSLv23 directly, or use the RSA_SSLV23_PADDING mode may still be impacted. The effect of the original error is that an RSA message encrypted by an SSLv2 only client will fail to be decrypted properly by a TLS capable server, or a message encrypted by a TLS capable client will fail to decrypt on an SSLv2 only server. Most significantly an RSA message encrypted by a TLS capable client will be successfully decrypted by a TLS capable server. This last case should fail due to a rollback being detected. Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting this issue. CVE-2021-23839 Reviewed-by: Paul Dale <[email protected]> * Fix rsa_test to properly test RSA_SSLV23_PADDING We test all three cases: - An SSLv2 only client talking to a TLS capable server - A TLS capable client talking to an SSLv2 only server - A TLS capable client talking to a TLS capable server (should fail due to detecting a rollback attack) Reviewed-by: Paul Dale <[email protected]> * Don't overflow the output length in EVP_CipherUpdate calls CVE-2021-23840 Reviewed-by: Paul Dale <[email protected]> * Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte <[email protected]> * Update copyright year Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1j release Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1k-dev Reviewed-by: Richard Levitte <[email protected]> * TEST: Add missing initialization Compiler complained. Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14204) (cherry picked from commit 55e9d8cfffc1a40b0ab72e014ff62d5ef2a0ed63) * Use CRIOGET to fetch a crypto descriptor when present. FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4) Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13853) * Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c) Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13853) * CRYPTO_gcm128_decrypt: fix mac or tag calculation The incorrect code is in #ifdef branch that is normally not compiled in. Signed-off-by: Zhang Jinde <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12968) (cherry picked from commit 1d724b5e82ba36fb50fd24db3cd664da570daf84) * Fix an integer overflow in o_time.c If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow. I think leaving offset_hms as an int is still safe. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14252) (cherry picked from commit 75de54363506e2b2480fc6baf0cd45b1f7fc8816) * Fix filename escaping in c_rehash CLA: trivial Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14301) (cherry picked from commit 2d968951227acd422f0e712035de3216d47fc980) * Check ASN1_item_ndef_i2d() return value. Return an error instead of trying to malloc a negative number. The other usage in this file already had a similar check, and the caller should have put an entry on the error stack already. Note that we only check the initial calls to obtain the encoded length, and assume that the follow-up call to actually encode to the allocated storage will succeed if the first one did. Fixes: #14177 Reviewed-by: Shane Lontis <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14308) (cherry picked from commit 90b4247cc5dca58cee9da5f6975bb38fd200100a) * [github-ci] Add a out-of-tree_build job This adds a new job to trigger the bug reported in <https://github.com/openssl/openssl/issues/11940> Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14388) * [1.1.1] Fix `make update` for out-of-tree builds Fixes #11940 Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14388) * Check SSL_set1_chain error in set_cert_cb CLA: trivial Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14469) (cherry picked from commit 1aa7ecd0d3f6d9c3739cf2e2d87673a3be03b352) * modes: fix coverity 1449860: overlapping memory copy Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14584) (cherry picked from commit 145f12d12dc83c737676883c625c2a95d34251ed) * modes: fix coverity 1449851: overlapping memory copy Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14584) (cherry picked from commit b875e0e820b07420429ebb90724ed28686a98853) * ssl: fix coverity 1451515: out of bounds memory access Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14585) (cherry picked from commit 3de7f014a985637361bdee775f78209300c88aae) * apps: fix coverity 966560: division by zero Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14586) (cherry picked from commit 7e7e034a10842dad3866c9447481b8527024bf44) * Add a missing RUN_ONCE in rand_lib.c Some of the callbacks in rand_lib.c were being invoked without the RUN_ONCE for that file being called. We add it during rand_pool_new which should cover all cases. Fixes #7870 Fixes #11144 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14603) * ASN1: Reset the content dump flag after dumping When encountering a badly coded item, the DER printer (ASN1_print_dump()) sets a flag to ensure that an additional hex dump of the offending content is printed as part of the output. Unfortunately, this flag is never reset, which means that all following items are printed with the extra hex dump, whether they are faulty or not. Resetting the flag after hex dumping ensures that only the faulty contents are printed with the additional hex dump. Fixes #14626 Reviewed-by: Tim Hudson <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14627) (cherry picked from commit 6e34a1048ce4871371eac224b995c3b4338f6166) * Fix missing INVALID_EXTENSION Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14639) * check_chain_extensions: Do not override error return value by check_curve The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates with explicitly encoded elliptic curve parameters in the chain was added to the strict checks. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then a subsequent check that the certificate is consistent with that purpose also checks that it is a valid CA. Therefore where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overriden by an application. Affected applications explicitly set the X509_V_FLAG_X509_STRICT verification flag and either do not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose to make it not set. CVE-2021-3450 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Previously TLSProxy only knew how to "repack" messages for TLSv1.3. Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been too much of restriction. However we now want to modify reneg handshakes which are encrypted so we need to add that capability. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Add a test for CVE-2021-3449 We perform a reneg handshake, where the second ClientHello drops the sig_algs extension. It must also contain cert_sig_algs for the test to work. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * ssl sigalg extension: fix NULL pointer dereference As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's possible to crash an openssl tls secured server remotely by sending a manipulated hello message in a rehandshake. On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls tls12_shared_sigalgs() with the peer_sigalgslen of the previous handshake, while the peer_sigalgs has been freed. As a result tls12_shared_sigalgs() walks over the available peer_sigalgs and tries to access data of a NULL pointer. This issue was introduced by c589c34e61 (Add support for the TLS 1.3 signature_algorithms_cert extension, 2018-01-11). Signed-off-by: Peter Kästle <[email protected]> Signed-off-by: Samuel Sapalski <[email protected]> CVE-2021-3449 CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Matt Caswell <[email protected]> * Ensure buffer/length pairs are always in sync Following on from CVE-2021-3449 which was caused by a non-zero length associated with a NULL buffer, other buffer/length pairs are updated to ensure that they too are always in sync. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Update CHANGES and NEWS for new release Reviewed-by: Tomas Mraz <[email protected]> * Update copyright year Reviewed-by: Tomas Mraz <[email protected]> * Prepare for 1.1.1k release Reviewed-by: Tomas Mraz <[email protected]> * Prepare for 1.1.1l-dev Reviewed-by: Tomas Mraz <[email protected]> * Fix BIO_new_ssl_connect() to not leak memory CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14719) (cherry picked from commit 7947a1eb13c221bbc034796bd394ba00b0e2387d) * Fix typo in BIO_push.pod CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14718) (cherry picked from commit 2db9bef264ba39e173d6b6a3a800595e15eef31b) * Print correct error message in utils/mkdir-p.pl Commit 70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression. If utils/mkdir-p.pl fails to create a target dir because of insufficient file system permissions, the subsequent test for dir existence always fails and overwrites the system error. As a result, a user is presented with a misleading error message. E.g. if a user tries to create a dir under /usr/local and does not have permissions for it, the reported error message is "Cannot create directory /usr/local/lib: No such file or directory", whereas the expected error message is "Cannot create directory /usr/local/lib: Permission denied". This commit introduces a fix by declaring an additional local variable to cache the original error message from mkdir. If -d check fails and overwrites the system error, the user is still presented with the original error from mkdir. CLA: Trivial Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14487) (cherry picked from commit af2e1e9c81110ca1a156430686e2f171e80ebfa0) * doc: fix enc -z option documentation CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14499) (cherry picked from commit 6635ea531e9f7709e5880dd77fd4c3403a5c3db7) * Remove unnecessary BIO_do_handshake()s Since BIO_do_connect() and BIO_do_handshake() are same, no need to invoke BIO_do_handshake() once more after BIO_do_connect(). Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14725) (cherry picked from commit 975e37cd016f86985d16f1ee646e88213494854a) * Fix potential double free in sslapitest.c Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14758) (cherry picked from commit 493e78986f9677c2b321273da51c276b9a8182d8) * Fix typos in x509.pod CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14783) (cherry picked from commit 4c979cbeeb9792b170670fa15e29d077597e7ee0) * crl2pkcs7 shouldn't include empty optional sets If using crl2pkcs7 -nocrl and with no -certfiles, we shouldn't include the implicitly tagged [0] certs and [1] crls sets as they are marked optional and would be empty. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14781) (cherry picked from commit d3a5898a7f4980bc0fa6345c408f88007573c405) * Handle set_alpn_protos inputs better. It's possible to set an invalid protocol list that will be sent in a ClientHello. This validates the inputs to make sure this does not happen. Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14679) * srp: fix double free, In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653. In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738. And *verify is freed via BN_clear_free() at line 743, and return 0. Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687. Bug reported by @Yunlongs Fixes #14913 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit b06450bcf763735a89b65ca3ec176600fe7fceed) * ts: fix double free on error path. In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299. In the implementation of ts_compute_imprint, it allocates md_alg at line 406. But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439. After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token. In the err branch, md_alg will be freed in the second time at line 320. Bug reported by @Yunlongs Fixes #14914 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7) * engine: fix double free on error path. In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481. If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8. In the nop8 branch, p8 is freed again at line 491. Bug reported by @Yunlongs Fixes #14915 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit efe8d69daa1a68be0a7f0f73220947c848e7ed1d) * Some compilers define __STDC_VERSION__ in c++ Some compilers(g++ on Solaris/Illumos) define __STDC__VERSION__ in c++ . This causes c++ code that uses openssl to break on these compilers since _Noreturn is not a keyword in c++ . CLA: trivial Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14944) (cherry picked from commit 1f3b58d8413cfa3824e9c0a146dee6ceedbc367e) * Test that EVP_PKEY_cmp() returns 1 when comparing a key to itself Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14982) * Correct the return value on match and mismatch for MAC pkeys Fixes #14147 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14982) * Don't remove $(TARFILE) when cleaning This file is outside the source tree, so we have no business removing it. This is especially concerning if that was the tarball the user had to create the source tree. Fixes #14981 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14985) (cherry picked from commit f58f7ec9397de7b752aa547e2677933559a657db) * ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse The 'sn' and 'ln' strings may be dynamically allocated, and the ASN1_OBJECT flags have a bit set to say this. If an ASN1_OBJECT with such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings must be freed, or there is a memory leak. Fixes #14667 Reviewed-by: Shane Lontis <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14938) * Test that we don't have a memory leak in d2i_ASN1_OBJECT. Fixes #14667 Reworked test supplied by @smcpeak into a unit test. Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14938) * man: s_server: fix typo in -alpn option description Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15098) * Use OCSP-specific error code for clarity Fixes #12735 for 1.1.1 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15109) * Support for Android NDK r22 This is a backport of #13434, Fixes #13685. I think builds using standalone toolchain are fine so I left them alone, but `Configure` will fail if using the NDK directly because the `platforms` and `sysroot` directories were removed. If `sysroot` is missing, omit the `--sysroot` and `-gcc-toolchain` arguments and use the triplet form clang command. Also since `platforms` was being used for the default API level, use `meta/platforms.json` instead if needed. Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13694) * Avoid sending alerts after shutdown Fixes #11388 Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15159) (cherry picked from commit 22d1138fe2fde9a16e80b81de1d848ae6fa879ef) * BIO_listen: disable setting ipv6_v6only on OpenBSD as it is a read only data and true Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15015) (cherry picked from commit f7f0632b01cf16efccb133e395cf115c194bd003) * Try to parse private key as PKCS#8 first, fallback afterwards Fixes #15022 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15075) * Testing private keys with extra attributes Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15075) * check i2d_ASN1_TYPE return value add a length check to the return value of function i2d_ASN1_TYPE. Return an error instead of trying to malloc a negative number. CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14828) (cherry picked from commit c65abf2213117eb5348a46fbc18f706aca052e85) * Improve RFC 8446 PSK key exchange mode compliance It's a MUST-level requirement that if the client sends a pre_shared_key extension not accompanied by a psk_key_exchange_modes extension, the server must abort the handshake. Prior to this commit the server would continue on. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit efe0f315354b020213097885c79ce856a2f5ac68) (Merged from https://github.com/openssl/openssl/pull/15255) * make update Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15255) * Don't send key_share for PSK-only key exchange TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes. Only the latter mode introduces a new ephemeral (Diffie-Hellman) key exchange, with the PSK being the only key material used in the former case. It's a compliance requirement of RFC 8446 that the server MUST NOT send a KeyShareEntry when using the "psk_ke" mode, but prior to this commit we would send a key-share based solely on whether the client sent one. This bug goes unnoticed in our internal test suite since openssl communicating with openssl can never negotiate the PSK-only key-exchange mode. However, we should still be compliant with the spec, so check whether the DHE mode was offered and don't send a key-share if it wasn't. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit e776858bce32d473bd7a69c616ad7f6c2f979dfc) (Merged from https://github.com/openssl/openssl/pull/15255) * Update expected results for tls13kexmodes tests One of the scenarios constructed in these tests was erroneously producing successful handshakes until the previous commits, but should have been failing. Update our expected behavior to match the specification requirements, and adjust the commentary slightly for a test case relevant for the other preceding commit. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit 80c25611abd7067815943187f36f5e1879201678) (Merged from https://github.com/openssl/openssl/pull/15255) * Avoid division by zero in hybrid point encoding In hybrid and compressed point encodings, the form octet contains a bit of information allowing to calculate y from x. For a point on a binary curve, this bit is zero if x is zero, otherwise it must match the rightmost bit of of the field element y / x. The existing code only considers the second possibility. It could thus incorrecly fail with a division by zero error as found by Guido Vranken's cryptofuzz. This commit adds a few explanatory comments to oct2point. The only actual code change is in the last hunk which adds a BN_is_zero(x) check to avoid the division by zero. Fixes #15021 Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15112) * Test oct2point for hybrid point encoding of (0, y) Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15112) * Inherit hostflags verify params even without hosts X509_VERIFY_PARAM_inherit() now copies hostflags independently of hosts. Previously hostflags were only copied when at least one host was set. Typically applications don't configure hosts on SSL_CTX. The change enables applications to configure hostflags on SSL_CTX and have OpenSSL copy the flags from SSL_CTX to SSL. Fixes: https://github.com/openssl/openssl/issues/14579 Signed-off-by: Christian Heimes <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14856) * Properly restore XMM registers in ChaCha20's AVX-512(VL) assembly Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15315) (cherry picked from commit 6d3f798cba8075e700003aaf34f1e72bb930086c) * Cleanup the peer point formats on regotiation Fixes #14875 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15383) (cherry picked from commit 3f987381929ee725daf4746591144dde18f313e1) * s_client.pod: Fix grammar in NOTES section. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12907) * Call SSLfatal when the generate_ticket_cb returns 0 Otherwise, the state machine ends up being in a bad state: ``` SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:850: ``` Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15485) * Put init_ec_point_formats() inside #ifndef OPENSSL_NO_EC Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15518) * Modify ssl_handshake_hash to call SSLfatal When EVP_MD_CTX_new fails call SSLfatal before the goto err. This resolves a state machine issue on the out of memory condition: ssl/statem/statem.c:643: OpenSSL internal error: Assertion failed: (s)->statem.in_init && (s)->statem.state == MSG_FLOW_ERROR Fixes #15491. CLA: trivial Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15511) * ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15505) * Check the return value of ASN1_STRING_length ASN1_STRING_length gets the field 'length' of msg, which can be manipulated through a crafted input. Add a check to avoid error execution of OPENSSL_malloc(). CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15583) (cherry picked from commit effb0dcf864110a4595f1a243adb9c1dd09eb516) * Only call dtls1_start_timer() once The function dtls1_handle_timeout() calls dtls1_double_timeout() which was calling dtls1_start_timer(). However dtls1_start_timer() is also called directly by dtls1_handle_timeout(). We only need to start the timer once. Fixes #15561 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15595) (cherry picked from commit f570d33b02d824e2a3f676f718c4692572f45333) * s390x: cipher must set EVP_CIPH_ALWAYS_CALL_INIT flag The s390x cipher implementations must call their init function even if the key argument is NULL to allow initializing the cipher operation's context in any order. Signed-off-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14900) * Test EVP_CipherInit sequences and resets Various EVP_CipherInit sequences including partial inits and initializations with different "enc" flags caused problems on s390x. Similarly, cipher reinitialization and especially GCM reinitialization with different tag length led to wrong results. Add some unit tests to cover these rather exotic use cases. Signed-off-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14900) * Clean away remaining Travis related files Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15693) * enable getauxval on android 10 Fixes #9498 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15870) * Use getauxval on Android with API level > 18 We received analytics that devices of the device family Oppo A37x are crashing with SIGILL when trying to load libcrypto.so. These crashes were fixed by using the system-supplied getauxval function. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15763) * Add riscv64 target Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14724) * apple getentropy removal backport of #15924 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15935) * Fix use of uninitialized memory in test_rsa_oaep 48f1739600f33c92387debce2002acec6e365f1d did not convert the RSA OAEP tests correctly. The corrupted ciphertext and truncation tests were really decrypting uninitialized memory, rather than the sample ciphertext. This results in an error in tools like MSan. The test is somewhat roundabout. In the original version, before the conversion, ctext_ex was an OAEP test vector from key1(), etc., functions. The test would: 1. Encrypt ptext_ex as ctext. 2. Decrypt ctext and check it gives ptext_ex. 3. Decrypt ctext_ex and check it gives ptext_ex. 4. Try corrupted and truncated versions of ctext. 48f1739600f33c92387debce2002acec6e365f1d then moved steps 1 and 2 into test_rsa_simple, which meant ctext is no longer available for step 4. It then mistakenly left the variable around, but uninitialized, so the test wasn't testing anything. (Confusingly, test_rsa_simple outputs ctext_ex to the caller, but doesn't do anything with it. The ctext_ex output is also only usable for OAEP, not PKCS#1 v1.5.) It doesn't really matter whether we use ctext or ctext_ex for step 4, so this PR fixes it by using ctext_ex instead. Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15950) (cherry picked from commit 36a4637e158508f5d2fb7750e4870888072a56f9) * doc: Mention the update of der data pointers in d2i/i2d Fixes #15958 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15973) * bn: procduce correct sign for result of BN_mod() There is a problem that appears when calling BN_div(a, c, a, b) with negative b. In this case, the sign of the remainder c is incorrect. The problem only occurs if the dividend and the quotient are the same BIGNUM. Fixes #15982 Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15991) (cherry picked from commit 105c83150f15af3f78ea0758859062842bdbe30e) * Fix memory leak in i2d_ASN1_bio_stream When creating a signed S/MIME message using SMIME_write_CMS() if the reading from the bio fails, the state is therefore still ASN1_STATE_START when BIO_flush() is called by i2d_ASN1_bio_stream(). This results in calling asn1_bio_flush_ex cleanup but will only reset retry flags as the state is not ASN1_STATE_POST_COPY. Therefore 48 bytes (Linux x86_64) leaked since the ndef_prefix_free / ndef_suffix_free callbacks are not executed and the ndef_aux structure is not freed. By always calling free function callback in asn1_bio_free() the memory leak is fixed. (cherry picked from commit 3a1d2b59522163ebb83bb68e13c896188dc222c6) Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15999) * ssl: do not choose auto DH groups that are weaker than the security level manual merge from https://github.com/openssl/openssl/pull/15818 id d7b5c648d682b499b71320a03747602a6ba4dec3 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15832) * test: add test for auto DH security level meets the minimum Manual merge from https://github.com/openssl/openssl/pull/15818 Commit id d0e5230dcecc6013d351545ceb275aa2ba5baa80 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15832) * Fix s_server PSK handling Issue #15951 describes a scenario which causes s_server to fail when using a PSK. In the originally described issue this only impacted master and not 1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you additionally supply the option "-no_ticket" to the s_server command line. The difference between the behaviour in master and 1.1.1 is due to 9c13b49, which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that a default OpenSSL TLSv1.3 ticket length happens to fall between those 2 values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing "no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just forces the use of "session ids as a ticket" instead. This significantly reduces the ticket size to below 128 in 1.1.1. The problem was due to s_server setting a TLSv1.2 PSK callback and a TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK callbacks also work in TLSv1.3 but are not preferred. In the described scenario we use a PSK to create the initial connection. Subsequent to that we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback. Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's TLSv1.2 PSK callback accepts the identity regardless, even though it is an unexpected value, and hence the binder subsequently fails to verify. The fix is to bail early in the TLSv1.2 callback if we detect we are being called from a TLSv1.3 connection. Fixes #15951 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16008) (cherry picked from commit 0007ff257c95f5cd046799e492436f41caf4ecb2) * TEST: Check that i2d refuses to encode non-optional items with no content The test case creates an RSA public key and tries to pass it through i2d_PrivateKey(). This SHOULD fail, since the private bits are missing. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * ASN.1: Refuse to encode to DER if non-optional items are missing Fixes #16026 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN ASN1_FBOOLEAN is designed to use as a default for optional ASN1 items. This test program used it for non-optional items, which doesn't encode well. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Fix test/asn1_encode_test.c to handle encoding/decoding failure Make it only report (and fail on) encoding/decoding failures when success is expected. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * make update (adds a new function code) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Avoid "excessive message size" for session tickets We received a report of an "excessive message size" for a received session ticket. Our maximum size was significantly less than the theoretical maximum. The server may put any data it likes in the session ticket including (for example) the full certificate chain so we should be able to handle longer tickets. Update the value to the maximum allowed by the spec. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15877) (cherry picked from commit e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681) * BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given The flag only affects which record types are queried via DNS (A or AAAA, or both). When node is NULL and AF_UNSPEC is used, it prevents getaddrinfo returning the right address associated with the loopback interface. Signed-off-by: Daiki Ueno <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16039) * Avoid empty lines in nmake rule bodies nmake is tolerant of those empty lines, but jom isn't. That tolerance isn't standard make behaviour, so we lean towards avoiding them. We simply use '@rem' instead. Fixes #16014 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16047) * apps: Use the first detected address family if IPv6 is not available This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c. Even when the host does not support IPv6 at all, BIO_lookup_ex may now return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of the ai_next field. After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function prefers the IPv6 address and fails on the BIO_socket call. This adds a fallback code to retry with the IPv4 address returned as the first element to avoid the error. The failure had been partially avoided in the previous code with AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no IPv6 address is associated with external interface. However, it would be still a problem if the external interface has an IPv6 address assigned, while the loopback interface doesn't. Signed-off-by: Daiki Ueno <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16078) * Don't reset the packet pointer in ssl3_setup_read_buffer Sometimes this function gets called when the buffers have already been set up. If there is already a partial packet in the read buffer then the packet pointer will be set to an incorrect value. The packet pointer already gets reset to the correct value when we first read a packet anyway, so we don't also need to do it in ssl3_setup_read_buffer. Fixes #13729 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16098) * Disallow SSL_key_update() if there are writes pending If an application is halfway through writing application data it should not be allowed to attempt an SSL_key_update() operation. Instead the SSL_write() operation should be completed. Fixes #12485 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16098) * Fix some minor record layer issues Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit ca001524971ccd595bc0e9843611e6784adfc981) Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16105) * Fix a read buffer overrun in X509_aux_print(). The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler <[email protected]> checked my patch to fix the same bug in LibreSSL, see http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. CLA: trivial Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16108) (cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67) * DSA/RSA_print(): Fix potential memory leak Fixes #10777 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16130) (cherry picked from commit 40184c96103a388209939c1c19920971c05bb78c) * [doc/man3] documentation: BN_cmp manpage updates Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16214) (cherry picked from commit 3d4ca443b4778e3230ff23f17625f58f815a9142) * Revert "make update (adds a new function code)" This reverts commit ea26844c4f624ef515d9228d3b623761a369b049. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "Fix test/asn1_encode_test.c to handle encoding/decoding failure" This reverts commit f1d97905bbd8679b7647c992b97f526791069040. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN" This reverts commit 5434acb6c4d56507d761b28f7e142ccab808a8fa. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "ASN.1: Refuse to encode to DER if non-optional items are missing" This reverts commit 006906cddda37e24a66443199444ef4476697477. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "TEST: Check that i2d refuses to encode non-optional items with no content" This reverts commit 12e9b74c513a8ed3c1c260cf25221a465ae14b84. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Fix potential double-free The `sk` variable is assigned to `s->session->peer_chain`. If `ssl3_digest_cached_records()` were to fail, then `sk` would still be non-NULL, and subsequently freed on the error return. When the session is freed, it will then attempt to free `s->session->peer_chain`, resulting in a double-free (of `sk`). Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16309) (cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef) * s390x: AES OFB/CFB: Maintain running IV from cipher context Copy the current IV from the cipher context into the kmo/kmf param before the operation, and copy the modified IV back to the context afterwards. Without this, an application that obtains the running IV from the context would still get the original IV, but not the updated one. Signed-off-by: Ingo Franzki <[email protected]> Reviewed-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16292) * Test EVP Cipher updating the context's IV Ensure that an EVP_CipherUpdate operation updates the context's IV for AES CBC, CFB, OFB, and CTR. An application can get the updated IV via EVP_CIPHER_CTX_iv(). The s390x implementation of the CFB and OFB ciphers did not update the IV in the context, but only within its s390x specific context data. Signed-off-by: Ingo Franzki <[email protected]> Reviewed-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16292) * pkcs12: check for zero length digest to avoid division by zero Fixes #16331 Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Kurt Roeckx <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16333) * [github-ci] Sync ci.yml workflow with master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import windows.yml workflow from master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import cross-compiles.yml workflow from master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import run-checker workflows from master This commit does not include the daily run-checker workflow. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import run-checker daily workflow from master The daily run-checker is scheduled to start at 6:42, instead of the start of the hour. The official GitHub documentation remarks the following regarding scheduled workflows: > Note: The schedule event can be delayed during periods of high loads > of GitHub Actions workflow runs. High load times include the start of > every hour. To decrease the chance of delay, schedule your workflow to > run at a different time of the hour. 42, obviously, has been picked because it is the answer to the ultimate question of life, the universe, and everything. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][cross-compiles.yml] Disable sparcv9 This commit temporarily disables cross-compiling tests for sparcv9, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable krb5 external tests This commit temporarily disables krb5 external tests, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable pyca external tests This commit temporarily disables pyca external tests, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][run-checker-ci.yml] Disable no-tls1_3 tests This commit temporarily disables tests for no-tls1_3, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable memory sanitizer build In 1.1.1 currently we do not support running multiple tests in parallel, and the `--debug -O1` msan build required more than 3h to run the tests. This commit temporarily disables this build configuration. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][run-checker-merge.yml] Disable ubsan build This commit temporarily disables the ubsan build, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Add comment about our approach to GitHub Actions CI Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * Revert "[github-ci][cross-compiles.yml] Disable sparcv9" This reverts commit aa23aa759cf33b4f481fc719d42cb7bae8b2eaf0. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16336) * sparc: fix cross compile build (cherry picked from commit 64fac96de81d3dc19cc0c9045c341f0dec818075) Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16336) * Fix i2v_GENERAL_NAME to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix POLICYINFO printing to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix the name constraints code to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix test code to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix append_ia5 function to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix NETSCAPE_SPKI_print function to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix EC_GROUP_new_from_ecparameters to check the base length Check that there's at least one byte in params->base before trying to read it. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Allow fuzz builds to detect string overruns If FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is defined then we don't NUL terminate ASN1_STRING datatypes. This shouldn't be necessary but we add it any for safety in normal builds. Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix the error handling in i2v_AUTHORITY_KEYID Previously if an error path is entered a leak could result. Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Correctly calculate the length of SM2 plaintext given the ciphertext Previously the length of the SM2 plaintext could be incorrectly calculated. The plaintext length was calculated by taking the ciphertext length and taking off an "overhead" value. The overhead value was assumed to have a "fixed" element of 10 bytes. This is incorrect since in some circumstances it can be more than 10 bytes. Additionally the overhead included the length of two integers C1x and C1y, which were assumed to be the same length as the field size (32 bytes for the SM2 curve). However in some cases these integers can have an additional padding byte when the msb is set, to disambiguate them from negative integers. Additionally the integers can also be less than 32 bytes in length in some cases. If the calculated overhead is incorrect and larger than the actual value this can result in the calculated plaintext length being too small. Applications are likely to allocate buffer sizes based on this and therefore a buffer overrun can occur. CVE-2021-3711 Issue reported by John Ouyang. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> * Extend tests for SM2 decryption Check the case where C1y < 32 bytes in length (i.e. short overhead), and also the case with longer plaintext and C1x and C1y > 32 bytes in length (i.e. long overhead) Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> * Check the plaintext buffer is large enough when decrypting SM2 Previously there was no check that the supplied buffer was large enough. It was just assumed to be sufficient. Instead we should check and fail if not. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> * Updates to CHANGES and NEWS for the new release Reviewed-by: Richard Levitte <[email protected]> * Update copyright year Reviewed-by: Richard Levitte <[email protected]> * Run make update Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1l release Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1m-dev Reviewed-by: Richard Levitte <[email protected]> * Fix the array size of dtlsseq in tls1_enc Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16385) (cherry picked from commit 562d4cd3c35b32f2bc6ac0770b80ce394f8d76a4) * Avoid using undefined value in generate_stateless_cookie_callback Reviewed-by: Paul Yang <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16381) * Fix some strict gcc-12 warnings Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16375) * apps/ciphers: Fix wrong return value when using -convert parameter Command 'openssl ciphers -convert <name>' always returns failure, this patch set the correct return value. Signed-off-by: Tianjia Zhang <[email protected]> Reviewed-by: Paul Yang <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16383) (cherry picked from commit 8b4e9c5265ffd3457ad37133502a9d8a4e8daccd) * Check for null-pointer dereference in dh_cms_set_peerkey Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16382) * ts: fix memleaks caused by TS_VERIFY_CTX_set_imprint CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16347) (cherry picked from commit 62bae84d4587ec9a56d0ce830e36e4a5b2fa8a33) * Darwin platform allows to build on releases before Yosemite/ios 8. …

* ASN1: Reset the content dump flag after dumping When encountering a badly coded item, the DER printer (ASN1_print_dump()) sets a flag to ensure that an additional hex dump of the offending content is printed as part of the output. Unfortunately, this flag is never reset, which means that all following items are printed with the extra hex dump, whether they are faulty or not. Resetting the flag after hex dumping ensures that only the faulty contents are printed with the additional hex dump. Fixes #14626 Reviewed-by: Tim Hudson <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14627) (cherry picked from commit 6e34a1048ce4871371eac224b995c3b4338f6166) * Fix missing INVALID_EXTENSION Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14639) * check_chain_extensions: Do not override error return value by check_curve The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates with explicitly encoded elliptic curve parameters in the chain was added to the strict checks. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then a subsequent check that the certificate is consistent with that purpose also checks that it is a valid CA. Therefore where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overriden by an application. Affected applications explicitly set the X509_V_FLAG_X509_STRICT verification flag and either do not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose to make it not set. CVE-2021-3450 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Previously TLSProxy only knew how to "repack" messages for TLSv1.3. Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been too much of restriction. However we now want to modify reneg handshakes which are encrypted so we need to add that capability. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Add a test for CVE-2021-3449 We perform a reneg handshake, where the second ClientHello drops the sig_algs extension. It must also contain cert_sig_algs for the test to work. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * ssl sigalg extension: fix NULL pointer dereference As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's possible to crash an openssl tls secured server remotely by sending a manipulated hello message in a rehandshake. On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls tls12_shared_sigalgs() with the peer_sigalgslen of the previous handshake, while the peer_sigalgs has been freed. As a result tls12_shared_sigalgs() walks over the available peer_sigalgs and tries to access data of a NULL pointer. This issue was introduced by c589c34e61 (Add support for the TLS 1.3 signature_algorithms_cert extension, 2018-01-11). Signed-off-by: Peter Kästle <[email protected]> Signed-off-by: Samuel Sapalski <[email protected]> CVE-2021-3449 CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Matt Caswell <[email protected]> * Ensure buffer/length pairs are always in sync Following on from CVE-2021-3449 which was caused by a non-zero length associated with a NULL buffer, other buffer/length pairs are updated to ensure that they too are always in sync. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Update CHANGES and NEWS for new release Reviewed-by: Tomas Mraz <[email protected]> * Update copyright year Reviewed-by: Tomas Mraz <[email protected]> * Prepare for 1.1.1k release Reviewed-by: Tomas Mraz <[email protected]> * Prepare for 1.1.1l-dev Reviewed-by: Tomas Mraz <[email protected]> * Fix BIO_new_ssl_connect() to not leak memory CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14719) (cherry picked from commit 7947a1eb13c221bbc034796bd394ba00b0e2387d) * Fix typo in BIO_push.pod CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14718) (cherry picked from commit 2db9bef264ba39e173d6b6a3a800595e15eef31b) * Print correct error message in utils/mkdir-p.pl Commit 70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression. If utils/mkdir-p.pl fails to create a target dir because of insufficient file system permissions, the subsequent test for dir existence always fails and overwrites the system error. As a result, a user is presented with a misleading error message. E.g. if a user tries to create a dir under /usr/local and does not have permissions for it, the reported error message is "Cannot create directory /usr/local/lib: No such file or directory", whereas the expected error message is "Cannot create directory /usr/local/lib: Permission denied". This commit introduces a fix by declaring an additional local variable to cache the original error message from mkdir. If -d check fails and overwrites the system error, the user is still presented with the original error from mkdir. CLA: Trivial Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14487) (cherry picked from commit af2e1e9c81110ca1a156430686e2f171e80ebfa0) * doc: fix enc -z option documentation CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14499) (cherry picked from commit 6635ea531e9f7709e5880dd77fd4c3403a5c3db7) * Remove unnecessary BIO_do_handshake()s Since BIO_do_connect() and BIO_do_handshake() are same, no need to invoke BIO_do_handshake() once more after BIO_do_connect(). Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14725) (cherry picked from commit 975e37cd016f86985d16f1ee646e88213494854a) * Fix potential double free in sslapitest.c Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14758) (cherry picked from commit 493e78986f9677c2b321273da51c276b9a8182d8) * Fix typos in x509.pod CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14783) (cherry picked from commit 4c979cbeeb9792b170670fa15e29d077597e7ee0) * crl2pkcs7 shouldn't include empty optional sets If using crl2pkcs7 -nocrl and with no -certfiles, we shouldn't include the implicitly tagged [0] certs and [1] crls sets as they are marked optional and would be empty. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14781) (cherry picked from commit d3a5898a7f4980bc0fa6345c408f88007573c405) * Handle set_alpn_protos inputs better. It's possible to set an invalid protocol list that will be sent in a ClientHello. This validates the inputs to make sure this does not happen. Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14679) * srp: fix double free, In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653. In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738. And *verify is freed via BN_clear_free() at line 743, and return 0. Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687. Bug reported by @Yunlongs Fixes #14913 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit b06450bcf763735a89b65ca3ec176600fe7fceed) * ts: fix double free on error path. In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299. In the implementation of ts_compute_imprint, it allocates md_alg at line 406. But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439. After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token. In the err branch, md_alg will be freed in the second time at line 320. Bug reported by @Yunlongs Fixes #14914 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7) * engine: fix double free on error path. In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481. If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8. In the nop8 branch, p8 is freed again at line 491. Bug reported by @Yunlongs Fixes #14915 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit efe8d69daa1a68be0a7f0f73220947c848e7ed1d) * Some compilers define __STDC_VERSION__ in c++ Some compilers(g++ on Solaris/Illumos) define __STDC__VERSION__ in c++ . This causes c++ code that uses openssl to break on these compilers since _Noreturn is not a keyword in c++ . CLA: trivial Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14944) (cherry picked from commit 1f3b58d8413cfa3824e9c0a146dee6ceedbc367e) * Test that EVP_PKEY_cmp() returns 1 when comparing a key to itself Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14982) * Correct the return value on match and mismatch for MAC pkeys Fixes #14147 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14982) * Don't remove $(TARFILE) when cleaning This file is outside the source tree, so we have no business removing it. This is especially concerning if that was the tarball the user had to create the source tree. Fixes #14981 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14985) (cherry picked from commit f58f7ec9397de7b752aa547e2677933559a657db) * ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse The 'sn' and 'ln' strings may be dynamically allocated, and the ASN1_OBJECT flags have a bit set to say this. If an ASN1_OBJECT with such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings must be freed, or there is a memory leak. Fixes #14667 Reviewed-by: Shane Lontis <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14938) * Test that we don't have a memory leak in d2i_ASN1_OBJECT. Fixes #14667 Reworked test supplied by @smcpeak into a unit test. Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14938) * man: s_server: fix typo in -alpn option description Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15098) * Use OCSP-specific error code for clarity Fixes #12735 for 1.1.1 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15109) * Support for Android NDK r22 This is a backport of #13434, Fixes #13685. I think builds using standalone toolchain are fine so I left them alone, but `Configure` will fail if using the NDK directly because the `platforms` and `sysroot` directories were removed. If `sysroot` is missing, omit the `--sysroot` and `-gcc-toolchain` arguments and use the triplet form clang command. Also since `platforms` was being used for the default API level, use `meta/platforms.json` instead if needed. Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/13694) * Avoid sending alerts after shutdown Fixes #11388 Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15159) (cherry picked from commit 22d1138fe2fde9a16e80b81de1d848ae6fa879ef) * BIO_listen: disable setting ipv6_v6only on OpenBSD as it is a read only data and true Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15015) (cherry picked from commit f7f0632b01cf16efccb133e395cf115c194bd003) * Try to parse private key as PKCS#8 first, fallback afterwards Fixes #15022 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15075) * Testing private keys with extra attributes Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15075) * check i2d_ASN1_TYPE return value add a length check to the return value of function i2d_ASN1_TYPE. Return an error instead of trying to malloc a negative number. CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14828) (cherry picked from commit c65abf2213117eb5348a46fbc18f706aca052e85) * Improve RFC 8446 PSK key exchange mode compliance It's a MUST-level requirement that if the client sends a pre_shared_key extension not accompanied by a psk_key_exchange_modes extension, the server must abort the handshake. Prior to this commit the server would continue on. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit efe0f315354b020213097885c79ce856a2f5ac68) (Merged from https://github.com/openssl/openssl/pull/15255) * make update Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15255) * Don't send key_share for PSK-only key exchange TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes. Only the latter mode introduces a new ephemeral (Diffie-Hellman) key exchange, with the PSK being the only key material used in the former case. It's a compliance requirement of RFC 8446 that the server MUST NOT send a KeyShareEntry when using the "psk_ke" mode, but prior to this commit we would send a key-share based solely on whether the client sent one. This bug goes unnoticed in our internal test suite since openssl communicating with openssl can never negotiate the PSK-only key-exchange mode. However, we should still be compliant with the spec, so check whether the DHE mode was offered and don't send a key-share if it wasn't. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit e776858bce32d473bd7a69c616ad7f6c2f979dfc) (Merged from https://github.com/openssl/openssl/pull/15255) * Update expected results for tls13kexmodes tests One of the scenarios constructed in these tests was erroneously producing successful handshakes until the previous commits, but should have been failing. Update our expected behavior to match the specification requirements, and adjust the commentary slightly for a test case relevant for the other preceding commit. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit 80c25611abd7067815943187f36f5e1879201678) (Merged from https://github.com/openssl/openssl/pull/15255) * Avoid division by zero in hybrid point encoding In hybrid and compressed point encodings, the form octet contains a bit of information allowing to calculate y from x. For a point on a binary curve, this bit is zero if x is zero, otherwise it must match the rightmost bit of of the field element y / x. The existing code only considers the second possibility. It could thus incorrecly fail with a division by zero error as found by Guido Vranken's cryptofuzz. This commit adds a few explanatory comments to oct2point. The only actual code change is in the last hunk which adds a BN_is_zero(x) check to avoid the division by zero. Fixes #15021 Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15112) * Test oct2point for hybrid point encoding of (0, y) Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15112) * Inherit hostflags verify params even without hosts X509_VERIFY_PARAM_inherit() now copies hostflags independently of hosts. Previously hostflags were only copied when at least one host was set. Typically applications don't configure hosts on SSL_CTX. The change enables applications to configure hostflags on SSL_CTX and have OpenSSL copy the flags from SSL_CTX to SSL. Fixes: https://github.com/openssl/openssl/issues/14579 Signed-off-by: Christian Heimes <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14856) * Properly restore XMM registers in ChaCha20's AVX-512(VL) assembly Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15315) (cherry picked from commit 6d3f798cba8075e700003aaf34f1e72bb930086c) * Cleanup the peer point formats on regotiation Fixes #14875 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15383) (cherry picked from commit 3f987381929ee725daf4746591144dde18f313e1) * s_client.pod: Fix grammar in NOTES section. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12907) * Call SSLfatal when the generate_ticket_cb returns 0 Otherwise, the state machine ends up being in a bad state: ``` SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:850: ``` Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15485) * Put init_ec_point_formats() inside #ifndef OPENSSL_NO_EC Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15518) * Modify ssl_handshake_hash to call SSLfatal When EVP_MD_CTX_new fails call SSLfatal before the goto err. This resolves a state machine issue on the out of memory condition: ssl/statem/statem.c:643: OpenSSL internal error: Assertion failed: (s)->statem.in_init && (s)->statem.state == MSG_FLOW_ERROR Fixes #15491. CLA: trivial Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15511) * ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15505) * Check the return value of ASN1_STRING_length ASN1_STRING_length gets the field 'length' of msg, which can be manipulated through a crafted input. Add a check to avoid error execution of OPENSSL_malloc(). CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15583) (cherry picked from commit effb0dcf864110a4595f1a243adb9c1dd09eb516) * Only call dtls1_start_timer() once The function dtls1_handle_timeout() calls dtls1_double_timeout() which was calling dtls1_start_timer(). However dtls1_start_timer() is also called directly by dtls1_handle_timeout(). We only need to start the timer once. Fixes #15561 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15595) (cherry picked from commit f570d33b02d824e2a3f676f718c4692572f45333) * s390x: cipher must set EVP_CIPH_ALWAYS_CALL_INIT flag The s390x cipher implementations must call their init function even if the key argument is NULL to allow initializing the cipher operation's context in any order. Signed-off-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14900) * Test EVP_CipherInit sequences and resets Various EVP_CipherInit sequences including partial inits and initializations with different "enc" flags caused problems on s390x. Similarly, cipher reinitialization and especially GCM reinitialization with different tag length led to wrong results. Add some unit tests to cover these rather exotic use cases. Signed-off-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14900) * Clean away remaining Travis related files Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15693) * enable getauxval on android 10 Fixes #9498 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15870) * Use getauxval on Android with API level > 18 We received analytics that devices of the device family Oppo A37x are crashing with SIGILL when trying to load libcrypto.so. These crashes were fixed by using the system-supplied getauxval function. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15763) * Add riscv64 target Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14724) * apple getentropy removal backport of #15924 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15935) * Fix use of uninitialized memory in test_rsa_oaep 48f1739600f33c92387debce2002acec6e365f1d did not convert the RSA OAEP tests correctly. The corrupted ciphertext and truncation tests were really decrypting uninitialized memory, rather than the sample ciphertext. This results in an error in tools like MSan. The test is somewhat roundabout. In the original version, before the conversion, ctext_ex was an OAEP test vector from key1(), etc., functions. The test would: 1. Encrypt ptext_ex as ctext. 2. Decrypt ctext and check it gives ptext_ex. 3. Decrypt ctext_ex and check it gives ptext_ex. 4. Try corrupted and truncated versions of ctext. 48f1739600f33c92387debce2002acec6e365f1d then moved steps 1 and 2 into test_rsa_simple, which meant ctext is no longer available for step 4. It then mistakenly left the variable around, but uninitialized, so the test wasn't testing anything. (Confusingly, test_rsa_simple outputs ctext_ex to the caller, but doesn't do anything with it. The ctext_ex output is also only usable for OAEP, not PKCS#1 v1.5.) It doesn't really matter whether we use ctext or ctext_ex for step 4, so this PR fixes it by using ctext_ex instead. Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15950) (cherry picked from commit 36a4637e158508f5d2fb7750e4870888072a56f9) * doc: Mention the update of der data pointers in d2i/i2d Fixes #15958 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15973) * bn: procduce correct sign for result of BN_mod() There is a problem that appears when calling BN_div(a, c, a, b) with negative b. In this case, the sign of the remainder c is incorrect. The problem only occurs if the dividend and the quotient are the same BIGNUM. Fixes #15982 Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15991) (cherry picked from commit 105c83150f15af3f78ea0758859062842bdbe30e) * Fix memory leak in i2d_ASN1_bio_stream When creating a signed S/MIME message using SMIME_write_CMS() if the reading from the bio fails, the state is therefore still ASN1_STATE_START when BIO_flush() is called by i2d_ASN1_bio_stream(). This results in calling asn1_bio_flush_ex cleanup but will only reset retry flags as the state is not ASN1_STATE_POST_COPY. Therefore 48 bytes (Linux x86_64) leaked since the ndef_prefix_free / ndef_suffix_free callbacks are not executed and the ndef_aux structure is not freed. By always calling free function callback in asn1_bio_free() the memory leak is fixed. (cherry picked from commit 3a1d2b59522163ebb83bb68e13c896188dc222c6) Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15999) * ssl: do not choose auto DH groups that are weaker than the security level manual merge from https://github.com/openssl/openssl/pull/15818 id d7b5c648d682b499b71320a03747602a6ba4dec3 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15832) * test: add test for auto DH security level meets the minimum Manual merge from https://github.com/openssl/openssl/pull/15818 Commit id d0e5230dcecc6013d351545ceb275aa2ba5baa80 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15832) * Fix s_server PSK handling Issue #15951 describes a scenario which causes s_server to fail when using a PSK. In the originally described issue this only impacted master and not 1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you additionally supply the option "-no_ticket" to the s_server command line. The difference between the behaviour in master and 1.1.1 is due to 9c13b49, which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that a default OpenSSL TLSv1.3 ticket length happens to fall between those 2 values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing "no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just forces the use of "session ids as a ticket" instead. This significantly reduces the ticket size to below 128 in 1.1.1. The problem was due to s_server setting a TLSv1.2 PSK callback and a TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK callbacks also work in TLSv1.3 but are not preferred. In the described scenario we use a PSK to create the initial connection. Subsequent to that we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback. Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's TLSv1.2 PSK callback accepts the identity regardless, even though it is an unexpected value, and hence the binder subsequently fails to verify. The fix is to bail early in the TLSv1.2 callback if we detect we are being called from a TLSv1.3 connection. Fixes #15951 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16008) (cherry picked from commit 0007ff257c95f5cd046799e492436f41caf4ecb2) * TEST: Check that i2d refuses to encode non-optional items with no content The test case creates an RSA public key and tries to pass it through i2d_PrivateKey(). This SHOULD fail, since the private bits are missing. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * ASN.1: Refuse to encode to DER if non-optional items are missing Fixes #16026 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN ASN1_FBOOLEAN is designed to use as a default for optional ASN1 items. This test program used it for non-optional items, which doesn't encode well. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Fix test/asn1_encode_test.c to handle encoding/decoding failure Make it only report (and fail on) encoding/decoding failures when success is expected. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * make update (adds a new function code) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Avoid "excessive message size" for session tickets We received a report of an "excessive message size" for a received session ticket. Our maximum size was significantly less than the theoretical maximum. The server may put any data it likes in the session ticket including (for example) the full certificate chain so we should be able to handle longer tickets. Update the value to the maximum allowed by the spec. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15877) (cherry picked from commit e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681) * BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given The flag only affects which record types are queried via DNS (A or AAAA, or both). When node is NULL and AF_UNSPEC is used, it prevents getaddrinfo returning the right address associated with the loopback interface. Signed-off-by: Daiki Ueno <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16039) * Avoid empty lines in nmake rule bodies nmake is tolerant of those empty lines, but jom isn't. That tolerance isn't standard make behaviour, so we lean towards avoiding them. We simply use '@rem' instead. Fixes #16014 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16047) * apps: Use the first detected address family if IPv6 is not available This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c. Even when the host does not support IPv6 at all, BIO_lookup_ex may now return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of the ai_next field. After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function prefers the IPv6 address and fails on the BIO_socket call. This adds a fallback code to retry with the IPv4 address returned as the first element to avoid the error. The failure had been partially avoided in the previous code with AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no IPv6 address is associated with external interface. However, it would be still a problem if the external interface has an IPv6 address assigned, while the loopback interface doesn't. Signed-off-by: Daiki Ueno <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16078) * Don't reset the packet pointer in ssl3_setup_read_buffer Sometimes this function gets called when the buffers have already been set up. If there is already a partial packet in the read buffer then the packet pointer will be set to an incorrect value. The packet pointer already gets reset to the correct value when we first read a packet anyway, so we don't also need to do it in ssl3_setup_read_buffer. Fixes #13729 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16098) * Disallow SSL_key_update() if there are writes pending If an application is halfway through writing application data it should not be allowed to attempt an SSL_key_update() operation. Instead the SSL_write() operation should be completed. Fixes #12485 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16098) * Fix some minor record layer issues Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit ca001524971ccd595bc0e9843611e6784adfc981) Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16105) * Fix a read buffer overrun in X509_aux_print(). The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler <[email protected]> checked my patch to fix the same bug in LibreSSL, see http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. CLA: trivial Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16108) (cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67) * DSA/RSA_print(): Fix potential memory leak Fixes #10777 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16130) (cherry picked from commit 40184c96103a388209939c1c19920971c05bb78c) * [doc/man3] documentation: BN_cmp manpage updates Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16214) (cherry picked from commit 3d4ca443b4778e3230ff23f17625f58f815a9142) * Revert "make update (adds a new function code)" This reverts commit ea26844c4f624ef515d9228d3b623761a369b049. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "Fix test/asn1_encode_test.c to handle encoding/decoding failure" This reverts commit f1d97905bbd8679b7647c992b97f526791069040. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN" This reverts commit 5434acb6c4d56507d761b28f7e142ccab808a8fa. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "ASN.1: Refuse to encode to DER if non-optional items are missing" This reverts commit 006906cddda37e24a66443199444ef4476697477. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "TEST: Check that i2d refuses to encode non-optional items with no content" This reverts commit 12e9b74c513a8ed3c1c260cf25221a465ae14b84. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Fix potential double-free The `sk` variable is assigned to `s->session->peer_chain`. If `ssl3_digest_cached_records()` were to fail, then `sk` would still be non-NULL, and subsequently freed on the error return. When the session is freed, it will then attempt to free `s->session->peer_chain`, resulting in a double-free (of `sk`). Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16309) (cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef) * s390x: AES OFB/CFB: Maintain running IV from cipher context Copy the current IV from the cipher context into the kmo/kmf param before the operation, and copy the modified IV back to the context afterwards. Without this, an application that obtains the running IV from the context would still get the original IV, but not the updated one. Signed-off-by: Ingo Franzki <[email protected]> Reviewed-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16292) * Test EVP Cipher updating the context's IV Ensure that an EVP_CipherUpdate operation updates the context's IV for AES CBC, CFB, OFB, and CTR. An application can get the updated IV via EVP_CIPHER_CTX_iv(). The s390x implementation of the CFB and OFB ciphers did not update the IV in the context, but only within its s390x specific context data. Signed-off-by: Ingo Franzki <[email protected]> Reviewed-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16292) * pkcs12: check for zero length digest to avoid division by zero Fixes #16331 Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Kurt Roeckx <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16333) * [github-ci] Sync ci.yml workflow with master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import windows.yml workflow from master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import cross-compiles.yml workflow from master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import run-checker workflows from master This commit does not include the daily run-checker workflow. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import run-checker daily workflow from master The daily run-checker is scheduled to start at 6:42, instead of the start of the hour. The official GitHub documentation remarks the following regarding scheduled workflows: > Note: The schedule event can be delayed during periods of high loads > of GitHub Actions workflow runs. High load times include the start of > every hour. To decrease the chance of delay, schedule your workflow to > run at a different time of the hour. 42, obviously, has been picked because it is the answer to the ultimate question of life, the universe, and everything. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][cross-compiles.yml] Disable sparcv9 This commit temporarily disables cross-compiling tests for sparcv9, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable krb5 external tests This commit temporarily disables krb5 external tests, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable pyca external tests This commit temporarily disables pyca external tests, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][run-checker-ci.yml] Disable no-tls1_3 tests This commit temporarily disables tests for no-tls1_3, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable memory sanitizer build In 1.1.1 currently we do not support running multiple tests in parallel, and the `--debug -O1` msan build required more than 3h to run the tests. This commit temporarily disables this build configuration. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][run-checker-merge.yml] Disable ubsan build This commit temporarily disables the ubsan build, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Add comment about our approach to GitHub Actions CI Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * Revert "[github-ci][cross-compiles.yml] Disable sparcv9" This reverts commit aa23aa759cf33b4f481fc719d42cb7bae8b2eaf0. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16336) * sparc: fix cross compile build (cherry picked from commit 64fac96de81d3dc19cc0c9045c341f0dec818075) Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16336) * Fix i2v_GENERAL_NAME to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix POLICYINFO printing to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix the name constraints code to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix test code to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix append_ia5 function to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix NETSCAPE_SPKI_print function to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix EC_GROUP_new_from_ecparameters to check the base length Check that there's at least one byte in params->base before trying to read it. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Allow fuzz builds to detect string overruns If FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is defined then we don't NUL terminate ASN1_STRING datatypes. This shouldn't be necessary but we add it any for safety in normal builds. Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix the error handling in i2v_AUTHORITY_KEYID Previously if an error path is entered a leak could result. Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Correctly calculate the length of SM2 plaintext given the ciphertext Previously the length of the SM2 plaintext could be incorrectly calculated. The plaintext length was calculated by taking the ciphertext length and taking off an "overhead" value. The overhead value was assumed to have a "fixed" element of 10 bytes. This is incorrect since in some circumstances it can be more than 10 bytes. Additionally the overhead included the length of two integers C1x and C1y, which were assumed to be the same length as the field size (32 bytes for the SM2 curve). However in some cases these integers can have an additional padding byte when the msb is set, to disambiguate them from negative integers. Additionally the integers can also be less than 32 bytes in length in some cases. If the calculated overhead is incorrect and larger than the actual value this can result in the calculated plaintext length being too small. Applications are likely to allocate buffer sizes based on this and therefore a buffer overrun can occur. CVE-2021-3711 Issue reported by John Ouyang. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> * Extend tests for SM2 decryption Check the case where C1y < 32 bytes in length (i.e. short overhead), and also the case with longer plaintext and C1x and C1y > 32 bytes in length (i.e. long overhead) Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> * Check the plaintext buffer is large enough when decrypting SM2 Previously there was no check that the supplied buffer was large enough. It was just assumed to be sufficient. Instead we should check and fail if not. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> * Updates to CHANGES and NEWS for the new release Reviewed-by: Richard Levitte <[email protected]> * Update copyright year Reviewed-by: Richard Levitte <[email protected]> * Run make update Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1l release Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1m-dev Reviewed-by: Richard Levitte <[email protected]> * Fix the array size of dtlsseq in tls1_enc Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16385) (cherry picked from commit 562d4cd3c35b32f2bc6ac0770b80ce394f8d76a4) * Avoid using undefined value in generate_stateless_cookie_callback Reviewed-by: Paul Yang <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16381) * Fix some strict gcc-12 warnings Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16375) * apps/ciphers: Fix wrong return value when using -convert parameter Command 'openssl ciphers -convert <name>' always returns failure, this patch set the correct return value. Signed-off-by: Tianjia Zhang <[email protected]> Reviewed-by: Paul Yang <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16383) (cherry picked from commit 8b4e9c5265ffd3457ad37133502a9d8a4e8daccd) * Check for null-pointer dereference in dh_cms_set_peerkey Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16382) * ts: fix memleaks caused by TS_VERIFY_CTX_set_imprint CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16347) (cherry picked from commit 62bae84d4587ec9a56d0ce830e36e4a5b2fa8a33) * Darwin platform allows to build on releases before Yosemite/ios 8. issue #16407 #16408 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16409) * cms: fix memleaks in cms_env.c CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16403) * Fix instances of pointer addition with the NULL pointer ubsan found undefined pointer addtions in crypto/bio/bss_mem.c (mem_ctrl), crypto/pem/pem_lib.c (PEM_read_bio_ex), test/testutil/format_output.c (test_fail_string_common, test_fail_memory_common). Mostly a straight back-port-of: a07dc81 Additionally enable the ubsan run-checker, to prevent regressions. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16423) * Fix enable-asan with C++ buildtest the following config: ./config no-shared enable-asan enable-buildtest-c++ enable-external-tests fails to build with unresolved asan symbols when linking test/ossl_shim/ossl_shim Fixed by passing all sanitizer-flags to cxxflags. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16434) * Fix the "Out of memory" EVP KDF scrypt test This test did not really execute, since usually the OPENSSL_malloc(0) will fail and prevent the execution of the KDF. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16446) * Ensure that _GNU_SOURCE is defined for bss_dgram.c This fixes the following error with gcc10 under strict ANSI conditions: .../crypto/bio/bss_dgram.c:373:20: error: 'const struct in6_addr' has no member named 's6_addr32' CLA: trivial Fixes #16449 Reviewed-by: Bernd Edlinger <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16451) (cherry picked from commit e8e1f6d1a9e599d575431f559200018b8f822e0f) * Fix no-tls1_3 tests This recently added test needs DH2048 to work without tls1_3. Fixes: #16335 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16453) * Add tests for i2d_TYPE_fp and d2i_TYPE_fp These functions are part of the public API but we don't have tests covering their usage. They are actually implemented as macros and the absence of tests has caused them to fall out-of-sync with the latest changes to ASN1 related functions and cause compilation warnings. @@ Note: This commit limits to ECPKParameters as a type. (cherry picked from commit ea1128e94e36fa9fa25278dc6b3f5b42d8735782) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12457) * Fix d2i_ECPKParameters_fp and i2d_ECPKParameters_fp macros These functions are part of the public API but we don't have tests covering their usage. They are actually implemented as macros and the absence of tests has caused them to fall out-of-sync with the latest changes to ASN1 related functions and cause compilation warnings. This commit fixes the public headers to reflect these changes. Fixes #12443 (cherry picked from commit cca8a4cedaafe63b0b5729b72133661ece24ff08) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12457) * [ec] Do not default to OPENSSL_EC_NAMED_CURVE for curves without OID Some curves don't have an associated OID: for those we should not default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and instead set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`. This is a follow-up to https://github.com/openssl/openssl/pull/12312 (cherry picked from commit 7aa3dfc42104588f65301d20324388ac2c9a6b11) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12457) * Use applink to fix windows tests (cherry picked from commit <https://github.com/bernd-edlinger/openssl/commit/96a463cede0070aa5c86629d683a214657a9ba9e>) Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12457) * Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests Fixes #16428 Reviewed-by: Bernd Edlinger <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16441) * ci: Add -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to asan build Reviewed-by: Bernd Edlinger <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16441) * Openssl fails to compile on Debian with kfreebsd kernels (kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler is: ../crypto/uid.c: In function 'OPENSSL_issetugid': ../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function) 50 | return getauxval(AT_SECURE) != 0; | ^~~~~~~~~ This commit changes the code to use the freebsd code in this case. This fixes the compilation. CLA: trivial Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16477) (cherry picked from commit 3a1fa0116a92235ba200228e4bb60d6a3a7f4113) * doc: document the rsa_oaep_md: pkeyopt This was missing but essential for using non-SHA1 digests with OAEP. Fixes #15998 Manual backport of #16410 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Tim Hudson <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16488) * Prioritise DANE TLSA issuer certs over peer certs When building the certificate chain, prioritise any Cert(0) Full(0) certificates from TLSA records over certificates received from the peer. This is important when the server sends a cross cert, but TLSA records include the underlying root CA cert. We want to construct a chain with the issuer from the TLSA record, which can then match the TLSA records (while the associated cross cert may not). Reviewed-by: Tomáš Mráz <[email protected]> * Test for DANE cross cert fix Reviewed-by: Tomáš Mráz <[email protected]> * test/ec_internal_test: link with libapps.a too Whenever the source from $target{apps_init_src} is added to the source of a test program, it needs to be linked with libapps.a as well. Some init sources depend on that. Without this, builds break on VMS because of the unresolved symbol 'app_malloc'. On platforms that do not need anything from libapps.a, adding it is a no-op. This is for OpenSSL 1.1.1 only. OpenSSL 3.0 and beyond have a different solution. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16512) * VMS: Compensate for compiler type incompatibility The compiler says that 'unsigned long long' isn't the same as 'unsigned __int64'. Sure, and considering that crypto/rand/rand_vms.c is specific VMS only code, it's easy to just change the type to the exact same as what's specified in the system headers. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15613) * DOCS: Update the page for 'openssl passwd' to not duplicate some info The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning any other options or even mentioning that there are more algorithms. The simple fix is to remove that sentence and let the OPTIONS section speak for itself. Fixes #16529 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16531) (cherry picked from commit 116799ff6a8fc803ec4685fc432c7329d0511e23) * VMS: Fix misspelt type '__int64', not 'int64_t' Ref: commit 2e5cdbc18a1a26bfc817070a52689886fa0669c2 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16557) * Fix nc_email to check ASN1 strings with NULL byte in the middle Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16524) (cherry picked from commit 485d0790ac1a29a0d4e7391d804810d485890376) * MacOS prior to 10.12 does not support random API correctly Fixes #16517 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16587) * Clarify what SSL_get_session() does on the server side in TLSv1.3 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16582) (cherry picked from commit 9e51f877930dbd4216438a5da3c9612bf4d0a918) * Correct the documentation for SSL_set_num_tickets() The behaviour for what happens in a resumption connection was not quite described correctly. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16582) (cherry picked from commit 4603b782e6dbed493d2f38db111abc05df66fb99) * ssl: Correct filename in README Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16671) * Add sm2 encryption test case from GM/T 0003.5-2012 Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16511) (cherry picked from commit 8ba65c35ea3af347c3b2adc8e665066b541a1c35) * doc/man3/SSL_set_fd.pod: add note about Windows compiler warning According to an old stackoverflow thread [1], citing an even older comment by Andy Polyakov (1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05), a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the socket() implementation on Windows returns an index into the kernel handle table, the size of which is limited to 2^24 [3]. Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow. [1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64 [2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2 [3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16699) (cherry picked from commit f8dd5869bca047a23599ac925aace70efcf487ad) * Fix a NPD bug in engines/e_dasync.c The dasync_aes_128_cbc_hmac_sha1 cipher depends on EVP_aes_128_cbc_hmac_sha1() returning a NON-NULL value. We should simply not advertise this cipher otherwise. Fixes: #7950 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16722) * Fix a memory leak in the afalg engine Fixes: #16743 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16744) (cherry picked from commit 6f6a5e0c7c41b6b3639e51f435cd98bb3ae061bc) * Fix some possible memory leaks in EVP_CipherInit_ex An EVP_CONTEXT with zero cipher but non-zero engine, and/or cipher_data is possible if an error happens in EVP_CTRL_INIT or in EVP_CTRL_COPY, the error handling will just clear the cipher in that case. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16756) * Fix double-free in e_dasync.c When the cipher is copied, the inner_cihper_data need to be copied as well, using the EVP_CTRL_COPY method. The EVP_CIPH_CUSTOM_COPY bit needs to be set as well. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16751) * Bindhost/bindport should be freed Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16775) (cherry picked from commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9) * New extensions can be sent in a certificate request Normally we expect a client to send new extensions in the ClientHello, which may be echoed back by the server in subsequent messages. However the server can also send a new extension in the certificate request message to be echoed back in a certificate message Fixes #16632 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16634) (cherry picked from commit cbb862fbaaa1ec5a3e33836bc92a6dbea97ceba0) * Extend custom extension testing Test the scenario where we add a custom extension to a cetificate request and expect a response in the client's certificate message. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16634) (cherry picked from commit 0db3a9904fa00569905be130854a31dab7b8f49d) * Fix test/recipes/01-test_symbol_presence.t to allow for stripped libraries It's a small change to the 'nm' call, to have it look at dynamic symbols rather than the normal ones. Fixes #16810 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16822) (cherry picked from commit a85b4de6a6cbe03c46219d4b1c3b2828ca3fd51c) * Fix test/recipes/01-test_symbol_presence.t to disregard version info The output of 'nm -DPg' contains version info attached to the symbols, which makes the test fail. Simply dropping the version info makes the test work again. Fixes #16810 (followup) Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16840) (cherry picked from commit 73970cb91fdf8e7b4b434d479b875a47a0aa0dbc) * test/ssl_old_test.c: Fix potential leak Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16806) (cherry picked from commit 34563be5368fb8e6ade7d06d8376522ba83cd6ac) * Ensure pkey_set_type handles ENGINE references correctly pkey_set_type should not consume the ENGINE references that may be passed to it. Fixes #16757 Reviewed-by: Tomas Mraz <[email protected]> (…

* Add riscv64 target Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/14724) * apple getentropy removal backport of #15924 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15935) * Fix use of uninitialized memory in test_rsa_oaep 48f1739600f33c92387debce2002acec6e365f1d did not convert the RSA OAEP tests correctly. The corrupted ciphertext and truncation tests were really decrypting uninitialized memory, rather than the sample ciphertext. This results in an error in tools like MSan. The test is somewhat roundabout. In the original version, before the conversion, ctext_ex was an OAEP test vector from key1(), etc., functions. The test would: 1. Encrypt ptext_ex as ctext. 2. Decrypt ctext and check it gives ptext_ex. 3. Decrypt ctext_ex and check it gives ptext_ex. 4. Try corrupted and truncated versions of ctext. 48f1739600f33c92387debce2002acec6e365f1d then moved steps 1 and 2 into test_rsa_simple, which meant ctext is no longer available for step 4. It then mistakenly left the variable around, but uninitialized, so the test wasn't testing anything. (Confusingly, test_rsa_simple outputs ctext_ex to the caller, but doesn't do anything with it. The ctext_ex output is also only usable for OAEP, not PKCS#1 v1.5.) It doesn't really matter whether we use ctext or ctext_ex for step 4, so this PR fixes it by using ctext_ex instead. Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15950) (cherry picked from commit 36a4637e158508f5d2fb7750e4870888072a56f9) * doc: Mention the update of der data pointers in d2i/i2d Fixes #15958 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15973) * bn: procduce correct sign for result of BN_mod() There is a problem that appears when calling BN_div(a, c, a, b) with negative b. In this case, the sign of the remainder c is incorrect. The problem only occurs if the dividend and the quotient are the same BIGNUM. Fixes #15982 Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15991) (cherry picked from commit 105c83150f15af3f78ea0758859062842bdbe30e) * Fix memory leak in i2d_ASN1_bio_stream When creating a signed S/MIME message using SMIME_write_CMS() if the reading from the bio fails, the state is therefore still ASN1_STATE_START when BIO_flush() is called by i2d_ASN1_bio_stream(). This results in calling asn1_bio_flush_ex cleanup but will only reset retry flags as the state is not ASN1_STATE_POST_COPY. Therefore 48 bytes (Linux x86_64) leaked since the ndef_prefix_free / ndef_suffix_free callbacks are not executed and the ndef_aux structure is not freed. By always calling free function callback in asn1_bio_free() the memory leak is fixed. (cherry picked from commit 3a1d2b59522163ebb83bb68e13c896188dc222c6) Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15999) * ssl: do not choose auto DH groups that are weaker than the security level manual merge from https://github.com/openssl/openssl/pull/15818 id d7b5c648d682b499b71320a03747602a6ba4dec3 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15832) * test: add test for auto DH security level meets the minimum Manual merge from https://github.com/openssl/openssl/pull/15818 Commit id d0e5230dcecc6013d351545ceb275aa2ba5baa80 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15832) * Fix s_server PSK handling Issue #15951 describes a scenario which causes s_server to fail when using a PSK. In the originally described issue this only impacted master and not 1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you additionally supply the option "-no_ticket" to the s_server command line. The difference between the behaviour in master and 1.1.1 is due to 9c13b49, which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that a default OpenSSL TLSv1.3 ticket length happens to fall between those 2 values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing "no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just forces the use of "session ids as a ticket" instead. This significantly reduces the ticket size to below 128 in 1.1.1. The problem was due to s_server setting a TLSv1.2 PSK callback and a TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK callbacks also work in TLSv1.3 but are not preferred. In the described scenario we use a PSK to create the initial connection. Subsequent to that we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback. Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's TLSv1.2 PSK callback accepts the identity regardless, even though it is an unexpected value, and hence the binder subsequently fails to verify. The fix is to bail early in the TLSv1.2 callback if we detect we are being called from a TLSv1.3 connection. Fixes #15951 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16008) (cherry picked from commit 0007ff257c95f5cd046799e492436f41caf4ecb2) * TEST: Check that i2d refuses to encode non-optional items with no content The test case creates an RSA public key and tries to pass it through i2d_PrivateKey(). This SHOULD fail, since the private bits are missing. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * ASN.1: Refuse to encode to DER if non-optional items are missing Fixes #16026 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN ASN1_FBOOLEAN is designed to use as a default for optional ASN1 items. This test program used it for non-optional items, which doesn't encode well. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Fix test/asn1_encode_test.c to handle encoding/decoding failure Make it only report (and fail on) encoding/decoding failures when success is expected. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * make update (adds a new function code) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16027) * Avoid "excessive message size" for session tickets We received a report of an "excessive message size" for a received session ticket. Our maximum size was significantly less than the theoretical maximum. The server may put any data it likes in the session ticket including (for example) the full certificate chain so we should be able to handle longer tickets. Update the value to the maximum allowed by the spec. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15877) (cherry picked from commit e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681) * BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given The flag only affects which record types are queried via DNS (A or AAAA, or both). When node is NULL and AF_UNSPEC is used, it prevents getaddrinfo returning the right address associated with the loopback interface. Signed-off-by: Daiki Ueno <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16039) * Avoid empty lines in nmake rule bodies nmake is tolerant of those empty lines, but jom isn't. That tolerance isn't standard make behaviour, so we lean towards avoiding them. We simply use '@rem' instead. Fixes #16014 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16047) * apps: Use the first detected address family if IPv6 is not available This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c. Even when the host does not support IPv6 at all, BIO_lookup_ex may now return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of the ai_next field. After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function prefers the IPv6 address and fails on the BIO_socket call. This adds a fallback code to retry with the IPv4 address returned as the first element to avoid the error. The failure had been partially avoided in the previous code with AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no IPv6 address is associated with external interface. However, it would be still a problem if the external interface has an IPv6 address assigned, while the loopback interface doesn't. Signed-off-by: Daiki Ueno <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16078) * Don't reset the packet pointer in ssl3_setup_read_buffer Sometimes this function gets called when the buffers have already been set up. If there is already a partial packet in the read buffer then the packet pointer will be set to an incorrect value. The packet pointer already gets reset to the correct value when we first read a packet anyway, so we don't also need to do it in ssl3_setup_read_buffer. Fixes #13729 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16098) * Disallow SSL_key_update() if there are writes pending If an application is halfway through writing application data it should not be allowed to attempt an SSL_key_update() operation. Instead the SSL_write() operation should be completed. Fixes #12485 Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16098) * Fix some minor record layer issues Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit ca001524971ccd595bc0e9843611e6784adfc981) Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16105) * Fix a read buffer overrun in X509_aux_print(). The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler <[email protected]> checked my patch to fix the same bug in LibreSSL, see http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. CLA: trivial Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16108) (cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67) * DSA/RSA_print(): Fix potential memory leak Fixes #10777 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16130) (cherry picked from commit 40184c96103a388209939c1c19920971c05bb78c) * [doc/man3] documentation: BN_cmp manpage updates Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16214) (cherry picked from commit 3d4ca443b4778e3230ff23f17625f58f815a9142) * Revert "make update (adds a new function code)" This reverts commit ea26844c4f624ef515d9228d3b623761a369b049. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "Fix test/asn1_encode_test.c to handle encoding/decoding failure" This reverts commit f1d97905bbd8679b7647c992b97f526791069040. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN" This reverts commit 5434acb6c4d56507d761b28f7e142ccab808a8fa. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "ASN.1: Refuse to encode to DER if non-optional items are missing" This reverts commit 006906cddda37e24a66443199444ef4476697477. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Revert "TEST: Check that i2d refuses to encode non-optional items with no content" This reverts commit 12e9b74c513a8ed3c1c260cf25221a465ae14b84. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16308) * Fix potential double-free The `sk` variable is assigned to `s->session->peer_chain`. If `ssl3_digest_cached_records()` were to fail, then `sk` would still be non-NULL, and subsequently freed on the error return. When the session is freed, it will then attempt to free `s->session->peer_chain`, resulting in a double-free (of `sk`). Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16309) (cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef) * s390x: AES OFB/CFB: Maintain running IV from cipher context Copy the current IV from the cipher context into the kmo/kmf param before the operation, and copy the modified IV back to the context afterwards. Without this, an application that obtains the running IV from the context would still get the original IV, but not the updated one. Signed-off-by: Ingo Franzki <[email protected]> Reviewed-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16292) * Test EVP Cipher updating the context's IV Ensure that an EVP_CipherUpdate operation updates the context's IV for AES CBC, CFB, OFB, and CTR. An application can get the updated IV via EVP_CIPHER_CTX_iv(). The s390x implementation of the CFB and OFB ciphers did not update the IV in the context, but only within its s390x specific context data. Signed-off-by: Ingo Franzki <[email protected]> Reviewed-by: Patrick Steuer <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16292) * pkcs12: check for zero length digest to avoid division by zero Fixes #16331 Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Kurt Roeckx <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16333) * [github-ci] Sync ci.yml workflow with master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import windows.yml workflow from master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import cross-compiles.yml workflow from master Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import run-checker workflows from master This commit does not include the daily run-checker workflow. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Import run-checker daily workflow from master The daily run-checker is scheduled to start at 6:42, instead of the start of the hour. The official GitHub documentation remarks the following regarding scheduled workflows: > Note: The schedule event can be delayed during periods of high loads > of GitHub Actions workflow runs. High load times include the start of > every hour. To decrease the chance of delay, schedule your workflow to > run at a different time of the hour. 42, obviously, has been picked because it is the answer to the ultimate question of life, the universe, and everything. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][cross-compiles.yml] Disable sparcv9 This commit temporarily disables cross-compiling tests for sparcv9, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable krb5 external tests This commit temporarily disables krb5 external tests, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable pyca external tests This commit temporarily disables pyca external tests, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][run-checker-ci.yml] Disable no-tls1_3 tests This commit temporarily disables tests for no-tls1_3, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][ci.yml] Disable memory sanitizer build In 1.1.1 currently we do not support running multiple tests in parallel, and the `--debug -O1` msan build required more than 3h to run the tests. This commit temporarily disables this build configuration. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci][run-checker-merge.yml] Disable ubsan build This commit temporarily disables the ubsan build, due to failures to be investigated in a dedicated PR. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * [github-ci] Add comment about our approach to GitHub Actions CI Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16252) * Revert "[github-ci][cross-compiles.yml] Disable sparcv9" This reverts commit aa23aa759cf33b4f481fc719d42cb7bae8b2eaf0. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16336) * sparc: fix cross compile build (cherry picked from commit 64fac96de81d3dc19cc0c9045c341f0dec818075) Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16336) * Fix i2v_GENERAL_NAME to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix POLICYINFO printing to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix the name constraints code to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix test code to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix append_ia5 function to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix NETSCAPE_SPKI_print function to not assume NUL terminated strings ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix EC_GROUP_new_from_ecparameters to check the base length Check that there's at least one byte in params->base before trying to read it. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Allow fuzz builds to detect string overruns If FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is defined then we don't NUL terminate ASN1_STRING datatypes. This shouldn't be necessary but we add it any for safety in normal builds. Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Fix the error handling in i2v_AUTHORITY_KEYID Previously if an error path is entered a leak could result. Reviewed-by: Viktor Dukhovni <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Correctly calculate the length of SM2 plaintext given the ciphertext Previously the length of the SM2 plaintext could be incorrectly calculated. The plaintext length was calculated by taking the ciphertext length and taking off an "overhead" value. The overhead value was assumed to have a "fixed" element of 10 bytes. This is incorrect since in some circumstances it can be more than 10 bytes. Additionally the overhead included the length of two integers C1x and C1y, which were assumed to be the same length as the field size (32 bytes for the SM2 curve). However in some cases these integers can have an additional padding byte when the msb is set, to disambiguate them from negative integers. Additionally the integers can also be less than 32 bytes in length in some cases. If the calculated overhead is incorrect and larger than the actual value this can result in the calculated plaintext length being too small. Applications are likely to allocate buffer sizes based on this and therefore a buffer overrun can occur. CVE-2021-3711 Issue reported by John Ouyang. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> * Extend tests for SM2 decryption Check the case where C1y < 32 bytes in length (i.e. short overhead), and also the case with longer plaintext and C1x and C1y > 32 bytes in length (i.e. long overhead) Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> * Check the plaintext buffer is large enough when decrypting SM2 Previously there was no check that the supplied buffer was large enough. It was just assumed to be sufficient. Instead we should check and fail if not. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> * Updates to CHANGES and NEWS for the new release Reviewed-by: Richard Levitte <[email protected]> * Update copyright year Reviewed-by: Richard Levitte <[email protected]> * Run make update Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1l release Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1m-dev Reviewed-by: Richard Levitte <[email protected]> * Fix the array size of dtlsseq in tls1_enc Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16385) (cherry picked from commit 562d4cd3c35b32f2bc6ac0770b80ce394f8d76a4) * Avoid using undefined value in generate_stateless_cookie_callback Reviewed-by: Paul Yang <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16381) * Fix some strict gcc-12 warnings Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16375) * apps/ciphers: Fix wrong return value when using -convert parameter Command 'openssl ciphers -convert <name>' always returns failure, this patch set the correct return value. Signed-off-by: Tianjia Zhang <[email protected]> Reviewed-by: Paul Yang <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16383) (cherry picked from commit 8b4e9c5265ffd3457ad37133502a9d8a4e8daccd) * Check for null-pointer dereference in dh_cms_set_peerkey Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16382) * ts: fix memleaks caused by TS_VERIFY_CTX_set_imprint CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16347) (cherry picked from commit 62bae84d4587ec9a56d0ce830e36e4a5b2fa8a33) * Darwin platform allows to build on releases before Yosemite/ios 8. issue #16407 #16408 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16409) * cms: fix memleaks in cms_env.c CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16403) * Fix instances of pointer addition with the NULL pointer ubsan found undefined pointer addtions in crypto/bio/bss_mem.c (mem_ctrl), crypto/pem/pem_lib.c (PEM_read_bio_ex), test/testutil/format_output.c (test_fail_string_common, test_fail_memory_common). Mostly a straight back-port-of: a07dc81 Additionally enable the ubsan run-checker, to prevent regressions. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16423) * Fix enable-asan with C++ buildtest the following config: ./config no-shared enable-asan enable-buildtest-c++ enable-external-tests fails to build with unresolved asan symbols when linking test/ossl_shim/ossl_shim Fixed by passing all sanitizer-flags to cxxflags. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16434) * Fix the "Out of memory" EVP KDF scrypt test This test did not really execute, since usually the OPENSSL_malloc(0) will fail and prevent the execution of the KDF. Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16446) * Ensure that _GNU_SOURCE is defined for bss_dgram.c This fixes the following error with gcc10 under strict ANSI conditions: .../crypto/bio/bss_dgram.c:373:20: error: 'const struct in6_addr' has no member named 's6_addr32' CLA: trivial Fixes #16449 Reviewed-by: Bernd Edlinger <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16451) (cherry picked from commit e8e1f6d1a9e599d575431f559200018b8f822e0f) * Fix no-tls1_3 tests This recently added test needs DH2048 to work without tls1_3. Fixes: #16335 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16453) * Add tests for i2d_TYPE_fp and d2i_TYPE_fp These functions are part of the public API but we don't have tests covering their usage. They are actually implemented as macros and the absence of tests has caused them to fall out-of-sync with the latest changes to ASN1 related functions and cause compilation warnings. @@ Note: This commit limits to ECPKParameters as a type. (cherry picked from commit ea1128e94e36fa9fa25278dc6b3f5b42d8735782) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12457) * Fix d2i_ECPKParameters_fp and i2d_ECPKParameters_fp macros These functions are part of the public API but we don't have tests covering their usage. They are actually implemented as macros and the absence of tests has caused them to fall out-of-sync with the latest changes to ASN1 related functions and cause compilation warnings. This commit fixes the public headers to reflect these changes. Fixes #12443 (cherry picked from commit cca8a4cedaafe63b0b5729b72133661ece24ff08) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12457) * [ec] Do not default to OPENSSL_EC_NAMED_CURVE for curves without OID Some curves don't have an associated OID: for those we should not default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and instead set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`. This is a follow-up to https://github.com/openssl/openssl/pull/12312 (cherry picked from commit 7aa3dfc42104588f65301d20324388ac2c9a6b11) Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12457) * Use applink to fix windows tests (cherry picked from commit <https://github.com/bernd-edlinger/openssl/commit/96a463cede0070aa5c86629d683a214657a9ba9e>) Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> (Merged from https://github.com/openssl/openssl/pull/12457) * Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests Fixes #16428 Reviewed-by: Bernd Edlinger <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16441) * ci: Add -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to asan build Reviewed-by: Bernd Edlinger <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16441) * Openssl fails to compile on Debian with kfreebsd kernels (kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler is: ../crypto/uid.c: In function 'OPENSSL_issetugid': ../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function) 50 | return getauxval(AT_SECURE) != 0; | ^~~~~~~~~ This commit changes the code to use the freebsd code in this case. This fixes the compilation. CLA: trivial Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16477) (cherry picked from commit 3a1fa0116a92235ba200228e4bb60d6a3a7f4113) * doc: document the rsa_oaep_md: pkeyopt This was missing but essential for using non-SHA1 digests with OAEP. Fixes #15998 Manual backport of #16410 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Tim Hudson <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16488) * Prioritise DANE TLSA issuer certs over peer certs When building the certificate chain, prioritise any Cert(0) Full(0) certificates from TLSA records over certificates received from the peer. This is important when the server sends a cross cert, but TLSA records include the underlying root CA cert. We want to construct a chain with the issuer from the TLSA record, which can then match the TLSA records (while the associated cross cert may not). Reviewed-by: Tomáš Mráz <[email protected]> * Test for DANE cross cert fix Reviewed-by: Tomáš Mráz <[email protected]> * test/ec_internal_test: link with libapps.a too Whenever the source from $target{apps_init_src} is added to the source of a test program, it needs to be linked with libapps.a as well. Some init sources depend on that. Without this, builds break on VMS because of the unresolved symbol 'app_malloc'. On platforms that do not need anything from libapps.a, adding it is a no-op. This is for OpenSSL 1.1.1 only. OpenSSL 3.0 and beyond have a different solution. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16512) * VMS: Compensate for compiler type incompatibility The compiler says that 'unsigned long long' isn't the same as 'unsigned __int64'. Sure, and considering that crypto/rand/rand_vms.c is specific VMS only code, it's easy to just change the type to the exact same as what's specified in the system headers. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/15613) * DOCS: Update the page for 'openssl passwd' to not duplicate some info The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning any other options or even mentioning that there are more algorithms. The simple fix is to remove that sentence and let the OPTIONS section speak for itself. Fixes #16529 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16531) (cherry picked from commit 116799ff6a8fc803ec4685fc432c7329d0511e23) * VMS: Fix misspelt type '__int64', not 'int64_t' Ref: commit 2e5cdbc18a1a26bfc817070a52689886fa0669c2 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16557) * Fix nc_email to check ASN1 strings with NULL byte in the middle Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16524) (cherry picked from commit 485d0790ac1a29a0d4e7391d804810d485890376) * MacOS prior to 10.12 does not support random API correctly Fixes #16517 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16587) * Clarify what SSL_get_session() does on the server side in TLSv1.3 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16582) (cherry picked from commit 9e51f877930dbd4216438a5da3c9612bf4d0a918) * Correct the documentation for SSL_set_num_tickets() The behaviour for what happens in a resumption connection was not quite described correctly. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16582) (cherry picked from commit 4603b782e6dbed493d2f38db111abc05df66fb99) * ssl: Correct filename in README Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16671) * Add sm2 encryption test case from GM/T 0003.5-2012 Reviewed-by: Nicola Tuveri <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16511) (cherry picked from commit 8ba65c35ea3af347c3b2adc8e665066b541a1c35) * doc/man3/SSL_set_fd.pod: add note about Windows compiler warning According to an old stackoverflow thread [1], citing an even older comment by Andy Polyakov (1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05), a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the socket() implementation on Windows returns an index into the kernel handle table, the size of which is limited to 2^24 [3]. Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow. [1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64 [2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2 [3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16699) (cherry picked from commit f8dd5869bca047a23599ac925aace70efcf487ad) * Fix a NPD bug in engines/e_dasync.c The dasync_aes_128_cbc_hmac_sha1 cipher depends on EVP_aes_128_cbc_hmac_sha1() returning a NON-NULL value. We should simply not advertise this cipher otherwise. Fixes: #7950 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16722) * Fix a memory leak in the afalg engine Fixes: #16743 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16744) (cherry picked from commit 6f6a5e0c7c41b6b3639e51f435cd98bb3ae061bc) * Fix some possible memory leaks in EVP_CipherInit_ex An EVP_CONTEXT with zero cipher but non-zero engine, and/or cipher_data is possible if an error happens in EVP_CTRL_INIT or in EVP_CTRL_COPY, the error handling will just clear the cipher in that case. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16756) * Fix double-free in e_dasync.c When the cipher is copied, the inner_cihper_data need to be copied as well, using the EVP_CTRL_COPY method. The EVP_CIPH_CUSTOM_COPY bit needs to be set as well. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16751) * Bindhost/bindport should be freed Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16775) (cherry picked from commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9) * New extensions can be sent in a certificate request Normally we expect a client to send new extensions in the ClientHello, which may be echoed back by the server in subsequent messages. However the server can also send a new extension in the certificate request message to be echoed back in a certificate message Fixes #16632 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16634) (cherry picked from commit cbb862fbaaa1ec5a3e33836bc92a6dbea97ceba0) * Extend custom extension testing Test the scenario where we add a custom extension to a cetificate request and expect a response in the client's certificate message. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16634) (cherry picked from commit 0db3a9904fa00569905be130854a31dab7b8f49d) * Fix test/recipes/01-test_symbol_presence.t to allow for stripped libraries It's a small change to the 'nm' call, to have it look at dynamic symbols rather than the normal ones. Fixes #16810 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16822) (cherry picked from commit a85b4de6a6cbe03c46219d4b1c3b2828ca3fd51c) * Fix test/recipes/01-test_symbol_presence.t to disregard version info The output of 'nm -DPg' contains version info attached to the symbols, which makes the test fail. Simply dropping the version info makes the test work again. Fixes #16810 (followup) Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16840) (cherry picked from commit 73970cb91fdf8e7b4b434d479b875a47a0aa0dbc) * test/ssl_old_test.c: Fix potential leak Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16806) (cherry picked from commit 34563be5368fb8e6ade7d06d8376522ba83cd6ac) * Ensure pkey_set_type handles ENGINE references correctly pkey_set_type should not consume the ENGINE references that may be passed to it. Fixes #16757 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16860) * Add tests for ENGINE problems Add some tests which would have caught the issues fixed in the previous commit related to engine handling. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16860) * Fix some documentation errors related to return values Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16794) (cherry picked from commit f1d077f1108b1bc2334350a4d53a46e29e082910) * Fix BIO_get_md_ctx return value check Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16792) * Fix the s_server psk_server_cb for use in DTLS Commit 0007ff257c added a protocol version check to psk_server_cb but failed to take account of DTLS causing DTLS based psk connections to fail. Fixes #16707 Reviewed-by: Ben Kaduk <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16838) (cherry picked from commit 8b09a9c76d873f62c2507fa9628a9c96c1d66d5c) * Fix no-cmac Reviewed-by: Bernd Edlinger <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16894) (cherry picked from commit ef2fb64f9dfde1965cb0b8a5f8765c4f467c1604) * Fix a gcc 11.2.0 warning gcc 11.2.0 is the default on Ubuntu 21.10. It emits a (spurious) warning when compiling test/packettest.c, which causes --strict-warnings builds to fail. A simple fix avoids the warning. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16887) (cherry picked from commit 37467b2752f75ce80437120f704452982b7c1998) * speed: range check the argument given to -multi for 1.1.1 Fixes #16899 for 1.1.1 branch. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16922) * check the return value of BN_new() and BN_dup() Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16948) (cherry picked from commit d99004fe5de934120765d342586f08d22131b8ed) * Fix a memory leak in tls_parse_stoc_key_share Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16957) * Fix a memory leak in ssl_create_cipher_list Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16955) * Fix: invoking x509_name_cannon improperly Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16974) (cherry picked from commit 09235289c377ff998964bb6b074bb2a3ad768fd2) * Reset the rwstate before calling ASYNC_start_job() If an async job pauses while processing a TLS connection then the rwstate gets set to SSL_ASYNC_PAUSED. When resuming the job we should reset the rwstate back to SSL_NOTHING. In fact we can do this unconditionally since if we're about to call ASYNC_start_job() then either we are about to start the async job for the first time (in which case the rwstate should already by SSL_NOTHING), or we are restarting it after a pause (in which case reseting it to SSL_NOTHING is the correct action). Fixes #16809 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17013) (cherry picked from commit 07f620e3acf0dd76a3a03ada9911c544aa483aa7) * free the Post-Handshake Auth digest when there is an error saving the digest Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Bernd Edlinger <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/16924) * evp: fix EVP_PKEY_get0_EC_KEY when EC_KEY is SM2 EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2) will change pkey->type to EVP_PKEY_SM2 CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17015) * Avoid loading of a dynamic engine twice Use the address of the bind function as a DYNAMIC_ID, since the true name of the engine is not known before the bind function returns, but invoking the bind function before the engine is unloaded results in memory corruption. Fixes #17023 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17073) (cherry picked from commit e2571e02d2b0cd83ed1c79d384fe941f27e603c0) * ERR: Add a missing common reason string There was no string present for ERR_R_PASSED_INVALID_ARGUMENT Reviewed-by: David von Oheimb <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17069) * Add a test case for duplicate engine loading Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17083) * DOC: Add a few previously documented functions d2i_X509_bio(), d2i_X509_fp(), i2d_X509_bio(), and i2d_X509_fp() were documented in OpenSSL 1.0.2. In a grand unification of the documentation of (almost) all d2i and i2d functions, these were dropped, most likely by mistake. This simply adds them back. Fixes #17091 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17093) * Fix detection of ARMv7 and ARM64 CPU features on FreeBSD OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25 Switch to using AT_HWCAP, and setting it to 16 if it is not defined. OpenSSL calls elf_auxv_info() with AT_CANARY which returns ENOENT resulting in all ARM acceleration features being disabled. CLA: trivial Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17082) (cherry picked from commit c1dabe26e3e96cdce0ffc929e9677840ad089ba5) * Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs The restriction about setting a tag length prior to setting the IV only applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG can be called. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17111) (cherry picked from commit 3607b8ad8ee1980a079e985333a196e0c79f8f00) * doc: fix macro name OSSL_STORE_INFO_X509 doesn't exist. It should be OSSL_STORE_INFO_CERT. Fixes #17121 Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17125) (cherry picked from commit 01fde90eec721b64bc0e1c01cd94a9fd431adcc6) * BIO_push.pod: fix confusing text and add details on corner cases Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17086) (cherry picked from commit 7a37fd09a8f3607ed8acf55e03479861595be069) * Fix speed, use OPENSSL_free instead of free Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17132) * TEST: Enable and fix test_bn2padded() in test/bntest.c This looks like old code, written when the padded variety of BN_bn2bin() was developped, and disabled by default... and forgotten. A few simple changes to update it to the current API is all that was needed to enable it. Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17133) (cherry picked from commit 23750f677ef61b6bea4e81f23f335ad08fc49b51) * No EtM for GOST ciphers Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17158) * Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17135) * BIO_f_ssl.pod: Make clear where an SSL BIOs are expected as an argument Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17135) * Fix documentation for tlsext_ticket_key The tlsext_ticket_key functions are documented as returning 0 on success. In fact they return 1 on success. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17210) (cherry picked from commit b0be101326f369f0dd547556d2f3eb3ef5ed0e33) * OBJ_nid2obj.pod: Replace remaining 'B<' by 'I<' were appropriate Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17221) * Fix a deadlock in OBJ_NAME_add This happened after an out of memory error: CRYPTO_THREAD_write_lock may hang in OBJ_NAME_add. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17236) * CI: Replace windows-2016 with windows-2022 Windows 2016 environment is going to be discontinued. We also replace windows-latest with windows-2019 so there aren't two identical builds done once windows-latest is switched to mean windows-2022. Fixes #17177 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17211) * Fix faulty detail in BN_rand() manual Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17131) * Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit targets bn_sqr_comba8 does for instance compute a wrong result for the value: a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45 The correct result is: r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899 but the actual result was: r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899 so the forth word of the result was 0x75be8e3c but should have been 0x75be8e3d instead. Likewise bn_sqr_comba4 has an identical bug for the same value as well: a=0x022181ba fd3aa878 899b2346 ee210f45 correct result: r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899 wrong result: r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899 Fortunately the bn_mul_comba4/8 code paths are not affected. Also the mips64 target does in fact not handle the carry propagation correctly. Example: a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000 022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001 correct result: r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 wrong result: r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17258) (cherry picked from commit 336923c0c8d705cb8af5216b29a205662db0d590) * Add some CHANGES entries for 1.1.1m Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17269) * Update copyright year Reviewed-by: Richard Levitte <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17271) * Update NEWS for 1.1.1m Reviewed-by: Matt Caswell <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17273) * Prepare for 1.1.1m release Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1n-dev Reviewed-by: Richard Levitte <[email protected]> * Fix the null pointer dereference Fixed #17296 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17302) * Fix Configure variable spill * Evaluating code-refs in Configure can sometimes set the default variable `$_` * Prevent spillage influencing the target property by using named variable in loop CLA: trivial Fixes gh-17321 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17322) (cherry picked from commit a595e3286ae9f033c56452967b3add2145f9085f) * document additional stack push error code Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17351) * Ensure s_client sends SNI data when used with -proxy The use of -proxy prevented s_client from correctly sending the target hostname as SNI data. Fixes #17232 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17249) * Add support for BSD-riscv64 target Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Paul Dale <[email protected]> (cherry picked from commit c2d1ad0e048dd3bfa60e6aa0b5ee343cc6d97a15) (cherry picked from commit fb72a093f88f7332069659994b67f6b19aceb865) (Merged from https://github.com/openssl/openssl/pull/17341) * OBJ_obj2txt(): fix off-by-one documentation of the result This backports the doc improvements of #17188. Reviewed-by: Tomas Mraz <[email protected]> (cherry picked from commit e36d10925396b6519e1abd338e1ef62cd5b1c9e6) * Update troublesome copyright years of auto-generated files to 2022 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17401) * apps/passwd.c: free before error exiting use goto instead of returning directly while error handling Signed-off-by: Peiwei Hu <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17404) (cherry picked from commit ea4d16bc60dee53feb71997c1e78379eeb69b7ac) * close_console: Always unlock as the lock is always held Fixes #17364 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17395) * Fix password_callback to handle short passwords Fixes #17426 Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17439) * Remove unsafe call to OPENSSL_cpuid_setup This function is inherently thread-unsafe, and moreover it is unnecessary here, because OPENSSL_init_crypto always calls it in a thread-safe way. Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17468) * Fix a leak in EVP_DigestInit_ex() If an EVP_MD_CTX is reused then memory allocated and stored in md_data can be leaked unless the EVP_MD's cleanup function is called. Fixes #17149 Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Bernd Edlinger <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17472) * Add a test for a custom digest created via EVP_MD_meth_new() We check that the init and cleanup functions for the custom method are called as expected. Based on an original reproducer by Dmitry Belyavsky from issue #17149. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Bernd Edlinger <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17472) * lhash: Avoid 32 bit right shift of a 32 bit value Fixes #17583 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17589) (cherry picked from commit 2ce0a3d19005271e7e3c351b562d9da93e2d4c80) * Ensure X509_STORE_CTX_purpose_inherit handles a 0 default purpose The function X509_STORE_CTX_purpose_inherit() can be called with a 0 default purpose. If the main purpose was set to X509_PURPOSE_ANY this would case the function to incorrectly return an error response. Fixes #17367 Reviewed-by: Shane Lontis <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17604) * Add a test for X509_STORE_CTX_set_purpose() This function was previously incorrectly failing if it is called with X509_PURPOSE_ANY. Add a test to catch this. Reviewed-by: Shane Lontis <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17604) * Document purpose and trust setting functions In particular: X509_STORE_CTX_set_purpose() X509_STORE_CTX_set_trust(); X509_STORE_CTX_purpose_inherit(); Reviewed-by: Shane Lontis <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17604) * Fix builds with DJGPP CLA: trivial To get the master branch compiled with DJGPP some minor adjustments are required. They will have no impact on any other ports. The DJGPP port uses the Watt-32 library to provide the required network functionality and some of its headers need to be included. Neither DJGPP nor the Watt-32 library provide in_addr_t thus it must be provided as it is done for OPENSSL_SYS_WINDOWS in crypto/bio/b_addr.c. In the DJGPP section of include/internal/sockets.h the following Watt-32 headers must be added: - arpa/inet.h: to provide declaration of inet_ntoa required in crypto/bio/b_addr.c - netinet/tcp.h: to provide defintion of TCP_NODELAY required in crypto/bio/b_sock2.c Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17623) (cherry picked from commit b9b211fcb6b9068ef1d8729a4971fbe693fd2cde) * Don't link test/ec_internal_test with libapps.a It's not at all necessary, and on some platforms, it's disruptive (leads to unresolved symbols because of object files that get included in the link that depend on libssl). Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17637) * Correct return type for BIO_ptr_ctrl Fixes #17549 CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17636) (cherry picked from commit 984cc9a0284ee4800862aa305f9f178827baf459) * scrypt: increase memory usage beyond limit This brings these tests in line with 3.0 and master and makes them fail correctly. Fixes #17612 Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17619) * Prevent crash with engine using different openssl runtime This problem happens usually because an application links libcrypto and/or libssl statically which installs an atexit handler, but later an engine using a shared instance of libcrypto is installed. The problem is in simple words that both instances of libcrypto have an atexit handler installed, but both are unable to coordinate with each other, which causes a crash, typically a use-after-free in the engine's destroy function. Work around that by preventing the engine's libcrypto to install the atexit handler. This may result in a small memory leak, but that memory is still reachable. Fixes #15898 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17541) * Check for presence of 3.x openssl runtime if the newly loaded engine contains the symbol EVP_PKEY_get_base_id, we know it is linked to 3.x openssl. Abort loading this engine, as it will definitely crash. Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17541) * crypto/x509/v3_utl.c: Add missing check for OPENSSL_strndup Since the potential failure of memory allocation, it should be better to check the return value of the OPENSSL_strndup(), like x509v3_add_len_value(). And following the comment of 'if (astrlen < 0)', return -1 if fails. Signed-off-by: Jiasheng Jiang <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17737) (cherry picked from commit 366a16263959c0b6599f0b9ec18124d75560c6ef) * Improve documentation of BIO_FLAGS_BASE64_NO_NL flag. Fixes #12491. Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17744) (cherry picked from commit 8bfb7506d210841f2ee4eda8afe96441a0e33fa5) * Fix NULL pointer dereference for BN_mod_exp2_mont This fixes a bug whereby BN_mod_exp2_mont can dereference a NULL pointer if BIGNUM argument m represents zero. Regression test added. Fixes #17648. Backport from master to 1.1. Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Todd Short <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17787) * VMS: move copy_argc to its own module and make it an aux source copy_argv was never initialization code. Make it self-cleaning too. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17746) * [ssl] Prefer SSL_k(EC)?DHE to the SSL_kE(EC)?DH alias `SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common. (manually cherry picked from commit 66914fc024cfe0fec00dc0f2c7bd8a7957da5ec4) Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from https://github.com/openssl/openssl/pull/17791) * [ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 Fixes #17743 (manually cherry picked from commit b13…

luyahan mentioned this pull request Mar 29, 2021

How to add a new target? #14721

Closed

luyahan added 2 commits March 31, 2021 11:42

Add riscv64 target

b2862c4

Update 10-main.conf

13217cb

luyahan force-pushed the OpenSSL_1_1_1-stable branch from 58e23a7 to 13217cb Compare March 31, 2021 02:43

t8m added branch: 1.1.1 Merge to OpenSSL_1_1_1-stable branch triaged: feature The issue/pr requests/adds a feature labels Mar 31, 2021

t8m added the hold: need otc decision The OTC needs to make a decision label Apr 26, 2021

levitte added hold: need omc decision The OMC needs to make a decision and removed hold: need otc decision The OTC needs to make a decision labels Apr 26, 2021

paulidale mentioned this pull request May 28, 2021

platform policy: add new targets openssl/web#240

Closed

paulidale approved these changes Jun 27, 2021

View reviewed changes

paulidale added approval: review pending This pull request needs review by a committer branch: 1.1.1 Merge to OpenSSL_1_1_1-stable branch and removed branch: 1.1.1 Merge to OpenSSL_1_1_1-stable branch hold: need omc decision The OMC needs to make a decision labels Jun 27, 2021

t8m approved these changes Jun 28, 2021

View reviewed changes

t8m added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Jun 28, 2021

t8m added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Jun 29, 2021

openssl-machine pushed a commit that referenced this pull request Jun 29, 2021

Add riscv64 target

efac3f6

Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #14724)

t8m closed this Jun 29, 2021

luyahan mentioned this pull request Jul 8, 2021

About change in openssl/openssl quictls/openssl#40

Closed

prchander mentioned this pull request Sep 20, 2021

Update to OpenSSL 1.1.1l (#330) prchander/openssl#3

Merged

2 tasks

richardlau mentioned this pull request Jun 1, 2022

End-of-Life dates of Node.js 16 and OpenSSL 1.1.1 do not align nodejs/TSC#1222

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add riscv64 target for OpenSSL_1_1_1 #14724

Add riscv64 target for OpenSSL_1_1_1 #14724

luyahan commented Mar 29, 2021 •

edited

Loading

luyahan commented Mar 31, 2021

t8m commented Mar 31, 2021

slontis commented Apr 8, 2021

slontis commented Apr 8, 2021

paulidale commented Apr 8, 2021

luyahan commented Apr 26, 2021

levitte commented Apr 26, 2021

h-vetinari commented Apr 26, 2021

levitte commented Apr 26, 2021

openssl-machine commented May 27, 2021

openssl-machine commented Jun 27, 2021

paulidale commented Jun 27, 2021

openssl-machine commented Jun 29, 2021

t8m commented Jun 29, 2021

Add riscv64 target for OpenSSL_1_1_1 #14724

Add riscv64 target for OpenSSL_1_1_1 #14724

Conversation

luyahan commented Mar 29, 2021 • edited Loading

luyahan commented Mar 31, 2021

t8m commented Mar 31, 2021

slontis commented Apr 8, 2021

slontis commented Apr 8, 2021

paulidale commented Apr 8, 2021

luyahan commented Apr 26, 2021

levitte commented Apr 26, 2021

h-vetinari commented Apr 26, 2021

levitte commented Apr 26, 2021

openssl-machine commented May 27, 2021

openssl-machine commented Jun 27, 2021

paulidale commented Jun 27, 2021

openssl-machine commented Jun 29, 2021

t8m commented Jun 29, 2021

luyahan commented Mar 29, 2021 •

edited

Loading