diff --git a/backport-APPS-x509-With-CA-but-both-CAserial-and-CAcreateseri.patch b/backport-APPS-x509-With-CA-but-both-CAserial-and-CAcreateseri.patch
new file mode 100644
index 0000000000000000000000000000000000000000..63c03f236119a85a9925a328f2f25c9931e850bb
--- /dev/null
+++ b/backport-APPS-x509-With-CA-but-both-CAserial-and-CAcreateseri.patch
@@ -0,0 +1,187 @@
+From 55eafed6fbefbc1e725bf7b17b2bbca083a457fc Mon Sep 17 00:00:00 2001
+From: "Dr. David von Oheimb"
+Date: Mon, 30 May 2022 16:53:05 +0200
+Subject: [PATCH] APPS/x509: With -CA but both -CAserial and -CAcreateserial
+ not given, use random serial.
+
+Also improve openssl-x509.pod.in and error handling of load_serial() in apps.c.
+Backported from https://github.com/openssl/openssl/pull/18373
+
+Reviewed-by: Hugo Landau
+Reviewed-by: Tomas Mraz
+Reviewed-by: David von Oheimb
+(Merged from https://github.com/openssl/openssl/pull/18803)
+---
+ apps/apps.c | 15 +++++++++++++--
+ apps/apps.h | 9 ++++++---
+ apps/ca.c | 6 ++++--
+ apps/x509.c | 12 ++++++++----
+ doc/man1/x509.pod | 12 +++++++-----
+ 5 files changed, 38 insertions(+), 16 deletions(-)
+
+diff --git a/apps/apps.c b/apps/apps.c
+index db5b48e4cf..f2447fb0be 100644
+--- a/apps/apps.c
++++ b/apps/apps.c
+@@ -1376,7 +1376,8 @@ static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
+ static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
+ #undef BSIZE
+ #define BSIZE 256
+-BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
++BIGNUM *load_serial(const char *serialfile, int *exists, int create,
++ ASN1_INTEGER **retai)
+ {
+ BIO *in = NULL;
+ BIGNUM *ret = NULL;
+@@ -1388,6 +1389,8 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
+ goto err;
+
+ in = BIO_new_file(serialfile, "r");
++ if (exists != NULL)
++ *exists = in != NULL;
+ if (in == NULL) {
+ if (!create) {
+ perror(serialfile);
+@@ -1395,8 +1398,14 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
+ }
+ ERR_clear_error();
+ ret = BN_new();
+- if (ret == NULL || !rand_serial(ret, ai))
++ if (ret == NULL) {
+ BIO_printf(bio_err, "Out of memory\n");
++ } else if (!rand_serial(ret, ai)) {
++ BIO_printf(bio_err, "Error creating random number to store in %s\n",
++ serialfile);
++ BN_free(ret);
++ ret = NULL;
++ }
+ } else {
+ if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
+ BIO_printf(bio_err, "unable to load number from %s\n",
+@@ -1416,6 +1425,8 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
+ ai = NULL;
+ }
+ err:
++ if (ret == NULL)
++ ERR_print_errors(bio_err);
+ BIO_free(in);
+ ASN1_INTEGER_free(ai);
+ return ret;
+diff --git a/apps/apps.h b/apps/apps.h
+index 34c3fd8633..775342b4f3 100644
+--- a/apps/apps.h
++++ b/apps/apps.h
+@@ -527,9 +527,12 @@ typedef struct ca_db_st {
+ } CA_DB;
+
+ void* app_malloc(int sz, const char *what);
+-BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai);
+-int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial,
+- ASN1_INTEGER **retai);
++
++/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
++BIGNUM *load_serial(const char *serialfile, int *exists, int create,
++ ASN1_INTEGER **retai);
++int save_serial(const char *serialfile, const char *suffix,
++ const BIGNUM *serial, ASN1_INTEGER **retai);
+ int rotate_serial(const char *serialfile, const char *new_suffix,
+ const char *old_suffix);
+ int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
+diff --git a/apps/ca.c b/apps/ca.c
+index 390ac37493..ad01bba55a 100755
+--- a/apps/ca.c
++++ b/apps/ca.c
+@@ -842,7 +842,8 @@ end_of_options:
+ goto end;
+ }
+ } else {
+- if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) {
++ serial = load_serial(serialfile, NULL, create_ser, NULL);
++ if (serial == NULL) {
+ BIO_printf(bio_err, "error while loading serial number\n");
+ goto end;
+ }
+@@ -1078,7 +1079,8 @@ end_of_options:
+
+ if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER))
+ != NULL)
+- if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) {
++ if ((crlnumber = load_serial(crlnumberfile, NULL, 0, NULL))
++ == NULL) {
+ BIO_printf(bio_err, "error while loading CRL number\n");
+ goto end;
+ }
+diff --git a/apps/x509.c b/apps/x509.c
+index 1f53504209..67a70e7fea 100644
+--- a/apps/x509.c
++++ b/apps/x509.c
+@@ -400,7 +400,7 @@ int x509_main(int argc, char **argv)
+ aliasout = ++num;
+ break;
+ case OPT_CACREATESERIAL:
+- CA_createserial = ++num;
++ CA_createserial = 1;
+ break;
+ case OPT_CLREXT:
+ clrext = 1;
+@@ -916,6 +916,7 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
+ char *buf = NULL;
+ ASN1_INTEGER *bs = NULL;
+ BIGNUM *serial = NULL;
++ int defaultfile = 0, file_exists;
+
+ if (serialfile == NULL) {
+ const char *p = strrchr(CAfile, '.');
+@@ -925,9 +926,10 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
+ memcpy(buf, CAfile, len);
+ memcpy(buf + len, POSTFIX, sizeof(POSTFIX));
+ serialfile = buf;
++ defaultfile = 1;
+ }
+
+- serial = load_serial(serialfile, create, NULL);
++ serial = load_serial(serialfile, &file_exists, create || defaultfile, NULL);
+ if (serial == NULL)
+ goto end;
+
+@@ -936,8 +938,10 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile,
+ goto end;
+ }
+
+- if (!save_serial(serialfile, NULL, serial, &bs))
+- goto end;
++ if (file_exists || create)
++ save_serial(serialfile, NULL, serial, &bs);
++ else
++ bs = BN_to_ASN1_INTEGER(serial, NULL);
+
+ end:
+ OPENSSL_free(buf);
+diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod
+index 3c9b2f2263..67d131389a 100644
+--- a/doc/man1/x509.pod
++++ b/doc/man1/x509.pod
+@@ -443,13 +443,15 @@ The default filename consists of the CA certificate file base name with
+ ".srl" appended. For example if the CA certificate file is called
+ "mycacert.pem" it expects to find a serial number file called "mycacert.srl".
+
++If the B<-CA> option is specified and both the <-CAserial> and <-CAcreateserial>
++options are not given and the default serial number file does not exist,
++a random number is generated; this is the recommended practice.
++
+ =item B<-CAcreateserial>
+
+-With this option the CA serial number file is created if it does not exist:
+-it will contain the serial number "02" and the certificate being signed will
+-have the 1 as its serial number. If the B<-CA> option is specified
+-and the serial number file does not exist a random number is generated;
+-this is the recommended practice.
++With this option the CA serial number file is created if it does not exist.
++A random number is generated, used for the certificate, and saved into the
++serial number file in that case.
+
+ =item B<-extfile filename>
+
+-- 
+2.17.1
+
diff --git a/backport-Add-missing-header-for-memcmp.patch b/backport-Add-missing-header-for-memcmp.patch
new file mode 100644
index 0000000000000000000000000000000000000000..50ed322cc51be41a7ca9bfbda121a2f473574080
--- /dev/null
+++ b/backport-Add-missing-header-for-memcmp.patch
@@ -0,0 +1,33 @@
+From 60f011f584d80447e86cae1d1bd3ae24bc13235b Mon Sep 17 00:00:00 2001
+From: Gregor Jasny
+Date: Tue, 5 Jul 2022 12:57:06 +0200
+Subject: [PATCH] Add missing header for memcmp
+
+CLA: trivial
+
+Reviewed-by: Paul Dale
+Reviewed-by: Dmitry Belyavskiy
+Reviewed-by: Todd Short
+Reviewed-by: Richard Levitte
+(Merged from https://github.com/openssl/openssl/pull/18719)
+
+(cherry picked from commit f9e578e720bb35228948564192adbe3bc503d5fb)
+---
+ test/v3ext.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/v3ext.c b/test/v3ext.c
+index 386135fed8..7a240cd706 100644
+--- a/test/v3ext.c
++++ b/test/v3ext.c
+@@ -8,6 +8,7 @@
+ */
+
+ #include
++#include
+ #include
+ #include
+ #include
+-- 
+2.17.1
+
diff --git a/backport-Add-test-for-EC_KEY_set_private_key.patch b/backport-Add-test-for-EC_KEY_set_private_key.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c6def396daa5f57737545f83b8c63be4a601d8de
--- /dev/null
+++ b/backport-Add-test-for-EC_KEY_set_private_key.patch
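Review bot: In the x509_load_serial hunk the result of `save_serial(serialfile, NULL, serial, &bs)` is now discarded, whereas the removed lines jumped to `end` on failure; whether a failed write still surfaces as a NULL return depends on save_serial leaving `*retai` untouched on error, which is outside this hunk, so I would keep the check inside that branch: `if (!save_serial(serialfile, NULL, serial, &bs)) goto end;`. The x509.pod hunk also drops the POD formatting code on two option names: `<-CAserial>` and `<-CAcreateserial>` should read `B<-CAserial>` and `B<-CAcreateserial>`, otherwise the literal angle brackets render. The new default-file path intentionally does not persist the random serial when neither option is given, so a one-line comment above `if (file_exists || create)` stating that would stop a later maintainer from "fixing" it. x509_load_serial continues outside the hunk.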
@@ -0,0 +1,71 @@
+From 1c2f52bed3ebee6222cf078278074c72717df4ec Mon Sep 17 00:00:00 2001
+From: Roberto Hueso Gomez
+Date: Mon, 1 Aug 2022 02:08:47 +0200
+Subject: [PATCH] Add test for EC_KEY_set_private_key()
+
+This tests the behavior and API of the EC_KEY_set_private_key function.
+It tests compliance with legacy features related to NULL private keys
+too.
+
+Reviewed-by: Nicola Tuveri
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/18874)
+---
+ test/ec_internal_test.c | 34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
+index 45a36ab94a..4da842a8a7 100644
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -183,6 +183,39 @@ static int field_tests_default(int n)
+ return ret;
+ }
+
++/*
++ * Tests behavior of the EC_KEY_set_private_key
++ */
++static int set_private_key(void)
++{
++ EC_KEY *key = NULL, *aux_key = NULL;
++ int testresult = 0;
++
++ key = EC_KEY_new_by_curve_name(NID_secp224r1);
++ aux_key = EC_KEY_new_by_curve_name(NID_secp224r1);
++ if (!TEST_ptr(key)
++ || !TEST_ptr(aux_key)
++ || !TEST_int_eq(EC_KEY_generate_key(key), 1)
++ || !TEST_int_eq(EC_KEY_generate_key(aux_key), 1))
++ goto err;
++
++ /* Test setting a valid private key */
++ if (!TEST_int_eq(EC_KEY_set_private_key(key, aux_key->priv_key), 1))
++ goto err;
++
++ /* Test compliance with legacy behavior for NULL private keys */
++ if (!TEST_int_eq(EC_KEY_set_private_key(key, NULL), 0)
++ || !TEST_ptr_null(key->priv_key))
++ goto err;
++
++ testresult = 1;
++
++ err:
++ EC_KEY_free(key);
++ EC_KEY_free(aux_key);
++ return testresult;
++}
++
+ /*
+ * Tests behavior of the decoded_from_explicit_params flag and API
+ */
+@@ -337,6 +370,7 @@ int setup_tests(void)
+ ADD_TEST(field_tests_ec2_simple);
+ #endif
+ ADD_ALL_TESTS(field_tests_default, crv_len);
++ ADD_TEST(set_private_key);
+ ADD_TEST(decoded_flag_test);
+ ADD_ALL_TESTS(ecpkparams_i2d2i_test, crv_len);
+
+-- 
+2.17.1
+
diff --git a/backport-Add-test-for-empty-supported-groups-extension.patch b/backport-Add-test-for-empty-supported-groups-extension.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5e118780cc0579a34b3f7abb23edc01aba9fb9d7
--- /dev/null
+++ b/backport-Add-test-for-empty-supported-groups-extension.patch
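Review bot: The new set_private_key test only checks the return code when the valid key is installed, not that the scalar now held by `key` is the one taken from `aux_key`; adding `|| !TEST_BN_eq(EC_KEY_get0_private_key(key), aux_key->priv_key)` to that condition would make the positive case as strong as the NULL case, which does verify `key->priv_key`. The test reaches into `key->priv_key` and `aux_key->priv_key` directly, which is acceptable in an internal test but ties it to the EC_KEY layout; the public getter would serve for both sides. The leading comment could also say what "legacy behavior" means here, i.e. that a NULL argument clears the key and returns 0, so the expectation is readable without the linked issue.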
@@ -0,0 +1,157 @@
+From c7d6c08290b67cbeef2b4f636f04788ea405520a Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Fri, 29 Apr 2022 17:02:19 +0200
+Subject: [PATCH] Add test for empty supported-groups extension
+
+Reviewed-by: Paul Dale
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/18213)
+---
+ test/recipes/80-test_ssl_new.t | 4 +-
+ test/ssl-tests/16-certstatus.conf | 0
+ test/ssl-tests/30-supported-groups.conf | 54 ++++++++++++++++++++++
+ test/ssl-tests/30-supported-groups.conf.in | 45 ++++++++++++++++++
+ 4 files changed, 102 insertions(+), 1 deletion(-)
+ delete mode 100644 test/ssl-tests/16-certstatus.conf
+ create mode 100644 test/ssl-tests/30-supported-groups.conf
+ create mode 100644 test/ssl-tests/30-supported-groups.conf.in
+
+diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
+index 81d8f59a70..fa62b30850 100644
+--- a/test/recipes/80-test_ssl_new.t
++++ b/test/recipes/80-test_ssl_new.t
+@@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";
+
+ # We hard-code the number of tests to double-check that the globbing above
+ # finds all files as expected.
+-plan tests => 29; # = scalar @conf_srcs
++plan tests => 30; # = scalar @conf_srcs
+
+ # Some test results depend on the configuration of enabled protocols. We only
+ # verify generated sources in the default configuration.
+@@ -70,6 +70,8 @@ my %conf_dependent_tests = (
+ "25-cipher.conf" => disabled("poly1305") || disabled("chacha"),
+ "27-ticket-appdata.conf" => !$is_default_tls,
+ "28-seclevel.conf" => disabled("tls1_2") || $no_ec,
++ "30-supported-groups.conf" => disabled("tls1_2") || disabled("tls1_3")
++ || $no_ec || $no_ec2m
+ );
+
+ # Add your test here if it should be skipped for some compile-time
+diff --git a/test/ssl-tests/16-certstatus.conf b/test/ssl-tests/16-certstatus.conf
+deleted file mode 100644
+index e69de29bb2..0000000000
+diff --git a/test/ssl-tests/30-supported-groups.conf b/test/ssl-tests/30-supported-groups.conf
+new file mode 100644
+index 0000000000..4280db7114
+--- /dev/null
++++ b/test/ssl-tests/30-supported-groups.conf
+@@ -0,0 +1,54 @@
++# Generated with generate_ssl_tests.pl
++
++num_tests = 2
++
++test-0 = 0-Just a sanity test case
++test-1 = 1-Pass with empty groups with TLS1.2
++# ===========================================================
++
++[0-Just a sanity test case]
++ssl_conf = 0-Just a sanity test case-ssl
++
++[0-Just a sanity test case-ssl]
++server = 0-Just a sanity test case-server
++client = 0-Just a sanity test case-client
++
++[0-Just a sanity test case-server]
++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
++CipherString = DEFAULT
++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
++
++[0-Just a sanity test case-client]
++CipherString = DEFAULT
++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
++VerifyMode = Peer
++
++[test-0]
++ExpectedResult = Success
++
++
++# ===========================================================
++
++[1-Pass with empty groups with TLS1.2]
++ssl_conf = 1-Pass with empty groups with TLS1.2-ssl
++
++[1-Pass with empty groups with TLS1.2-ssl]
++server = 1-Pass with empty groups with TLS1.2-server
++client = 1-Pass with empty groups with TLS1.2-client
++
++[1-Pass with empty groups with TLS1.2-server]
++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
++CipherString = DEFAULT
++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
++
++[1-Pass with empty groups with TLS1.2-client]
++CipherString = DEFAULT
++Groups = sect163k1
++MaxProtocol = TLSv1.2
++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
++VerifyMode = Peer
++
++[test-1]
++ExpectedResult = Success
++
++
+diff --git a/test/ssl-tests/30-supported-groups.conf.in b/test/ssl-tests/30-supported-groups.conf.in
+new file mode 100644
+index 0000000000..438a07a11f
+--- /dev/null
++++ b/test/ssl-tests/30-supported-groups.conf.in
+@@ -0,0 +1,45 @@
++# -*- mode: perl; -*-
++# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the OpenSSL license (the "License"). You may not use
++# this file except in compliance with the License. You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++
++## SSL test configurations
++
++package ssltests;
++use OpenSSL::Test::Utils;
++
++our @tests = (
++ {
++ name => "Just a sanity test case",
++ server => { },
++ client => { },
++ test => { "ExpectedResult" => "Success" },
++ },
++);
++
++our @tests_tls1_3 = (
++ {
++ name => "Fail empty groups with TLS1.3",
++ server => { },
++ client => { "Groups" => "sect163k1" },
++ test => { "ExpectedResult" => "ClientFail" },
++ },
++);
++
++our @tests_tls1_2 = (
++ {
++ name => "Pass with empty groups with TLS1.2",
++ server => { },
++ client => { "Groups" => "sect163k1",
++ "MaxProtocol" => "TLSv1.2" },
++ test => { "ExpectedResult" => "Success" },
++ },
++);
++
++push @tests, @tests_tls1_3 unless disabled("tls1_3")
++ || !disabled("ec2m") || disabled("ec");
++push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
+-- 
+2.17.1
+
diff --git a/backport-Check-password-length-only-when-verify-is-enabled.patch b/backport-Check-password-length-only-when-verify-is-enabled.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4196ef1e84f868a10e7514f1098138e1d8a4f6ab
--- /dev/null
+++ b/backport-Check-password-length-only-when-verify-is-enabled.patch
@@ -0,0 +1,30 @@
+From 0a9bb445893b4a98ad1588aef2d14c29e6c4c5e3 Mon Sep 17 00:00:00 2001
+From: Daniel Fiala
+Date: Wed, 16 Mar 2022 07:42:55 +0100
+Subject: [PATCH] Check password length only when verify is enabled.
+
+Fixes #16231.
+
+Reviewed-by: Paul Dale
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/17899)
+---
+ apps/apps.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/apps/apps.c b/apps/apps.c
+index 1a92271595..db5b48e4cf 100644
+--- a/apps/apps.c
++++ b/apps/apps.c
+@@ -307,6 +307,8 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
+ if (cb_data != NULL && cb_data->password != NULL
+ && *(const char*)cb_data->password != '\0')
+ pw_min_len = 1;
++ else if (!verify)
++ pw_min_len = 0;
+ prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
+ if (!prompt) {
+ BIO_printf(bio_err, "Out of memory\n");
+-- 
+2.17.1
+
diff --git a/backport-Do-not-send-an-empty-supported-groups-extension.patch b/backport-Do-not-send-an-empty-supported-groups-extension.patch
new file mode 100644
index 0000000000000000000000000000000000000000..527ffab6fe26c19ea53502600f4e9c96e95814ea
--- /dev/null
+++ b/backport-Do-not-send-an-empty-supported-groups-extension.patch
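Review bot: The new `else if (!verify) pw_min_len = 0;` branch carries no comment saying why a zero minimum is acceptable on this path, and the default minimum it overrides is assigned before the hunk, so the precedence is easy to misread; a line such as `/* only decrypting: accept an empty pass phrase; the minimum length applies when a new one is set (verify) */` above the `else if` would record the intent behind #16231. Because the branch hangs off the preceding `if`, a non-empty caller-supplied password still keeps `pw_min_len = 1` regardless of verify, which appears to be what is wanted and is worth stating in the same comment. password_callback starts and ends outside the hunk.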
@@ -0,0 +1,54 @@
+From bd164884f258d99ca876f6cdcdf9bd0dcceee6ad Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Fri, 29 Apr 2022 16:36:36 +0200
+Subject: [PATCH] Do not send an empty supported groups extension
+
+This allows handshake to proceed if the maximum TLS version enabled is <1.3
+
+Fixes #13583
+
+Reviewed-by: Paul Dale
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/18213)
+---
+ CHANGES | 24 ++++++++++++++----------
+ ssl/statem/extensions_clnt.c | 16 +++++++++++++++-
+ 2 files changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 9d38ac23b5..036a9b3c48 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -118,6 +118,8 @@ static int use_ecc(SSL *s)
+ int i, end, ret = 0;
+ unsigned long alg_k, alg_a;
+ STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
++ const uint16_t *pgroups = NULL;
++ size_t num_groups, j;
+
+ /* See if we support any ECC ciphersuites */
+ if (s->version == SSL3_VERSION)
+@@ -139,7 +141,19 @@ static int use_ecc(SSL *s)
+ }
+
+ sk_SSL_CIPHER_free(cipher_stack);
+- return ret;
++ if (!ret)
++ return 0;
++
++ /* Check we have at least one EC supported group */
++ tls1_get_supported_groups(s, &pgroups, &num_groups);
++ for (j = 0; j < num_groups; j++) {
++ uint16_t ctmp = pgroups[j];
++
++ if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
++ return 1;
++ }
++
++ return 0;
+ }
+
+ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
+-- 
+2.17.1
+
diff --git a/backport-Fix-Coverity-1201763-uninitialised-pointer-read.patch b/backport-Fix-Coverity-1201763-uninitialised-pointer-read.patch
new file mode 100644
index 0000000000000000000000000000000000000000..aa1406f0adabb7f1af40a7a474505b8cee013693
--- /dev/null
+++ b/backport-Fix-Coverity-1201763-uninitialised-pointer-read.patch
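Review bot: In use_ecc, `num_groups` is declared without an initialiser and is only assigned through the out-parameter of `tls1_get_supported_groups`; writing `size_t num_groups = 0, j;` costs nothing and keeps the loop bound defined should that helper ever return without setting it. The final `return 0` is reached only when ECC cipher suites are enabled but no group passes `tls_curve_allowed`, which is exactly the case the commit wants to stop advertising, so a comment such as `/* ECC suites but no usable group: do not advertise an empty list */` above it would make that explicit. The patch's diffstat lists `CHANGES | 24` but the body carries no CHANGES hunk, so the stat no longer describes what the patch applies; harmless for git am, but misleading to a reader. use_ecc begins before this hunk.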
@@ -0,0 +1,37 @@
+From ad24941228eafe59fe3807d1659585c4d98eac97 Mon Sep 17 00:00:00 2001
+From: Pauli
+Date: Wed, 16 Mar 2022 13:48:27 +1100
+Subject: [PATCH] Fix Coverity 1201763 uninitialised pointer read
+
+Reviewed-by: Shane Lontis
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/17890)
+
+(cherry picked from commit a0238b7ed87998c48b1c92bad7fa82dcbba507f9)
+---
+ crypto/bn/bn_exp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
+index 9531acfc3c..451e88ac3c 100644
+--- a/crypto/bn/bn_exp.c
++++ b/crypto/bn/bn_exp.c
+@@ -188,13 +188,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ return ret;
+ }
+
++ BN_RECP_CTX_init(&recp);
++
+ BN_CTX_start(ctx);
+ aa = BN_CTX_get(ctx);
+ val[0] = BN_CTX_get(ctx);
+ if (val[0] == NULL)
+ goto err;
+
+- BN_RECP_CTX_init(&recp);
+ if (m->neg) {
+ /* ignore sign of 'm' */
+ if (!BN_copy(aa, m))
+-- 
+2.17.1
+
diff --git a/backport-Fix-Coverity-1498611-1498608-uninitialised-read.patch b/backport-Fix-Coverity-1498611-1498608-uninitialised-read.patch
new file mode 100644
index 0000000000000000000000000000000000000000..865ffa3b78b30f55f8ec29639b914610f7de35fb
--- /dev/null
+++ b/backport-Fix-Coverity-1498611-1498608-uninitialised-read.patch
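Review bot: The moved `BN_RECP_CTX_init(&recp)` now runs before the first `goto err` in the function, which is presumably what makes the cleanup at `err:` (outside this hunk, likely a `BN_RECP_CTX_free(&recp)`) safe on the `val[0] == NULL` path, but the hunk leaves that reason unstated. A comment on the moved line, `/* must precede any goto err so the cleanup path can free recp */`, would stop it drifting back below the allocation in a later refactor. BN_mod_exp_recp continues outside the hunk.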
@@ -0,0 +1,37 @@
+From cd2471cd797ae5a6355814bb14a176af6a7d883f Mon Sep 17 00:00:00 2001
+From: Pauli
+Date: Wed, 16 Mar 2022 14:21:01 +1100
+Subject: [PATCH] Fix Coverity 1498611 & 1498608: uninitialised read
+
+Reviewed-by: Shane Lontis
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/17893)
+
+(cherry picked from commit 09134f183f76539aa1294adfef10fcc694e90267)
+---
+ ssl/ssl_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 9c411a3293..7383badce3 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2084,6 +2084,7 @@ int SSL_shutdown(SSL *s)
+ if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
+ struct ssl_async_args args;
+
++ memset(&args, 0, sizeof(args));
+ args.s = s;
+ args.type = OTHERFUNC;
+ args.f.func_other = s->method->ssl_shutdown;
+@@ -3709,6 +3710,7 @@ int SSL_do_handshake(SSL *s)
+ if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
+ struct ssl_async_args args;
+
++ memset(&args, 0, sizeof(args));
+ args.s = s;
+
+ ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
+-- 
+2.17.1
+
diff --git a/backport-Fix-EC_KEY_set_private_key-priv_key-regression.patch b/backport-Fix-EC_KEY_set_private_key-priv_key-regression.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a0354a90fb6fd4fbfd4094c9bf329805098263f0
--- /dev/null
+++ b/backport-Fix-EC_KEY_set_private_key-priv_key-regression.patch
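Review bot: The two `memset(&args, 0, sizeof(args))` lines zero the struct before only some of its members are assigned, which is the right fix for the SSL_shutdown and SSL_do_handshake reports, but `struct ssl_async_args` is built the same way by the other async entry points in ssl_lib.c that this patch does not touch; whether those set every member, including the union, is not visible here, so it is worth checking them once rather than waiting for the next Coverity id. Style-wise the declaration could carry the initialiser itself, `struct ssl_async_args args = {0};`, but that touches a context line and the explicit memset reads fine. Both enclosing functions start and end outside their hunks.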
@@ -0,0 +1,42 @@
+From 143d7d4c791df8b9051356be51d9f77bc241fe4c Mon Sep 17 00:00:00 2001
+From: Roberto Hueso Gomez
+Date: Tue, 26 Jul 2022 20:41:02 +0200
+Subject: [PATCH] Fix EC_KEY_set_private_key() priv_key regression
+
+This allows to set EC_KEY's private key to NULL and fixes regression
+issue following OTC guideline in
+https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
+
+Fixes #18744.
+
+Reviewed-by: Nicola Tuveri
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/18874)
+---
+ crypto/ec/ec_key.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
+index 3017f0936c..63799002bc 100644
+--- a/crypto/ec/ec_key.c
++++ b/crypto/ec/ec_key.c
+@@ -443,6 +443,16 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
+ && key->meth->set_private(key, priv_key) == 0)
+ return 0;
+
++ /*
++ * Return `0` to comply with legacy behavior for this function, see
++ * https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
++ */
++ if (priv_key == NULL) {
++ BN_clear_free(key->priv_key);
++ key->priv_key = NULL;
++ return 0; /* intentional for legacy compatibility */
++ }
++
+ /*
+ * We should never leak the bit length of the secret scalar in the key,
+ * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
+-- 
+2.17.1
+
diff --git a/backport-Fix-SSL_pending-and-SSL_has_pending-with-DTLS.patch b/backport-Fix-SSL_pending-and-SSL_has_pending-with-DTLS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c39270400fd0eb71b21be3d15055893109838fac
--- /dev/null
+++ b/backport-Fix-SSL_pending-and-SSL_has_pending-with-DTLS.patch
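Review bot: The new NULL branch sits after the `key->meth->set_private(key, priv_key)` call, so a method-supplied setter is invoked with a NULL scalar before the legacy early return; whether every such method tolerates NULL is not visible in this hunk, and a comment recording that the ordering is deliberate (or moving the branch above the call if it is not) would settle it. Returning 0 on a successful clear is commented in the code, but the public documentation for EC_KEY_set_private_key, which this patch does not touch, should state that a NULL argument clears the private key and yields 0, otherwise callers that treat 0 as failure will misreport. `BN_clear_free` is the right call here since it scrubs the old scalar before release. EC_KEY_set_private_key begins before this hunk.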
@@ -0,0 +1,89 @@
+From 01fc812cb0aafc3cfc271303b6646d1c0a86b020 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Mon, 25 Jul 2022 15:59:38 +0100
+Subject: [PATCH] Fix SSL_pending() and SSL_has_pending() with DTLS
+
+If app data is received before a Finished message in DTLS then we buffer
+it to return later. The function SSL_pending() is supposed to tell you
+how much processed app data we have already buffered, and SSL_has_pending()
+is supposed to tell you if we have any data buffered (whether processed or
+not, and whether app data or not).
+
+Neither SSL_pending() or SSL_has_pending() were taking account of this
+DTLS specific app data buffer.
+
+Reviewed-by: Hugo Landau
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/18976)
+---
+ ssl/record/rec_layer_s3.c | 14 +++++++++++++-
+ ssl/ssl_lib.c | 24 +++++++++++++++++++-----
+ 2 files changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 8249b4ace9..23cd4219e9 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -115,10 +115,22 @@ size_t ssl3_pending(const SSL *s)
+ if (s->rlayer.rstate == SSL_ST_READ_BODY)
+ return 0;
+
++ /* Take into account DTLS buffered app data */
++ if (SSL_IS_DTLS(s)) {
++ DTLS1_RECORD_DATA *rdata;
++ pitem *item, *iter;
++
++ iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q);
++ while ((item = pqueue_next(&iter)) != NULL) {
++ rdata = item->data;
++ num += rdata->rrec.length;
++ }
++ }
++
+ for (i = 0; i < RECORD_LAYER_get_numrpipes(&s->rlayer); i++) {
+ if (SSL3_RECORD_get_type(&s->rlayer.rrec[i])
+ != SSL3_RT_APPLICATION_DATA)
+- return 0;
++ return num;
+ num += SSL3_RECORD_get_length(&s->rlayer.rrec[i]);
+ }
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 25a1a44785..47adc3211c 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -1510,12 +1510,26 @@ int SSL_has_pending(const SSL *s)
+ {
+ /*
+ * Similar to SSL_pending() but returns a 1 to indicate that we have
+- * unprocessed data available or 0 otherwise (as opposed to the number of
+- * bytes available). Unlike SSL_pending() this will take into account
+- * read_ahead data. A 1 return simply indicates that we have unprocessed
+- * data. That data may not result in any application data, or we may fail
+- * to parse the records for some reason.
++ * processed or unprocessed data available or 0 otherwise (as opposed to the
++ * number of bytes available). Unlike SSL_pending() this will take into
++ * account read_ahead data. A 1 return simply indicates that we have data.
++ * That data may not result in any application data, or we may fail to parse
++ * the records for some reason.
+ */
++
++ /* Check buffered app data if any first */
++ if (SSL_IS_DTLS(s)) {
++ DTLS1_RECORD_DATA *rdata;
++ pitem *item, *iter;
++
++ iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q);
++ while ((item = pqueue_next(&iter)) != NULL) {
++ rdata = item->data;
++ if (rdata->rrec.length > 0)
++ return 1;
++ }
++ }
++
+ if (RECORD_LAYER_processed_read_pending(&s->rlayer))
+ return 1;
+
+-- 
+2.17.1
+
diff --git a/backport-Fix-a-DTLS-server-hangup-due-to-TLS13_AD_MISSING_EXT.patch b/backport-Fix-a-DTLS-server-hangup-due-to-TLS13_AD_MISSING_EXT.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1229cba6123a6acf9e6c13e338641bfd95d352a8
--- /dev/null
+++ b/backport-Fix-a-DTLS-server-hangup-due-to-TLS13_AD_MISSING_EXT.patch
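Review bot: In ssl3_pending the DTLS buffered-app-data loop is placed after the existing `if (s->rlayer.rstate == SSL_ST_READ_BODY) return 0;`, so buffered DTLS application data is not reported while a record body is mid-read, whereas SSL_has_pending consults the queue before anything else; if that asymmetry is intended a comment on the new block saying so would help, otherwise the block belongs above the early return. The loop dereferences `s->rlayer.d->buffered_app_data.q` and `item->data` without a NULL check, relying on the DTLS record layer always having created the queue and on every queued item carrying a DTLS1_RECORD_DATA; both invariants are established outside this patch and could be named in the comment. ssl3_pending and SSL_has_pending continue outside their hunks.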
@@ -0,0 +1,440 @@ +From 6e73a0a0bd608daecb8e2c1e46de9d1014194c84 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Tue, 12 Apr 2022 08:27:21 +0200 +Subject: [PATCH] Fix a DTLS server hangup due to TLS13_AD_MISSING_EXTENSION + +This causes the DTLS server to enter an error state: + +./openssl s_server -dtls +./openssl s_client -dtls -maxfraglen 512 -sess_out s1.txt +[...] +Q +./openssl s_client -dtls -sess_in s1.txt +CONNECTED(00000003) +^C +./openssl s_client -dtls +CONNECTED(00000003) +140335537067840:error:14102410:SSL routines:dtls1_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_d1.c:614:SSL alert number 40 + +At this point the dtls server needs to be restarted, +because verify_cookie_callback always fails, because +the previous cookie is checked against the current one. +The reason for this is not fully understood. + +In wireshark we see the following each time: +c->s Client Hello (without cookie) +s->c Hello Verify Request (with new cookie) +s->c Alert (Level: Fatal, Description: Handshake Failure) +c->s Client Hello (echoes new cookie) + +The client gives up when the Alert arrives. +The Alert is triggered because the server calls +verify_cookie_callback with the previous cookie, +although it just sent the current cookie in the +Hello Verify Request. + +However this does only happen because no Alert message +is sent when the client re-connects the session with +the missing -maxfraglen option. 
+ +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/18094) +--- + ssl/s3_enc.c | 2 + + ssl/t1_enc.c | 2 + + test/ssl-tests/10-resumption.conf | 121 +++++++++++++++++++++++- + test/ssl-tests/11-dtls_resumption.conf | 124 ++++++++++++++++++++++++- + test/ssl-tests/protocol_version.pm | 63 +++++++++++++ + 5 files changed, 310 insertions(+), 2 deletions(-) + +diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c +index 8a89f512fe..eb1f36ac7e 100644 +--- a/ssl/s3_enc.c ++++ b/ssl/s3_enc.c +@@ -589,6 +589,8 @@ int ssl3_alert_code(int code) + return TLS1_AD_NO_APPLICATION_PROTOCOL; + case SSL_AD_CERTIFICATE_REQUIRED: + return SSL_AD_HANDSHAKE_FAILURE; ++ case SSL_AD_MISSING_EXTENSION: ++ return SSL_AD_HANDSHAKE_FAILURE; + default: + return -1; + } +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index c85c0b0310..2087b274d1 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c +@@ -672,6 +672,8 @@ int tls1_alert_code(int code) + return TLS1_AD_NO_APPLICATION_PROTOCOL; + case SSL_AD_CERTIFICATE_REQUIRED: + return SSL_AD_HANDSHAKE_FAILURE; ++ case SSL_AD_MISSING_EXTENSION: ++ return SSL_AD_HANDSHAKE_FAILURE; + default: + return -1; + } +diff --git a/test/ssl-tests/10-resumption.conf b/test/ssl-tests/10-resumption.conf +index 73de974ab0..a33a1d80e4 100644 +--- a/test/ssl-tests/10-resumption.conf ++++ b/test/ssl-tests/10-resumption.conf +@@ -1,6 +1,6 @@ + # Generated with generate_ssl_tests.pl + +-num_tests = 65 ++num_tests = 68 + + test-0 = 0-resumption + test-1 = 1-resumption +@@ -67,6 +67,9 @@ test-61 = 61-resumption + test-62 = 62-resumption + test-63 = 63-resumption + test-64 = 64-resumption-with-hrr ++test-65 = 65-resumption-when-mfl-ext-is-missing ++test-66 = 66-resumption-when-mfl-ext-is-different ++test-67 = 67-resumption-when-mfl-ext-is-correct + # =========================================================== + + [0-resumption] +@@ -2437,3 +2440,119 @@ Method = TLS + ResumptionExpected = Yes + + ++# 
=========================================================== ++ ++[65-resumption-when-mfl-ext-is-missing] ++ssl_conf = 65-resumption-when-mfl-ext-is-missing-ssl ++ ++[65-resumption-when-mfl-ext-is-missing-ssl] ++server = 65-resumption-when-mfl-ext-is-missing-server ++client = 65-resumption-when-mfl-ext-is-missing-client ++resume-server = 65-resumption-when-mfl-ext-is-missing-server ++resume-client = 65-resumption-when-mfl-ext-is-missing-resume-client ++ ++[65-resumption-when-mfl-ext-is-missing-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[65-resumption-when-mfl-ext-is-missing-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[65-resumption-when-mfl-ext-is-missing-resume-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-65] ++ExpectedResult = ServerFail ++HandshakeMode = Resume ++ResumptionExpected = No ++client = 65-resumption-when-mfl-ext-is-missing-client-extra ++ ++[65-resumption-when-mfl-ext-is-missing-client-extra] ++MaxFragmentLenExt = 512 ++ ++ ++# =========================================================== ++ ++[66-resumption-when-mfl-ext-is-different] ++ssl_conf = 66-resumption-when-mfl-ext-is-different-ssl ++ ++[66-resumption-when-mfl-ext-is-different-ssl] ++server = 66-resumption-when-mfl-ext-is-different-server ++client = 66-resumption-when-mfl-ext-is-different-client ++resume-server = 66-resumption-when-mfl-ext-is-different-server ++resume-client = 66-resumption-when-mfl-ext-is-different-resume-client ++ ++[66-resumption-when-mfl-ext-is-different-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[66-resumption-when-mfl-ext-is-different-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = 
Peer ++ ++[66-resumption-when-mfl-ext-is-different-resume-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-66] ++ExpectedResult = ServerFail ++HandshakeMode = Resume ++ResumptionExpected = No ++client = 66-resumption-when-mfl-ext-is-different-client-extra ++resume-client = 66-resumption-when-mfl-ext-is-different-resume-client-extra ++ ++[66-resumption-when-mfl-ext-is-different-client-extra] ++MaxFragmentLenExt = 512 ++ ++[66-resumption-when-mfl-ext-is-different-resume-client-extra] ++MaxFragmentLenExt = 1024 ++ ++ ++# =========================================================== ++ ++[67-resumption-when-mfl-ext-is-correct] ++ssl_conf = 67-resumption-when-mfl-ext-is-correct-ssl ++ ++[67-resumption-when-mfl-ext-is-correct-ssl] ++server = 67-resumption-when-mfl-ext-is-correct-server ++client = 67-resumption-when-mfl-ext-is-correct-client ++resume-server = 67-resumption-when-mfl-ext-is-correct-server ++resume-client = 67-resumption-when-mfl-ext-is-correct-resume-client ++ ++[67-resumption-when-mfl-ext-is-correct-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[67-resumption-when-mfl-ext-is-correct-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[67-resumption-when-mfl-ext-is-correct-resume-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-67] ++ExpectedResult = Success ++HandshakeMode = Resume ++ResumptionExpected = Yes ++client = 67-resumption-when-mfl-ext-is-correct-client-extra ++resume-client = 67-resumption-when-mfl-ext-is-correct-resume-client-extra ++ ++[67-resumption-when-mfl-ext-is-correct-client-extra] ++MaxFragmentLenExt = 512 ++ ++[67-resumption-when-mfl-ext-is-correct-resume-client-extra] ++MaxFragmentLenExt = 512 ++ ++ +diff --git 
a/test/ssl-tests/11-dtls_resumption.conf b/test/ssl-tests/11-dtls_resumption.conf +index a981fa51df..635279a30f 100644 +--- a/test/ssl-tests/11-dtls_resumption.conf ++++ b/test/ssl-tests/11-dtls_resumption.conf +@@ -1,6 +1,6 @@ + # Generated with generate_ssl_tests.pl + +-num_tests = 16 ++num_tests = 19 + + test-0 = 0-resumption + test-1 = 1-resumption +@@ -18,6 +18,9 @@ test-12 = 12-resumption + test-13 = 13-resumption + test-14 = 14-resumption + test-15 = 15-resumption ++test-16 = 16-resumption-when-mfl-ext-is-missing ++test-17 = 17-resumption-when-mfl-ext-is-different ++test-18 = 18-resumption-when-mfl-ext-is-correct + # =========================================================== + + [0-resumption] +@@ -618,3 +621,122 @@ Method = DTLS + ResumptionExpected = Yes + + ++# =========================================================== ++ ++[16-resumption-when-mfl-ext-is-missing] ++ssl_conf = 16-resumption-when-mfl-ext-is-missing-ssl ++ ++[16-resumption-when-mfl-ext-is-missing-ssl] ++server = 16-resumption-when-mfl-ext-is-missing-server ++client = 16-resumption-when-mfl-ext-is-missing-client ++resume-server = 16-resumption-when-mfl-ext-is-missing-server ++resume-client = 16-resumption-when-mfl-ext-is-missing-resume-client ++ ++[16-resumption-when-mfl-ext-is-missing-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[16-resumption-when-mfl-ext-is-missing-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[16-resumption-when-mfl-ext-is-missing-resume-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-16] ++ExpectedResult = ServerFail ++HandshakeMode = Resume ++Method = DTLS ++ResumptionExpected = No ++client = 16-resumption-when-mfl-ext-is-missing-client-extra ++ ++[16-resumption-when-mfl-ext-is-missing-client-extra] ++MaxFragmentLenExt = 512 ++ ++ ++# 
=========================================================== ++ ++[17-resumption-when-mfl-ext-is-different] ++ssl_conf = 17-resumption-when-mfl-ext-is-different-ssl ++ ++[17-resumption-when-mfl-ext-is-different-ssl] ++server = 17-resumption-when-mfl-ext-is-different-server ++client = 17-resumption-when-mfl-ext-is-different-client ++resume-server = 17-resumption-when-mfl-ext-is-different-server ++resume-client = 17-resumption-when-mfl-ext-is-different-resume-client ++ ++[17-resumption-when-mfl-ext-is-different-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[17-resumption-when-mfl-ext-is-different-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[17-resumption-when-mfl-ext-is-different-resume-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-17] ++ExpectedResult = ServerFail ++HandshakeMode = Resume ++Method = DTLS ++ResumptionExpected = No ++client = 17-resumption-when-mfl-ext-is-different-client-extra ++resume-client = 17-resumption-when-mfl-ext-is-different-resume-client-extra ++ ++[17-resumption-when-mfl-ext-is-different-client-extra] ++MaxFragmentLenExt = 512 ++ ++[17-resumption-when-mfl-ext-is-different-resume-client-extra] ++MaxFragmentLenExt = 1024 ++ ++ ++# =========================================================== ++ ++[18-resumption-when-mfl-ext-is-correct] ++ssl_conf = 18-resumption-when-mfl-ext-is-correct-ssl ++ ++[18-resumption-when-mfl-ext-is-correct-ssl] ++server = 18-resumption-when-mfl-ext-is-correct-server ++client = 18-resumption-when-mfl-ext-is-correct-client ++resume-server = 18-resumption-when-mfl-ext-is-correct-server ++resume-client = 18-resumption-when-mfl-ext-is-correct-resume-client ++ ++[18-resumption-when-mfl-ext-is-correct-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT 
++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[18-resumption-when-mfl-ext-is-correct-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[18-resumption-when-mfl-ext-is-correct-resume-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-18] ++ExpectedResult = Success ++HandshakeMode = Resume ++Method = DTLS ++ResumptionExpected = Yes ++client = 18-resumption-when-mfl-ext-is-correct-client-extra ++resume-client = 18-resumption-when-mfl-ext-is-correct-resume-client-extra ++ ++[18-resumption-when-mfl-ext-is-correct-client-extra] ++MaxFragmentLenExt = 512 ++ ++[18-resumption-when-mfl-ext-is-correct-resume-client-extra] ++MaxFragmentLenExt = 512 ++ ++ +diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm +index 943719e84a..039d782b73 100644 +--- a/test/ssl-tests/protocol_version.pm ++++ b/test/ssl-tests/protocol_version.pm +@@ -265,6 +265,69 @@ sub generate_resumption_tests { + }; + } + ++ push @client_tests, { ++ "name" => "resumption-when-mfl-ext-is-missing", ++ "server" => { ++ }, ++ "client" => { ++ "extra" => { ++ "MaxFragmentLenExt" => 512, ++ }, ++ }, ++ "resume_client" => { ++ }, ++ "test" => { ++ "Method" => $method, ++ "HandshakeMode" => "Resume", ++ "ResumptionExpected" => "No", ++ "ExpectedResult" => "ServerFail", ++ } ++ }; ++ ++ push @client_tests, { ++ "name" => "resumption-when-mfl-ext-is-different", ++ "server" => { ++ }, ++ "client" => { ++ "extra" => { ++ "MaxFragmentLenExt" => 512, ++ }, ++ }, ++ "resume_client" => { ++ "extra" => { ++ "MaxFragmentLenExt" => 1024, ++ }, ++ }, ++ "test" => { ++ "Method" => $method, ++ "HandshakeMode" => "Resume", ++ "ResumptionExpected" => "No", ++ "ExpectedResult" => "ServerFail", ++ } ++ }; ++ ++ push @client_tests, { ++ "name" => "resumption-when-mfl-ext-is-correct", ++ "server" => { ++ }, ++ "client" => { ++ "extra" => { ++ "MaxFragmentLenExt" => 512, 
++ }, ++ }, ++ "resume_client" => { ++ "extra" => { ++ "MaxFragmentLenExt" => 512, ++ }, ++ }, ++ "test" => { ++ "Method" => $method, ++ "HandshakeMode" => "Resume", ++ "ResumptionExpected" => "Yes", ++ "ExpectedResult" => "Success", ++ } ++ }; ++ + return (@server_tests, @client_tests); + } + +-- +2.17.1 + diff --git a/backport-Fix-a-crash-in-X509v3_asid_subset.patch b/backport-Fix-a-crash-in-X509v3_asid_subset.patch new file mode 100644 index 0000000000000000000000000000000000000000..3aaa529bf1533962adf2d2e1fed5b986f336a6af --- /dev/null +++ b/backport-Fix-a-crash-in-X509v3_asid_subset.patch 
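Review bot: In ssl3_alert_code() and tls1_alert_code() the new `case SSL_AD_MISSING_EXTENSION:` duplicates the `return SSL_AD_HANDSHAKE_FAILURE;` of the `case SSL_AD_CERTIFICATE_REQUIRED:` directly above it; folding it into that label, `case SSL_AD_CERTIFICATE_REQUIRED: case SSL_AD_MISSING_EXTENSION: return SSL_AD_HANDSHAKE_FAILURE;`, keeps the pre-TLS1.3 mapping of this alert in one place. A short why-comment would help as well, e.g. `/* No pre-TLS1.3 equivalent; without a mapping no alert is sent (see commit description) */`. The description states that the cookie-mismatch root cause is not fully understood, so the added ssl-tests exercise the resumption paths but not that state; a regression test for the cookie verification behaviour would be reassuring. Both switch statements start and end outside the hunk.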
@@ -0,0 +1,161 @@ +From 8f078819556da83c15751678c39558a59bc746fc Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 9 Jun 2022 16:57:30 +0100 +Subject: [PATCH] Fix a crash in X509v3_asid_subset() + +If the asnum or rdi fields are NULL and the ASIdentifiers are otherwise +subsets then this will result in a crash. Of note is that rdi will usually +be NULL. + +Reported by Theo Buehler (@botovq) + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Yang +Reviewed-by: Todd Short +(Merged from https://github.com/openssl/openssl/pull/18514) + +(cherry picked from commit 01fc9b6bce82f0534d6673659a0e59a71f57ee82) +--- + crypto/x509v3/v3_asid.c | 31 +++++++++++----- + test/v3ext.c | 78 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 100 insertions(+), 9 deletions(-) + +diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c +index ac68572672..9bdc682978 100644 +--- a/crypto/x509v3/v3_asid.c ++++ b/crypto/x509v3/v3_asid.c +@@ -700,15 +700,28 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) + */ + int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) + { +- return (a == NULL || +- a == b || +- (b != NULL && +- !X509v3_asid_inherits(a) && +- !X509v3_asid_inherits(b) && +- asid_contains(b->asnum->u.asIdsOrRanges, +- a->asnum->u.asIdsOrRanges) && +- asid_contains(b->rdi->u.asIdsOrRanges, +- a->rdi->u.asIdsOrRanges))); ++ int subset; ++ ++ if (a == NULL || a == b) ++ return 1; ++ ++ if (b == NULL) ++ return 0; ++ ++ if (X509v3_asid_inherits(a) || X509v3_asid_inherits(b)) ++ return 0; ++ ++ subset = a->asnum == NULL ++ || (b->asnum != NULL ++ && asid_contains(b->asnum->u.asIdsOrRanges, ++ a->asnum->u.asIdsOrRanges)); ++ if (!subset) ++ return 0; ++ ++ return a->rdi == NULL ++ || (b->rdi != NULL ++ && asid_contains(b->rdi->u.asIdsOrRanges, ++ a->rdi->u.asIdsOrRanges)); + } + + /* +diff --git a/test/v3ext.c b/test/v3ext.c +index 14ae49969d..1575e923da 100644 +--- a/test/v3ext.c ++++ b/test/v3ext.c +@@ -37,11 +37,89 @@ end: + return ret; + 
} + ++static int test_asid(void) ++{ ++ ASN1_INTEGER *val1 = NULL, *val2 = NULL; ++ ASIdentifiers *asid1 = ASIdentifiers_new(), *asid2 = ASIdentifiers_new(), ++ *asid3 = ASIdentifiers_new(), *asid4 = ASIdentifiers_new(); ++ int testresult = 0; ++ ++ if (!TEST_ptr(asid1) ++ || !TEST_ptr(asid2) ++ || !TEST_ptr(asid3)) ++ goto err; ++ ++ if (!TEST_ptr(val1 = ASN1_INTEGER_new()) ++ || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496))) ++ goto err; ++ ++ if (!TEST_true(X509v3_asid_add_id_or_range(asid1, V3_ASID_ASNUM, val1, NULL))) ++ goto err; ++ ++ val1 = NULL; ++ if (!TEST_ptr(val2 = ASN1_INTEGER_new()) ++ || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497))) ++ goto err; ++ ++ if (!TEST_true(X509v3_asid_add_id_or_range(asid2, V3_ASID_ASNUM, val2, NULL))) ++ goto err; ++ ++ val2 = NULL; ++ if (!TEST_ptr(val1 = ASN1_INTEGER_new()) ++ || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496)) ++ || !TEST_ptr(val2 = ASN1_INTEGER_new()) ++ || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497))) ++ goto err; ++ ++ /* ++ * Just tests V3_ASID_ASNUM for now. Could be extended at some point to also ++ * test V3_ASID_RDI if we think it is worth it. 
++ */ ++ if (!TEST_true(X509v3_asid_add_id_or_range(asid3, V3_ASID_ASNUM, val1, val2))) ++ goto err; ++ val1 = val2 = NULL; ++ ++ /* Actual subsets */ ++ if (!TEST_true(X509v3_asid_subset(NULL, NULL)) ++ || !TEST_true(X509v3_asid_subset(NULL, asid1)) ++ || !TEST_true(X509v3_asid_subset(asid1, asid1)) ++ || !TEST_true(X509v3_asid_subset(asid2, asid2)) ++ || !TEST_true(X509v3_asid_subset(asid1, asid3)) ++ || !TEST_true(X509v3_asid_subset(asid2, asid3)) ++ || !TEST_true(X509v3_asid_subset(asid3, asid3)) ++ || !TEST_true(X509v3_asid_subset(asid4, asid1)) ++ || !TEST_true(X509v3_asid_subset(asid4, asid2)) ++ || !TEST_true(X509v3_asid_subset(asid4, asid3))) ++ goto err; ++ ++ /* Not subsets */ ++ if (!TEST_false(X509v3_asid_subset(asid1, NULL)) ++ || !TEST_false(X509v3_asid_subset(asid1, asid2)) ++ || !TEST_false(X509v3_asid_subset(asid2, asid1)) ++ || !TEST_false(X509v3_asid_subset(asid3, asid1)) ++ || !TEST_false(X509v3_asid_subset(asid3, asid2)) ++ || !TEST_false(X509v3_asid_subset(asid1, asid4)) ++ || !TEST_false(X509v3_asid_subset(asid2, asid4)) ++ || !TEST_false(X509v3_asid_subset(asid3, asid4))) ++ goto err; ++ ++ testresult = 1; ++ err: ++ ASN1_INTEGER_free(val1); ++ ASN1_INTEGER_free(val2); ++ ASIdentifiers_free(asid1); ++ ASIdentifiers_free(asid2); ++ ASIdentifiers_free(asid3); ++ ASIdentifiers_free(asid4); ++ return testresult; ++} ++ + int setup_tests(void) + { + if (!TEST_ptr(infile = test_get_argument(0))) + return 0; + + ADD_TEST(test_pathlen); ++ ADD_TEST(test_asid); + return 1; + } +-- +2.17.1 + diff --git a/backport-Fix-a-crash-in-asn1_item_embed_new.patch b/backport-Fix-a-crash-in-asn1_item_embed_new.patch new file mode 100644 index 0000000000000000000000000000000000000000..45a35827b7529de23514e726993f3ba36f545f8b --- /dev/null +++ b/backport-Fix-a-crash-in-asn1_item_embed_new.patch 
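Review bot: test_asid() allocates asid4 but the guard `if (!TEST_ptr(asid1) || !TEST_ptr(asid2) || !TEST_ptr(asid3)) goto err;` never checks it, and the asid4 cases would still pass with a NULL asid4 because X509v3_asid_subset() returns 1 for `a == NULL` and 0 for `b == NULL`, so the empty-ASIdentifiers path the fix introduces (`a->asnum == NULL`, `a->rdi == NULL`) could go untested on allocation failure; add `|| !TEST_ptr(asid4)` to that guard. On the library side the rewrite is clearer than the old single expression, but the comment block above the function (outside the hunk) presumably still describes the old semantics and should state that a NULL asnum or rdi on `a` is treated as the empty set, which is always a subset. X509v3_asid_subset() is fully inside the hunk; its leading comment and the rest of test/v3ext.c are not.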
@@ -0,0 +1,93 @@ +From 8e60f41d064786f95440e4c56660ffe9777783d7 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Fri, 20 May 2022 08:02:47 +0200 +Subject: [PATCH] Fix a crash in asn1_item_embed_new + +This happens usually if an template object is created +and there is an out of memory error before the ASN1_OP_NEW_POST +method is called, but asn1_item_embed_free calls now the +ASN1_OP_FREE_POST which may crash because the object is not +properly initialized. Apparently that is only an issue with +the ASN1_OP_FREE_POST handling of crypot/x509/x_crl.c, which +ought to be tolerant to incomplete initialized objects. + +The error can be reproduced with the reproducible error injection patch: + +$ ERROR_INJECT=1652890550 ../util/shlib_wrap.sh ./asn1-test ./corpora/asn1/0ff17293911f54d1538b9896563a4048d67d9ee4 + #0 0x7faae9dbeeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87 + #1 0x408dc4 in my_malloc fuzz/test-corpus.c:114 + #2 0x7faae99f2430 in CRYPTO_zalloc crypto/mem.c:230 + #3 0x7faae97f09e5 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341 + #4 0x7faae98118f7 in asn1_primitive_new crypto/asn1/tasn_new.c:318 + #5 0x7faae9812401 in asn1_item_embed_new crypto/asn1/tasn_new.c:78 + #6 0x7faae9812401 in asn1_template_new crypto/asn1/tasn_new.c:240 + #7 0x7faae9812315 in asn1_item_embed_new crypto/asn1/tasn_new.c:137 + #8 0x7faae9812315 in asn1_template_new crypto/asn1/tasn_new.c:240 + #9 0x7faae9812a54 in asn1_item_embed_new crypto/asn1/tasn_new.c:137 + #10 0x7faae9812a54 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39 + #11 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325 + #12 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611 + #13 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #14 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #15 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #16 0x7faae980d7d3 in asn1_template_ex_d2i 
crypto/asn1/tasn_dec.c:494 + #17 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #18 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124 + #19 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114 + #20 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301 + #21 0x40893b in testfile fuzz/test-corpus.c:182 + #22 0x406b86 in main fuzz/test-corpus.c:226 + #23 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + +AddressSanitizer:DEADLYSIGNAL +================================================================= +==1194==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7faae9b0625f bp 0x7fffffe41a00 sp 0x7fffffe41920 T0) +==1194==The signal is caused by a READ memory access. +==1194==Hint: address points to the zero page. + #0 0x7faae9b0625f in crl_cb crypto/x509/x_crl.c:258 + #1 0x7faae9811255 in asn1_item_embed_free crypto/asn1/tasn_fre.c:113 + #2 0x7faae9812a65 in asn1_item_embed_new crypto/asn1/tasn_new.c:150 + #3 0x7faae9812a65 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39 + #4 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325 + #5 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611 + #6 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #7 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #8 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #9 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494 + #10 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #11 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124 + #12 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114 + #13 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301 + #14 0x40893b in testfile fuzz/test-corpus.c:182 + #15 0x406b86 in main fuzz/test-corpus.c:226 + #16 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + +AddressSanitizer can not provide additional info. 
+SUMMARY: AddressSanitizer: SEGV crypto/x509/x_crl.c:258 in crl_cb +==1194==ABORTING + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/18360) + +(cherry picked from commit 557825acd622f98fc21423aba092e374db84f483) +--- + crypto/x509/x_crl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c +index c9762f9e23..9af39a45fc 100644 +--- a/crypto/x509/x_crl.c ++++ b/crypto/x509/x_crl.c +@@ -255,7 +255,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, + break; + + case ASN1_OP_FREE_POST: +- if (crl->meth->crl_free) { ++ if (crl->meth != NULL && crl->meth->crl_free != NULL) { + if (!crl->meth->crl_free(crl)) + return 0; + } +-- +2.17.1 + diff --git a/backport-Fix-a-crash-in-ssl_security_cert_chain.patch b/backport-Fix-a-crash-in-ssl_security_cert_chain.patch new file mode 100644 index 0000000000000000000000000000000000000000..234a78330d3dd28c922c9130f97dc8686a2974e5 --- /dev/null +++ b/backport-Fix-a-crash-in-ssl_security_cert_chain.patch 
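Review bot: The new `crl->meth != NULL` guard in crl_cb() carries no explanation of when meth can be NULL; suggest `/* meth is unset if ASN1_OP_NEW_POST never ran (e.g. allocation failure mid-construction), yet FREE_POST is still invoked */`, which is the scenario the description gives. If the other operations in this switch (only ASN1_OP_FREE_POST is visible here) also dereference `crl->meth` on objects that may be partially constructed, they need the same check — worth confirming against the full function. crl_cb() starts and ends outside the hunk.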
@@ -0,0 +1,88 @@ +From 4a28f8451fbc1848fd2d1b99203a7c75876123f6 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 22 May 2022 20:12:56 +0200 +Subject: [PATCH] Fix a crash in ssl_security_cert_chain + +Prior to the crash there is an out of memory error +in X509_verify_cert which makes the chain NULL or +empty. The error is ignored by ssl_add_cert_chain, +and ssl_security_cert_chain crashes due to the +unchecked null pointer. + +This is reproducible with my error injection patch. + +The test vector has been validated on the 1.1.1 branch +but the issue is of course identical in all branches. + +$ ERROR_INJECT=1652848273 ../util/shlib_wrap.sh ./server-test ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8# ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8 + #0 0x7f3a8f766eba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87 + #1 0x403ba4 in my_malloc fuzz/test-corpus.c:114 + #2 0x7f3a8f39a430 in CRYPTO_zalloc crypto/mem.c:230 + #3 0x7f3a8f46bd3b in sk_reserve crypto/stack/stack.c:180 + #4 0x7f3a8f46bd3b in OPENSSL_sk_insert crypto/stack/stack.c:242 + #5 0x7f3a8f4a4fd8 in sk_X509_push include/openssl/x509.h:99 + #6 0x7f3a8f4a4fd8 in X509_verify_cert crypto/x509/x509_vfy.c:286 + #7 0x7f3a8fed726e in ssl_add_cert_chain ssl/statem/statem_lib.c:959 + #8 0x7f3a8fed726e in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015 + #9 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812 + #10 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843 + #11 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443 + #12 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718 + #13 0x403202 in FuzzerTestOneInput fuzz/server.c:740 + #14 0x40371b in testfile fuzz/test-corpus.c:182 + #15 0x402856 in main fuzz/test-corpus.c:226 + #16 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + #17 0x402936 (/home/ed/OPC/openssl/fuzz/server-test+0x402936) + 
+AddressSanitizer:DEADLYSIGNAL +================================================================= +==8400==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000158 (pc 0x7f3a8f4d822f bp 0x7ffc39b76190 sp 0x7ffc39b760a0 T0) +==8400==The signal is caused by a READ memory access. +==8400==Hint: address points to the zero page. + #0 0x7f3a8f4d822f in x509v3_cache_extensions crypto/x509v3/v3_purp.c:386 + #1 0x7f3a8f4d9d3a in X509_check_purpose crypto/x509v3/v3_purp.c:84 + #2 0x7f3a8f4da02a in X509_get_extension_flags crypto/x509v3/v3_purp.c:921 + #3 0x7f3a8feff7d2 in ssl_security_cert_sig ssl/t1_lib.c:2518 + #4 0x7f3a8feff7d2 in ssl_security_cert ssl/t1_lib.c:2542 + #5 0x7f3a8feffa03 in ssl_security_cert_chain ssl/t1_lib.c:2562 + #6 0x7f3a8fed728d in ssl_add_cert_chain ssl/statem/statem_lib.c:963 + #7 0x7f3a8fed728d in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015 + #8 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812 + #9 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843 + #10 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443 + #11 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718 + #12 0x403202 in FuzzerTestOneInput fuzz/server.c:740 + #13 0x40371b in testfile fuzz/test-corpus.c:182 + #14 0x402856 in main fuzz/test-corpus.c:226 + #15 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + #16 0x402936 (/home/ed/OPC/openssl/fuzz/server-test+0x402936) + +AddressSanitizer can not provide additional info. 
+SUMMARY: AddressSanitizer: SEGV crypto/x509v3/v3_purp.c:386 in x509v3_cache_extensions +==8400==ABORTING + +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/18376) + +(cherry picked from commit dc0ef292f7df4ce0c49c64b47726a6768f9ac044) +--- + ssl/t1_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index b1d3add187..4de4623a49 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -2555,6 +2555,8 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) + int rv, start_idx, i; + if (x == NULL) { + x = sk_X509_value(sk, 0); ++ if (x == NULL) ++ return ERR_R_INTERNAL_ERROR; + start_idx = 1; + } else + start_idx = 0; +-- +2.17.1 + diff --git a/backport-Fix-a-crash-in-v2i_IPAddrBlocks.patch b/backport-Fix-a-crash-in-v2i_IPAddrBlocks.patch new file mode 100644 index 0000000000000000000000000000000000000000..90f12eab47c49320053c9befe1a38fa1793b09fb --- /dev/null +++ b/backport-Fix-a-crash-in-v2i_IPAddrBlocks.patch 
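Review bot: The added `if (x == NULL) return ERR_R_INTERNAL_ERROR;` in ssl_security_cert_chain() stops the NULL dereference but leaves the cause the description names, ssl_add_cert_chain() ignoring the X509_verify_cert() failure, unaddressed, so the out-of-memory condition still surfaces as an internal error instead of the chain-building failure it was; checking that return value at the call site (outside this hunk) would complete the fix. A one-line comment would help, e.g. `/* sk can be NULL or empty when chain building failed and the caller ignored the error */`, noting that sk_X509_value() returns NULL for a NULL stack as well, so both cases from the description land here. The rest of ssl_security_cert_chain() is outside the hunk.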
@@ -0,0 +1,76 @@ +From 264a3f453c418dc01f4b74928ed2a76a08a65513 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 10 Jun 2022 12:33:45 +0100 +Subject: [PATCH] Fix a crash in v2i_IPAddrBlocks() + +If an IP address prefix value is supplied that is too large then a crash +can result. v2i_IPAddrBlocks() should sanity check the prefix value, as +should X509v3_addr_add_prefix(). + +Reported by Theo Buehler (@botovq) + +Reviewed-by: Tomas Mraz +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/18847) +--- + crypto/x509v3/v3_addr.c | 17 ++++--- + test/v3ext.c | 99 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 111 insertions(+), 5 deletions(-) + +diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c +index ccce34ef2e..f9c368bea4 100644 +--- a/crypto/x509v3/v3_addr.c ++++ b/crypto/x509v3/v3_addr.c +@@ -392,12 +392,14 @@ static int range_should_be_prefix(const unsigned char *min, + /* + * Construct a prefix. 
+ */ +-static int make_addressPrefix(IPAddressOrRange **result, +- unsigned char *addr, const int prefixlen) ++static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, ++ const int prefixlen, const int afilen) + { + int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; + IPAddressOrRange *aor = IPAddressOrRange_new(); + ++ if (prefixlen < 0 || prefixlen > (afilen * 8)) ++ return 0; + if (aor == NULL) + return 0; + aor->type = IPAddressOrRange_addressPrefix; +@@ -437,7 +439,7 @@ static int make_addressRange(IPAddressOrRange **result, + return 0; + + if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) +- return make_addressPrefix(result, min, prefixlen); ++ return make_addressPrefix(result, min, prefixlen, length); + + if ((aor = IPAddressOrRange_new()) == NULL) + return 0; +@@ -599,7 +601,9 @@ int X509v3_addr_add_prefix(IPAddrBlocks *addr, + { + IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); + IPAddressOrRange *aor; +- if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) ++ ++ if (aors == NULL ++ || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi))) + return 0; + if (sk_IPAddressOrRange_push(aors, aor)) + return 1; +@@ -996,7 +1000,10 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, + switch (delim) { + case '/': + prefixlen = (int)strtoul(s + i2, &t, 10); +- if (t == s + i2 || *t != '\0') { ++ if (t == s + i2 ++ || *t != '\0' ++ || prefixlen > (length * 8) ++ || prefixlen < 0) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, + X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); +-- +2.17.1 + diff --git a/backport-Fix-a-memory-leak-in-EC_GROUP_new_from_ecparameters.patch b/backport-Fix-a-memory-leak-in-EC_GROUP_new_from_ecparameters.patch new file mode 100644 index 0000000000000000000000000000000000000000..a0b7d2e3c83cd6bd2bf48e8326cd2af0122b28a6 --- /dev/null +++ b/backport-Fix-a-memory-leak-in-EC_GROUP_new_from_ecparameters.patch 
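Review bot: In make_addressPrefix() the new range check `if (prefixlen < 0 || prefixlen > (afilen * 8)) return 0;` sits after `IPAddressOrRange *aor = IPAddressOrRange_new();`, so every rejected prefix leaks the freshly allocated aor; either move the check above the allocation or return via `IPAddressOrRange_free(aor); return 0;`. In v2i_IPAddrBlocks() the check is applied after `prefixlen = (int)strtoul(s + i2, &t, 10);` has already narrowed the value, so on common platforms with a 64-bit unsigned long an input such as 4294967296 converts to 0 and passes the `prefixlen < 0` / `> (length * 8)` test as a valid /0 prefix (and the out-of-range conversion is implementation-defined); comparing the unsigned long result, together with errno == ERANGE, before the cast closes that gap. v2i_IPAddrBlocks() and the other touched callers start and end outside the hunk.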
@@ -0,0 +1,134 @@ +From 6c8879c8bf6030666c851623f93fff03c1266715 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Wed, 22 Jun 2022 17:05:55 +0200 +Subject: [PATCH] Fix a memory leak in EC_GROUP_new_from_ecparameters + +This can be reproduced with my error injection patch. + +The test vector has been validated on the 1.1.1 branch +but the issue is of course identical in all branches. + +$ ERROR_INJECT=1656112173 ../util/shlib_wrap.sh ./x509-test ./corpora/x509/fe543a8d7e09109a9a08114323eefec802ad79e2 + #0 0x7fb61945eeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87 + #1 0x402f84 in my_malloc fuzz/test-corpus.c:114 + #2 0x7fb619092430 in CRYPTO_zalloc crypto/mem.c:230 + #3 0x7fb618ef7561 in bn_expand_internal crypto/bn/bn_lib.c:280 + #4 0x7fb618ef7561 in bn_expand2 crypto/bn/bn_lib.c:304 + #5 0x7fb618ef819d in BN_bin2bn crypto/bn/bn_lib.c:454 + #6 0x7fb618e7aa13 in asn1_string_to_bn crypto/asn1/a_int.c:503 + #7 0x7fb618e7aa13 in ASN1_INTEGER_to_BN crypto/asn1/a_int.c:559 + #8 0x7fb618fd8e79 in EC_GROUP_new_from_ecparameters crypto/ec/ec_asn1.c:814 + #9 0x7fb618fd98e8 in EC_GROUP_new_from_ecpkparameters crypto/ec/ec_asn1.c:935 + #10 0x7fb618fd9aec in d2i_ECPKParameters crypto/ec/ec_asn1.c:966 + #11 0x7fb618fdace9 in d2i_ECParameters crypto/ec/ec_asn1.c:1184 + #12 0x7fb618fd1fc7 in eckey_type2param crypto/ec/ec_ameth.c:119 + #13 0x7fb618fd57b4 in eckey_pub_decode crypto/ec/ec_ameth.c:165 + #14 0x7fb6191a9c62 in x509_pubkey_decode crypto/x509/x_pubkey.c:124 + #15 0x7fb6191a9e42 in pubkey_cb crypto/x509/x_pubkey.c:46 + #16 0x7fb618eac032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432 + #17 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #18 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #19 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #20 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #21 0x7fb618ead288 in asn1_template_ex_d2i 
crypto/asn1/tasn_dec.c:518 + #22 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #23 0x7fb618eadd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124 + #24 0x7fb618eade35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114 + #25 0x40310c in FuzzerTestOneInput fuzz/x509.c:33 + #26 0x402afb in testfile fuzz/test-corpus.c:182 + #27 0x402656 in main fuzz/test-corpus.c:226 + #28 0x7fb618551f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + #29 0x402756 (/home/ed/OPC/openssl/fuzz/x509-test+0x402756) + +================================================================= +==12221==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 24 byte(s) in 1 object(s) allocated from: + #0 0x7fb61945309f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 0x7fb619092430 in CRYPTO_zalloc crypto/mem.c:230 + #2 0x7fb618ef5f11 in BN_new crypto/bn/bn_lib.c:246 + #3 0x7fb618ef82f4 in BN_bin2bn crypto/bn/bn_lib.c:440 + #4 0x7fb618fd8933 in EC_GROUP_new_from_ecparameters crypto/ec/ec_asn1.c:618 + #5 0x7fb618fd98e8 in EC_GROUP_new_from_ecpkparameters crypto/ec/ec_asn1.c:935 + #6 0x7fb618fd9aec in d2i_ECPKParameters crypto/ec/ec_asn1.c:966 + #7 0x7fb618fdace9 in d2i_ECParameters crypto/ec/ec_asn1.c:1184 + #8 0x7fb618fd1fc7 in eckey_type2param crypto/ec/ec_ameth.c:119 + #9 0x7fb618fd57b4 in eckey_pub_decode crypto/ec/ec_ameth.c:165 + #10 0x7fb6191a9c62 in x509_pubkey_decode crypto/x509/x_pubkey.c:124 + #11 0x7fb6191a9e42 in pubkey_cb crypto/x509/x_pubkey.c:46 + #12 0x7fb618eac032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432 + #13 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #14 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #15 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #16 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #17 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #18 0x7fb618eab9ce in 
asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #19 0x7fb618eadd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124 + #20 0x7fb618eade35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114 + #21 0x40310c in FuzzerTestOneInput fuzz/x509.c:33 + #22 0x402afb in testfile fuzz/test-corpus.c:182 + #23 0x402656 in main fuzz/test-corpus.c:226 + #24 0x7fb618551f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + +Indirect leak of 56 byte(s) in 1 object(s) allocated from: + #0 0x7fb61945309f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 0x7fb619092430 in CRYPTO_zalloc crypto/mem.c:230 + #2 0x7fb618ef7561 in bn_expand_internal crypto/bn/bn_lib.c:280 + #3 0x7fb618ef7561 in bn_expand2 crypto/bn/bn_lib.c:304 + #4 0x7fb618ef819d in BN_bin2bn crypto/bn/bn_lib.c:454 + #5 0x7fb618fd8933 in EC_GROUP_new_from_ecparameters crypto/ec/ec_asn1.c:618 + #6 0x7fb618fd98e8 in EC_GROUP_new_from_ecpkparameters crypto/ec/ec_asn1.c:935 + #7 0x7fb618fd9aec in d2i_ECPKParameters crypto/ec/ec_asn1.c:966 + #8 0x7fb618fdace9 in d2i_ECParameters crypto/ec/ec_asn1.c:1184 + #9 0x7fb618fd1fc7 in eckey_type2param crypto/ec/ec_ameth.c:119 + #10 0x7fb618fd57b4 in eckey_pub_decode crypto/ec/ec_ameth.c:165 + #11 0x7fb6191a9c62 in x509_pubkey_decode crypto/x509/x_pubkey.c:124 + #12 0x7fb6191a9e42 in pubkey_cb crypto/x509/x_pubkey.c:46 + #13 0x7fb618eac032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432 + #14 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #15 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #16 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #17 0x7fb618eacaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #18 0x7fb618ead288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #19 0x7fb618eab9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #20 0x7fb618eadd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124 + #21 0x7fb618eade35 in ASN1_item_d2i 
crypto/asn1/tasn_dec.c:114 + #22 0x40310c in FuzzerTestOneInput fuzz/x509.c:33 + #23 0x402afb in testfile fuzz/test-corpus.c:182 + #24 0x402656 in main fuzz/test-corpus.c:226 + #25 0x7fb618551f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + +SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s). + +Reviewed-by: Tomas Mraz +Reviewed-by: Kurt Roeckx +(Merged from https://github.com/openssl/openssl/pull/18632) +--- + crypto/ec/ec_asn1.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c +index 34de7b2aab..1acbbde3d3 100644 +--- a/crypto/ec/ec_asn1.c ++++ b/crypto/ec/ec_asn1.c +@@ -794,7 +794,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) + } + + /* extract the order */ +- if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) { ++ if (ASN1_INTEGER_to_BN(params->order, a) == NULL) { + ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB); + goto err; + } +@@ -811,7 +811,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) + if (params->cofactor == NULL) { + BN_free(b); + b = NULL; +- } else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) { ++ } else if (ASN1_INTEGER_to_BN(params->cofactor, b) == NULL) { + ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB); + goto err; + } +-- +2.17.1 + diff --git a/backport-Fix-a-memory-leak-in-X509_issuer_and_serial_hash.patch b/backport-Fix-a-memory-leak-in-X509_issuer_and_serial_hash.patch new file mode 100644 index 0000000000000000000000000000000000000000..397b8c6c440569c98312efb5c2a6a33f198e3679 --- /dev/null +++ b/backport-Fix-a-memory-leak-in-X509_issuer_and_serial_hash.patch 
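Review bot: The rewritten `if (ASN1_INTEGER_to_BN(params->order, a) == NULL)` and the cofactor counterpart now discard the return value, which is leak-free only because `a` and `b` are already non-NULL at these points; if either were NULL, ASN1_INTEGER_to_BN() would allocate a fresh BIGNUM that is then dropped. The earlier BN_bin2bn allocation cited at ec_asn1.c:618 in the report suggests that holds, but the start of EC_GROUP_new_from_ecparameters is outside the hunk, so it cannot be confirmed here. A one-line comment would protect the next maintainer: `/* a is non-NULL here, so on success ASN1_INTEGER_to_BN() returns a itself */`, and likewise for `b` in the cofactor branch.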
@@ -0,0 +1,74 @@ +From 59b8eca400d9ea7b77dc98fe08a91bbfe35d025a Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sat, 21 May 2022 15:41:46 +0200 +Subject: [PATCH] Fix a memory leak in X509_issuer_and_serial_hash + +This is reproducible with my error injection patch: + +$ ERROR_INJECT=1653267699 ../util/shlib_wrap.sh ./x509-test ./corpora/x509/5f4034ae85d6587dcad4da3e812e80f3d312894d +ERROR_INJECT=1653267699 + #0 0x7fd485a6ad4f in __sanitizer_print_stack_trace ../../../../src/libsanitizer/asan/asan_stack.cc:36 + #1 0x55c12d268724 in my_malloc fuzz/test-corpus.c:114 + #2 0x7fd484f51a75 in CRYPTO_zalloc crypto/mem.c:230 + #3 0x7fd484ed778d in EVP_DigestInit_ex crypto/evp/digest.c:139 + #4 0x7fd4850a9849 in X509_issuer_and_serial_hash crypto/x509/x509_cmp.c:44 + #5 0x55c12d268951 in FuzzerTestOneInput fuzz/x509.c:44 + #6 0x55c12d268239 in testfile fuzz/test-corpus.c:182 + #7 0x55c12d267c7f in main fuzz/test-corpus.c:226 + #8 0x7fd483a42082 in __libc_start_main ../csu/libc-start.c:308 + #9 0x55c12d267e5d in _start (/home/ed/OPCToolboxV5/Source/Core/OpenSSL/openssl/fuzz/x509-test+0x3e5d) + +================================================================= +==1058475==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 268 byte(s) in 1 object(s) allocated from: + #0 0x7fd485a5dc3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163 + #1 0x7fd484d2eb9b in BUF_MEM_grow crypto/buffer/buffer.c:97 + #2 0x7fd4850b2913 in X509_NAME_oneline crypto/x509/x509_obj.c:43 + #3 0x7fd4850a982f in X509_issuer_and_serial_hash crypto/x509/x509_cmp.c:41 + #4 0x55c12d268951 in FuzzerTestOneInput fuzz/x509.c:44 + #5 0x55c12d268239 in testfile fuzz/test-corpus.c:182 + #6 0x55c12d267c7f in main fuzz/test-corpus.c:226 + #7 0x7fd483a42082 in __libc_start_main ../csu/libc-start.c:308 + +SUMMARY: AddressSanitizer: 268 byte(s) leaked in 1 allocation(s). 
+ +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/18370) +--- + crypto/x509/x509_cmp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c +index 1d8d2d7b28..1661cac634 100644 +--- a/crypto/x509/x509_cmp.c ++++ b/crypto/x509/x509_cmp.c +@@ -34,7 +34,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) + unsigned long ret = 0; + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + unsigned char md[16]; +- char *f; ++ char *f = NULL; + + if (ctx == NULL) + goto err; +@@ -45,7 +45,6 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) + goto err; + if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f))) + goto err; +- OPENSSL_free(f); + if (!EVP_DigestUpdate + (ctx, (unsigned char *)a->cert_info.serialNumber.data, + (unsigned long)a->cert_info.serialNumber.length)) +@@ -56,6 +55,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) + ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) + ) & 0xffffffffL; + err: ++ OPENSSL_free(f); + EVP_MD_CTX_free(ctx); + return ret; + } +-- +2.17.1 + diff --git a/backport-Fix-a-memory-leak-in-crl_set_issuers.patch b/backport-Fix-a-memory-leak-in-crl_set_issuers.patch new file mode 100644 index 0000000000000000000000000000000000000000..803b7276e2721e86265010e2bca30be3e40dd014 --- /dev/null +++ b/backport-Fix-a-memory-leak-in-crl_set_issuers.patch 
@@ -0,0 +1,118 @@ +From 8754fa5f60ac4fdb5127f2eded9c7bbe0651c880 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sat, 21 May 2022 07:50:46 +0200 +Subject: [PATCH] Fix a memory leak in crl_set_issuers + +This can be reproduced with my error injection patch. + +The test vector has been validated on the 1.1.1 branch +but the issue is of course identical in all branches. + +$ ERROR_INJECT=1653520461 ../util/shlib_wrap.sh ./cms-test ./corpora/cms/3eff1d2f1232bd66d5635db2c3f9e7f23830dfd1 +log file: cms-3eff1d2f1232bd66d5635db2c3f9e7f23830dfd1-32454-test.out +ERROR_INJECT=1653520461 + #0 0x7fd5d8b8eeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87 + #1 0x402fc4 in my_realloc fuzz/test-corpus.c:129 + #2 0x7fd5d8893c49 in sk_reserve crypto/stack/stack.c:198 + #3 0x7fd5d8893c49 in OPENSSL_sk_insert crypto/stack/stack.c:242 + #4 0x7fd5d88d6d7f in sk_GENERAL_NAMES_push include/openssl/x509v3.h:168 + #5 0x7fd5d88d6d7f in crl_set_issuers crypto/x509/x_crl.c:111 + #6 0x7fd5d88d6d7f in crl_cb crypto/x509/x_crl.c:246 + #7 0x7fd5d85dc032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432 + #8 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #9 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #10 0x7fd5d85db2b5 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:259 + #11 0x7fd5d85dc813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611 + #12 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #13 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #14 0x7fd5d85dca28 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:633 + #15 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #16 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #17 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #18 0x7fd5d85dd7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494 + #19 0x7fd5d85db9ce in asn1_item_embed_d2i 
crypto/asn1/tasn_dec.c:382 + #20 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124 + #21 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114 + #22 0x7fd5d85a77e0 in ASN1_item_d2i_bio crypto/asn1/a_d2i_fp.c:69 + #23 0x402845 in FuzzerTestOneInput fuzz/cms.c:43 + #24 0x402bbb in testfile fuzz/test-corpus.c:182 + #25 0x402626 in main fuzz/test-corpus.c:226 + #26 0x7fd5d7c81f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + #27 0x402706 (/home/ed/OPC/openssl/fuzz/cms-test+0x402706) + +================================================================= +==29625==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 32 byte(s) in 1 object(s) allocated from: + #0 0x7fd5d8b8309f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 0x7fd5d87c2430 in CRYPTO_zalloc crypto/mem.c:230 + #2 0x7fd5d889501f in OPENSSL_sk_new_reserve crypto/stack/stack.c:209 + #3 0x7fd5d85dcbc3 in sk_ASN1_VALUE_new_null include/openssl/asn1t.h:928 + #4 0x7fd5d85dcbc3 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:577 + #5 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #6 0x7fd5d85db104 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:178 + #7 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124 + #8 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114 + #9 0x7fd5d88f86d9 in X509V3_EXT_d2i crypto/x509v3/v3_lib.c:142 + #10 0x7fd5d88d6d3c in crl_set_issuers crypto/x509/x_crl.c:97 + #11 0x7fd5d88d6d3c in crl_cb crypto/x509/x_crl.c:246 + #12 0x7fd5d85dc032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432 + #13 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #14 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #15 0x7fd5d85db2b5 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:259 + #16 0x7fd5d85dc813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611 + #17 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #18 0x7fd5d85db9ce in 
asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #19 0x7fd5d85dca28 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:633 + #20 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518 + #21 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #22 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643 + #23 0x7fd5d85dd7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494 + #24 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382 + #25 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124 + #26 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114 + #27 0x7fd5d85a77e0 in ASN1_item_d2i_bio crypto/asn1/a_d2i_fp.c:69 + #28 0x402845 in FuzzerTestOneInput fuzz/cms.c:43 + #29 0x402bbb in testfile fuzz/test-corpus.c:182 + #30 0x402626 in main fuzz/test-corpus.c:226 + #31 0x7fd5d7c81f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + +SUMMARY: AddressSanitizer: 32 byte(s) leaked in 1 allocation(s). + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/18391) + +(cherry picked from commit e9007e09792e3735d4973743634ff55d354fc7d8) +--- + crypto/x509/x_crl.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c +index 9af39a45fc..a4e4a415de 100644 +--- a/crypto/x509/x_crl.c ++++ b/crypto/x509/x_crl.c +@@ -103,13 +103,17 @@ static int crl_set_issuers(X509_CRL *crl) + + if (gtmp) { + gens = gtmp; +- if (!crl->issuers) { ++ if (crl->issuers == NULL) { + crl->issuers = sk_GENERAL_NAMES_new_null(); +- if (!crl->issuers) ++ if (crl->issuers == NULL) { ++ GENERAL_NAMES_free(gtmp); + return 0; ++ } + } +- if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) ++ if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) { ++ GENERAL_NAMES_free(gtmp); + return 0; ++ } + } + rev->issuer = gens; + +-- +2.17.1 + 
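Review bot: The two new error paths in crl_set_issuers both expand to `GENERAL_NAMES_free(gtmp); return 0;`, and `gens` has already been pointed at `gtmp` on the line above, so after the free `gens` briefly aliases released memory — harmless because of the immediate return, but fragile if more code is ever added between them. Since crl_set_issuers has further exit points outside this hunk, a single error label that frees `gtmp` would keep this cleanup in one place instead of repeating it per failure, e.g. both blocks becoming `goto err;` with the free at the label. I can only see this part of the function, so whether an `err:` label already exists is unverified.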
diff --git a/backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch b/backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a209f0ed376c3007240f638d31b77b3709f906cf
--- /dev/null
+++ b/backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch
@@ -0,0 +1,61 @@ +From 8e1ece20cdb4a584be5311370256c4e813c09826 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Fri, 20 May 2022 16:15:44 +0200 +Subject: [PATCH] Fix a memory leak in ec_key_simple_oct2priv + +This is reproducible with my error injection patch: + +$ ERROR_INJECT=1652710284 ../util/shlib_wrap.sh ./server-test ./corpora/server/4e48da8aecce6b9b58e8e4dbbf0523e6d2dd56dc +140587884632000:error:03078041:bignum routines:bn_expand_internal:malloc failure:crypto/bn/bn_lib.c:282: +140587884632000:error:10103003:elliptic curve routines:ec_key_simple_oct2priv:BN lib:crypto/ec/ec_key.c:662: +140587884632000:error:100DE08E:elliptic curve routines:old_ec_priv_decode:decode error:crypto/ec/ec_ameth.c:464: +140587884632000:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149: +140587884632000:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_ALGOR +140587884632000:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO +140587884632000:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88: + +================================================================= +==19676==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 24 byte(s) in 1 object(s) allocated from: + #0 0x7fdd2a6bb09f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 0x7fdd2a2fa430 in CRYPTO_zalloc crypto/mem.c:230 + #2 0x7fdd2a15df11 in BN_new crypto/bn/bn_lib.c:246 + #3 0x7fdd2a15df88 in BN_secure_new crypto/bn/bn_lib.c:257 + #4 0x7fdd2a247390 in ec_key_simple_oct2priv crypto/ec/ec_key.c:655 + #5 0x7fdd2a241fc5 in d2i_ECPrivateKey crypto/ec/ec_asn1.c:1030 + #6 0x7fdd2a23dac5 in old_ec_priv_decode crypto/ec/ec_ameth.c:463 + #7 0x7fdd2a109db7 in d2i_PrivateKey crypto/asn1/d2i_pr.c:46 + #8 0x7fdd2a33ab16 in 
PEM_read_bio_PrivateKey crypto/pem/pem_pkey.c:84 + #9 0x7fdd2a3330b6 in PEM_read_bio_ECPrivateKey crypto/pem/pem_all.c:151 + #10 0x402dba in FuzzerTestOneInput fuzz/server.c:592 + #11 0x40370b in testfile fuzz/test-corpus.c:182 + #12 0x402846 in main fuzz/test-corpus.c:226 + #13 0x7fdd297b9f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) + +SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s). + +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/18361) +--- + crypto/ec/ec_key.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c +index 23efbd015c..27d5a43b5f 100644 +--- a/crypto/ec/ec_key.c ++++ b/crypto/ec/ec_key.c +@@ -657,8 +657,7 @@ int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len) + ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE); + return 0; + } +- eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key); +- if (eckey->priv_key == NULL) { ++ if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) { + ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB); + return 0; + } +-- +2.17.1 + diff --git a/backport-Fix-a-memory-leak-in-tls13_generate_secret.patch b/backport-Fix-a-memory-leak-in-tls13_generate_secret.patch new file mode 100644 index 0000000000000000000000000000000000000000..2789d555957e90095661031afbaf3d131a292f8f --- /dev/null +++ b/backport-Fix-a-memory-leak-in-tls13_generate_secret.patch 
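Review bot: After the rewritten `if (BN_bin2bn(buf, len, eckey->priv_key) == NULL)` fails, `eckey->priv_key` is still the BIGNUM obtained from BN_secure_new() a few lines up, so the key object is returned with a non-NULL but never-populated private key alongside the 0 result. Callers that free the EC_KEY on failure are fine, but any caller that keeps using the object would now see it as holding a private key; clearing the field on this path avoids that: `BN_clear_free(eckey->priv_key); eckey->priv_key = NULL;` before `return 0;`. Whether any caller continues after a failure here is not visible in this hunk, and the function starts outside it.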
@@ -0,0 +1,117 @@ +From a937806043bda5775091844050e8c632a41922ac Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Tue, 5 Jul 2022 20:39:06 +0200 +Subject: [PATCH] Fix a memory leak in tls13_generate_secret + +This was found by my Reproducible Error Injection patch (#18356) + +Due to the exact location of the injected memory +error the sha256 digest is missing, and this causes much later +the memory leak (and a failed assertion) in tls13_generate_secret. + +But the reproduction is a bit challenging, as it requires AESNI +and RDRAND capability. + +OPENSSL_ia32cap=0x4200000000000000 ERROR_INJECT=1657070330 ../util/shlib_wrap.sh ./client-test ./corpora/client/791afc153e17db072175eeef85385a38d7f6d194 + #0 0x7fceaffb7d4f in __sanitizer_print_stack_trace ../../../../src/libsanitizer/asan/asan_stack.cc:36 + #1 0x55fb9117f934 in my_malloc fuzz/test-corpus.c:114 + #2 0x7fceafa147f3 in OPENSSL_LH_insert crypto/lhash/lhash.c:109 + #3 0x7fceafa42639 in lh_OBJ_NAME_insert crypto/objects/obj_local.h:12 + #4 0x7fceafa42639 in OBJ_NAME_add crypto/objects/o_names.c:236 + #5 0x7fceaf9f7baa in EVP_add_digest crypto/evp/names.c:39 + #6 0x7fceaf9c6b97 in openssl_add_all_digests_int crypto/evp/c_alld.c:39 + #7 0x7fceafa0f8ec in ossl_init_add_all_digests crypto/init.c:275 + #8 0x7fceafa0f8ec in ossl_init_add_all_digests_ossl_ crypto/init.c:264 + #9 0x7fceaf69b4de in __pthread_once_slow /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_once.c:116 + #10 0x7fceafafb27c in CRYPTO_THREAD_run_once crypto/threads_pthread.c:118 + #11 0x7fceafa1000e in OPENSSL_init_crypto crypto/init.c:677 + #12 0x7fceafa1000e in OPENSSL_init_crypto crypto/init.c:611 + #13 0x7fceafdad3e8 in OPENSSL_init_ssl ssl/ssl_init.c:190 + #14 0x55fb9117ee0f in FuzzerInitialize fuzz/client.c:46 + #15 0x55fb9117e939 in main fuzz/test-corpus.c:194 + #16 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308 + #17 0x55fb9117ec7d in _start (.../openssl/fuzz/client-test+0x2c7d) + + #0 0x7fceaffb7d4f in 
__sanitizer_print_stack_trace ../../../../src/libsanitizer/asan/asan_stack.cc:36 + #1 0x55fb9117f934 in my_malloc fuzz/test-corpus.c:114 + #2 0x7fceafa147f3 in OPENSSL_LH_insert crypto/lhash/lhash.c:109 + #3 0x7fceafa42639 in lh_OBJ_NAME_insert crypto/objects/obj_local.h:12 + #4 0x7fceafa42639 in OBJ_NAME_add crypto/objects/o_names.c:236 + #5 0x7fceaf9f7baa in EVP_add_digest crypto/evp/names.c:39 + #6 0x7fceafdad328 in ossl_init_ssl_base ssl/ssl_init.c:87 + #7 0x7fceafdad328 in ossl_init_ssl_base_ossl_ ssl/ssl_init.c:24 + #8 0x7fceaf69b4de in __pthread_once_slow /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_once.c:116 + #9 0x7fceafafb27c in CRYPTO_THREAD_run_once crypto/threads_pthread.c:118 + #10 0x7fceafdad412 in OPENSSL_init_ssl ssl/ssl_init.c:193 + #11 0x55fb9117ee0f in FuzzerInitialize fuzz/client.c:46 + #12 0x55fb9117e939 in main fuzz/test-corpus.c:194 + #13 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308 + #14 0x55fb9117ec7d in _start (.../openssl/fuzz/client-test+0x2c7d) + +================================================================= +==1320996==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 80 byte(s) in 1 object(s) allocated from: + #0 0x7fceaffaa808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 + #1 0x7fceafa19425 in CRYPTO_zalloc crypto/mem.c:230 + #2 0x7fceafa03a85 in int_ctx_new crypto/evp/pmeth_lib.c:144 + #3 0x7fceafa03a85 in EVP_PKEY_CTX_new_id crypto/evp/pmeth_lib.c:250 + #4 0x7fceafe38de5 in tls13_generate_secret ssl/tls13_enc.c:174 + #5 0x7fceafd9537f in ssl_derive ssl/s3_lib.c:4833 + #6 0x7fceafdde91c in tls_parse_stoc_key_share ssl/statem/extensions_clnt.c:1902 + #7 0x7fceafdd4ac1 in tls_parse_all_extensions ssl/statem/extensions.c:752 + #8 0x7fceafdf8079 in tls_process_server_hello ssl/statem/statem_clnt.c:1698 + #9 0x7fceafe01f87 in ossl_statem_client_process_message ssl/statem/statem_clnt.c:1034 + #10 0x7fceafdeec0d in read_state_machine ssl/statem/statem.c:636 + #11 
0x7fceafdeec0d in state_machine ssl/statem/statem.c:434 + #12 0x7fceafdb88d7 in SSL_do_handshake ssl/ssl_lib.c:3718 + #13 0x55fb9117f07c in FuzzerTestOneInput fuzz/client.c:98 + #14 0x55fb9117f463 in testfile fuzz/test-corpus.c:182 + #15 0x55fb9117eb92 in main fuzz/test-corpus.c:226 + #16 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308 + +Indirect leak of 1080 byte(s) in 1 object(s) allocated from: + #0 0x7fceaffaa808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 + #1 0x7fceafa19425 in CRYPTO_zalloc crypto/mem.c:230 + #2 0x7fceafa11555 in pkey_hkdf_init crypto/kdf/hkdf.c:51 + #3 0x7fceafa03b36 in int_ctx_new crypto/evp/pmeth_lib.c:160 + #4 0x7fceafa03b36 in EVP_PKEY_CTX_new_id crypto/evp/pmeth_lib.c:250 + #5 0x7fceafe38de5 in tls13_generate_secret ssl/tls13_enc.c:174 + #6 0x7fceafd9537f in ssl_derive ssl/s3_lib.c:4833 + #7 0x7fceafdde91c in tls_parse_stoc_key_share ssl/statem/extensions_clnt.c:1902 + #8 0x7fceafdd4ac1 in tls_parse_all_extensions ssl/statem/extensions.c:752 + #9 0x7fceafdf8079 in tls_process_server_hello ssl/statem/statem_clnt.c:1698 + #10 0x7fceafe01f87 in ossl_statem_client_process_message ssl/statem/statem_clnt.c:1034 + #11 0x7fceafdeec0d in read_state_machine ssl/statem/statem.c:636 + #12 0x7fceafdeec0d in state_machine ssl/statem/statem.c:434 + #13 0x7fceafdb88d7 in SSL_do_handshake ssl/ssl_lib.c:3718 + #14 0x55fb9117f07c in FuzzerTestOneInput fuzz/client.c:98 + #15 0x55fb9117f463 in testfile fuzz/test-corpus.c:182 + #16 0x55fb9117eb92 in main fuzz/test-corpus.c:226 + #17 0x7fceaf4bc082 in __libc_start_main ../csu/libc-start.c:308 + +SUMMARY: AddressSanitizer: 1160 byte(s) leaked in 2 allocation(s). 
+ +Reviewed-by: Todd Short +Reviewed-by: Shane Lontis +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/18725) +--- + ssl/tls13_enc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c +index b8fb07f210..51ca1050a4 100644 +--- a/ssl/tls13_enc.c ++++ b/ssl/tls13_enc.c +@@ -190,6 +190,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, + if (!ossl_assert(mdleni >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, + ERR_R_INTERNAL_ERROR); ++ EVP_PKEY_CTX_free(pctx); + return 0; + } + mdlen = (size_t)mdleni; +-- +2.17.1 + diff --git a/backport-Fix-an-assertion-in-the-DTLS-server-code.patch b/backport-Fix-an-assertion-in-the-DTLS-server-code.patch new file mode 100644 index 0000000000000000000000000000000000000000..0f75a9f665c7a80eaca02839970b4af27288a389 --- /dev/null +++ b/backport-Fix-an-assertion-in-the-DTLS-server-code.patch 
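Review bot: The added `EVP_PKEY_CTX_free(pctx);` fixes this one exit, but tls13_generate_secret (which starts and ends outside the hunk) appears to release `pctx` per error branch rather than at a single cleanup point, so any other early `return 0` between the EVP_PKEY_CTX_new_id() call at tls13_enc.c:174 named in the leak report and the final free has the same exposure. Routing the error exits through a shared `err:` label that frees `pctx` unconditionally would make this class of leak unreachable instead of fixing one instance. The surrounding structure is inferred from the report, so treat this as something to verify against the full function.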
@@ -0,0 +1,145 @@ +From 564a8d442cbd8ce68d452ff2e8a58c0aea6b0632 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Mon, 11 Apr 2022 10:12:48 +0200 +Subject: [PATCH] Fix an assertion in the DTLS server code + +This fixes an internal error alert from the server and +an unexpected connection failure in the release version, +but a failed assertion and a server crash in the +debug version. + +Reproduce this issue with a DTLS server/client like that: + +./openssl s_server -dtls -mtu 1500 +./openssl s_client -dtls -maxfraglen 512 + +In the debug version a crash happens in the Server now: + +./openssl s_server -dtls -mtu 1500 +Using default temp DH parameters +ACCEPT +ssl/statem/statem_dtls.c:269: OpenSSL internal error: Assertion failed: len == written +Aborted (core dumped) + +While in the release version the handshake exceeds the +negotiated max fragment size, and fails because of this: + +$ ./openssl s_server -dtls -mtu 1500 +Using default temp DH parameters +ACCEPT +ERROR +4057152ADA7F0000:error:0A0000C2:SSL routines:do_dtls1_write:exceeds max fragment size:ssl/record/rec_layer_d1.c:826: +shutting down SSL +CONNECTION CLOSED + +From the client's point of view the connection fails +with an Internal Error Alert: + +$ ./openssl s_client -dtls -maxfraglen 512 +Connecting to ::1 +CONNECTED(00000003) +40B76343377F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_d1.c:613:SSL alert number 80 + +and now the connection attempt fails unexpectedly. 
+ +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/18093) + +(cherry picked from commit e915c3f5381cd38ebdc1824c3ba9896ea7160103) +--- + ssl/statem/statem_dtls.c | 6 ++--- + test/dtls_mtu_test.c | 48 +++++++++++++++++++++++++++++++++++++++- + 2 files changed, 50 insertions(+), 4 deletions(-) + +diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c +index 8e3fb686ee..620367ace4 100644 +--- a/ssl/statem/statem_dtls.c ++++ b/ssl/statem/statem_dtls.c +@@ -218,8 +218,8 @@ int dtls1_do_write(SSL *s, int type) + else + len = s->init_num; + +- if (len > s->max_send_fragment) +- len = s->max_send_fragment; ++ if (len > ssl_get_max_send_fragment(s)) ++ len = ssl_get_max_send_fragment(s); + + /* + * XDTLS: this function is too long. split out the CCS part +@@ -241,7 +241,7 @@ int dtls1_do_write(SSL *s, int type) + + ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len, + &written); +- if (ret < 0) { ++ if (ret <= 0) { + /* + * might need to update MTU here, but we don't know which + * previous packet caused the failure -- so can't really +diff --git a/test/dtls_mtu_test.c b/test/dtls_mtu_test.c +index f20edf02d2..9b69e80a62 100644 +--- a/test/dtls_mtu_test.c ++++ b/test/dtls_mtu_test.c +@@ -185,12 +185,58 @@ static int run_mtu_tests(void) + + end: + SSL_CTX_free(ctx); +- bio_s_mempacket_test_free(); + return ret; + } + ++static int test_server_mtu_larger_than_max_fragment_length(void) ++{ ++ SSL_CTX *ctx = NULL; ++ SSL *srvr_ssl = NULL, *clnt_ssl = NULL; ++ int rv = 0; ++ ++ if (!TEST_ptr(ctx = SSL_CTX_new(DTLS_method()))) ++ goto end; ++ ++ SSL_CTX_set_psk_server_callback(ctx, srvr_psk_callback); ++ SSL_CTX_set_psk_client_callback(ctx, clnt_psk_callback); ++ ++#ifndef OPENSSL_NO_DH ++ if (!TEST_true(SSL_CTX_set_dh_auto(ctx, 1))) ++ goto end; ++#endif ++ ++ if (!TEST_true(create_ssl_objects(ctx, ctx, &srvr_ssl, &clnt_ssl, ++ NULL, NULL))) ++ goto end; ++ ++ SSL_set_options(srvr_ssl, 
SSL_OP_NO_QUERY_MTU); ++ if (!TEST_true(DTLS_set_link_mtu(srvr_ssl, 1500))) ++ goto end; ++ ++ SSL_set_tlsext_max_fragment_length(clnt_ssl, ++ TLSEXT_max_fragment_length_512); ++ ++ if (!TEST_true(create_ssl_connection(srvr_ssl, clnt_ssl, ++ SSL_ERROR_NONE))) ++ goto end; ++ ++ rv = 1; ++ ++ end: ++ SSL_free(clnt_ssl); ++ SSL_free(srvr_ssl); ++ SSL_CTX_free(ctx); ++ return rv; ++} ++ + int setup_tests(void) + { + ADD_TEST(run_mtu_tests); ++ ADD_TEST(test_server_mtu_larger_than_max_fragment_length); + return 1; + } ++ ++void cleanup_tests(void) ++{ ++ bio_s_mempacket_test_free(); ++} +-- +2.17.1 + diff --git a/backport-Fix-bn_gcd-code-to-check-return-value-when-calling-B.patch b/backport-Fix-bn_gcd-code-to-check-return-value-when-calling-B.patch new file mode 100644 index 0000000000000000000000000000000000000000..04a597b8d4d1205f21236595755fe5d68a03bb5f --- /dev/null +++ b/backport-Fix-bn_gcd-code-to-check-return-value-when-calling-B.patch 
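Review bot: In the new test_server_mtu_larger_than_max_fragment_length, the call `SSL_set_tlsext_max_fragment_length(clnt_ssl, TLSEXT_max_fragment_length_512);` is the setting the whole test depends on, yet its return value is not checked while every other setup call in the function is wrapped in TEST_true(); a rejected mode would let the test pass without exercising the fix. Wrap it the same way: `if (!TEST_true(SSL_set_tlsext_max_fragment_length(clnt_ssl, TLSEXT_max_fragment_length_512))) goto end;`. In dtls1_do_write, `ssl_get_max_send_fragment(s)` is now evaluated twice back to back in the clamp; a local holding the value would read more clearly and avoid the repeated call.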
@@ -0,0 +1,47 @@ +From 6495cab1c876ad80ce983d848ccaa1dc286a63e1 Mon Sep 17 00:00:00 2001 +From: slontis +Date: Fri, 1 Jul 2022 13:47:11 +1000 +Subject: [PATCH] Fix bn_gcd code to check return value when calling BN_one() + +BN_one() uses the expand function which calls malloc which may fail. +All other places that reference BN_one() check the return value. + +The issue is triggered by a memory allocation failure. +Detected by PR #18355 + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/18697) + +(cherry picked from commit 7fe7cc57af3db1e497877f0329ba17609b2efc8b) +--- + crypto/bn/bn_gcd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c +index 0941f7b97f..c4b7854e1a 100644 +--- a/crypto/bn/bn_gcd.c ++++ b/crypto/bn/bn_gcd.c +@@ -47,7 +47,8 @@ BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in, + if (R == NULL) + goto err; + +- BN_one(X); ++ if (!BN_one(X)) ++ goto err; + BN_zero(Y); + if (BN_copy(B, a) == NULL) + goto err; +@@ -235,7 +236,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in, + if (R == NULL) + goto err; + +- BN_one(X); ++ if (!BN_one(X)) ++ goto err; + BN_zero(Y); + if (BN_copy(B, a) == NULL) + goto err; +-- +2.17.1 + diff --git a/backport-Fix-coverity-1498607-uninitialised-value.patch b/backport-Fix-coverity-1498607-uninitialised-value.patch new file mode 100644 index 0000000000000000000000000000000000000000..7fa05993941be68dede01c1f74350a51406bb9fc --- /dev/null +++ b/backport-Fix-coverity-1498607-uninitialised-value.patch 
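Review bot: The new `if (!BN_one(X)) goto err;` sits directly above an unchecked `BN_zero(Y);`, and a reader will reasonably ask why one is checked and the other is not; the commit message explains that BN_one() goes through the expand path and can fail on allocation, but that reasoning is not in the code. A one-line comment at the first occurrence, `/* BN_one() may expand X and so can fail; BN_zero() does not allocate */`, would preempt the question, provided BN_zero in this tree indeed has no failure path — verify before asserting it. The same comment applies to the second hunk in int_bn_mod_inverse.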
@@ -0,0 +1,29 @@
+From 2f1c42553dbaac97d38657cd1ac1209ef4c11e78 Mon Sep 17 00:00:00 2001
+From: Pauli
+Date: Wed, 16 Mar 2022 14:45:44 +1100
+Subject: [PATCH] Fix coverity 1498607: uninitialised value
+
+Reviewed-by: Tim Hudson
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/17897)
+
+(cherry picked from commit 70cd9a51911e9a4e2f24e29ddd84fa9fcb778b63)
+---
+ crypto/ec/ecp_nistz256.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
+index 5005249b05..43eab75fa7 100644
+--- a/crypto/ec/ecp_nistz256.c
++++ b/crypto/ec/ecp_nistz256.c
+@@ -973,6 +973,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
+ return 0;
+ }
+
++ memset(&p, 0, sizeof(p));
+ BN_CTX_start(ctx);
+
+ if (scalar) {
+--
+2.17.1
+
diff --git a/backport-Fix-integer-overflow-in-evp_EncryptDecryptUpdate.patch b/backport-Fix-integer-overflow-in-evp_EncryptDecryptUpdate.patch
new file mode 100644
index 0000000000000000000000000000000000000000..71df3f04f0dfcbc7f758477c2bc3e9b115a88e79
--- /dev/null
+++ b/backport-Fix-integer-overflow-in-evp_EncryptDecryptUpdate.patch
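Review bot: The added `memset(&p, 0, sizeof(p));` carries no comment, so a later reader cannot tell why the whole aggregate is cleared before `BN_CTX_start` and may be tempted to remove it as redundant. The commit subject is the only record of the reason, so a one-liner above it would preserve that, e.g. `/* Coverity 1498607: clear p up front so no field is read before it is written on any path below */`; which field Coverity flagged is not visible in this hunk, so name it if known. The enclosing ecp_nistz256_points_mul starts and ends outside the hunk.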
@@ -0,0 +1,62 @@ +From eed53b9addd097a5d39f896b05aa857d6f29b245 Mon Sep 17 00:00:00 2001 +From: Hugo Landau +Date: Fri, 11 Mar 2022 08:36:11 +0000 +Subject: [PATCH] Fix integer overflow in evp_EncryptDecryptUpdate + +Fixes #17871. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/17872) +--- + crypto/evp/evp_enc.c | 8 +++++--- + crypto/evp/evp_local.h | 2 +- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index d835968f25..b8b9d90d36 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -281,7 +281,7 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + # define PTRDIFF_T size_t + #endif + +-int is_partially_overlapping(const void *ptr1, const void *ptr2, int len) ++int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len) + { + PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2; + /* +@@ -299,7 +299,8 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl, + const unsigned char *in, int inl) + { +- int i, j, bl, cmpl = inl; ++ int i, j, bl; ++ size_t cmpl = (size_t)inl; + + if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) + cmpl = (cmpl + 7) / 8; +@@ -464,8 +465,9 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) + int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, + const unsigned char *in, int inl) + { +- int fix_len, cmpl = inl; ++ int fix_len; + unsigned int b; ++ size_t cmpl = (size_t)inl; + + /* Prevent accidental use of encryption context when decrypting */ + if (ctx->encrypt) { +diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h +index f1589d6828..cd3c1cf148 100644 +--- a/crypto/evp/evp_local.h ++++ b/crypto/evp/evp_local.h +@@ -65,4 +65,4 @@ struct evp_Encode_Ctx_st { + typedef struct evp_pbe_st EVP_PBE_CTL; + DEFINE_STACK_OF(EVP_PBE_CTL) + +-int is_partially_overlapping(const 
void *ptr1, const void *ptr2, int len); ++int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len); +-- +2.17.1 + diff --git a/backport-Fix-ipv4_from_asc-behavior-on-invalid-Ip-addresses.patch b/backport-Fix-ipv4_from_asc-behavior-on-invalid-Ip-addresses.patch new file mode 100644 index 0000000000000000000000000000000000000000..fec39592c817a115ad5b1996e11d18f076d9137a --- /dev/null +++ b/backport-Fix-ipv4_from_asc-behavior-on-invalid-Ip-addresses.patch @@ -0,0 +1,45 @@ +From 65e30e7d56f01008d29e65c9ae7a42ce074def2f Mon Sep 17 00:00:00 2001 +From: Amir Mohammadi +Date: Wed, 4 Aug 2021 09:43:49 +0430 +Subject: [PATCH] Fix ipv4_from_asc behavior on invalid Ip addresses + +sscanf() call in ipv4_from_asc does not check that +the string is terminated immediately after the last digit. + +(cherry picked from commit 8b9a13b43ba3d71e441fca47a52e800ce79b3d2b) + +Reviewed-by: Tomas Mraz +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/18847) +--- + crypto/x509v3/v3_utl.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c +index a7ff4b4fb4..eac78259fc 100644 +--- a/crypto/x509v3/v3_utl.c ++++ b/crypto/x509v3/v3_utl.c +@@ -1087,12 +1087,17 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc) + + static int ipv4_from_asc(unsigned char *v4, const char *in) + { +- int a0, a1, a2, a3; +- if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) ++ const char *p; ++ int a0, a1, a2, a3, n; ++ ++ if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4) + return 0; + if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) + || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255)) + return 0; ++ p = in + n; ++ if (!(*p == '\0' || ossl_isspace(*p))) ++ return 0; + v4[0] = a0; + v4[1] = a1; + v4[2] = a2; +-- +2.17.1 + 
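Review bot: `cmpl = (size_t)inl` turns a negative `inl` into a value near SIZE_MAX, and the hunk does not show where `inl < 0` is rejected relative to the first use of `cmpl`. If the custom-cipher path calls `is_partially_overlapping(out, in, cmpl)` before the length check, as I recall the 1.1.1 layout does (confirm), a caller passing a negative length is now reported as EVP_R_PARTIALLY_OVERLAPPING instead of an invalid length; rejecting it right after the new casts, `if (inl < 0) { *outl = 0; return 0; }`, makes the size_t conversion unambiguous in both evp_EncryptDecryptUpdate and EVP_DecryptUpdate. The header prototype change matches the definition. Both functions start and end outside the hunk.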
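Review bot: The terminator check only inspects the single character at `in + n`, so after this fix an input like `1.2.3.4 anything` is still accepted because the first trailing character is a space. If the intent, per the related test changes in this series, is to tolerate surrounding whitespace only, skip the whitespace run and then require end of string: `for (p = in + n; ossl_isspace(*p); p++) ;` followed by `if (*p != '\0') return 0;`. Note also that `%d` accepts an explicit sign and leading whitespace, so `+1.2.3.4` passes the range check; if that is unwanted, each octet's first character would need a digit check before the sscanf.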
diff --git a/backport-Fix-issue-where-OBJ_nid2obj-doesn-t-always-raise-an-.patch b/backport-Fix-issue-where-OBJ_nid2obj-doesn-t-always-raise-an-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..681863a8c82e74b1fef5c9ccbd4b636a3335f006
--- /dev/null
+++ b/backport-Fix-issue-where-OBJ_nid2obj-doesn-t-always-raise-an-.patch
@@ -0,0 +1,80 @@ +From add8c29badb315cb8137655893826562ff12a581 Mon Sep 17 00:00:00 2001 +From: Hugo Landau +Date: Thu, 3 Mar 2022 17:27:23 +0000 +Subject: [PATCH] Fix issue where OBJ_nid2obj doesn't always raise an error + +This was previously fixed in 3.0 but not 1.1. + +Fixes #13008. + +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +Reviewed-by: Todd Short +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/17808) +--- + crypto/objects/obj_dat.c | 5 +++-- + test/asn1_internal_test.c | 27 +++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c +index 46006fe6cf..a501ca104b 100644 +--- a/crypto/objects/obj_dat.c ++++ b/crypto/objects/obj_dat.c +@@ -228,9 +228,10 @@ ASN1_OBJECT *OBJ_nid2obj(int n) + return NULL; + } + return (ASN1_OBJECT *)&(nid_objs[n]); +- } else if (added == NULL) ++ } else if (added == NULL) { ++ OBJerr(OBJ_F_OBJ_NID2OBJ, OBJ_R_UNKNOWN_NID); + return NULL; +- else { ++ } else { + ad.type = ADDED_NID; + ad.obj = &ob; + ob.nid = n; +diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c +index 865e058421..caca0cb15e 100644 +--- a/test/asn1_internal_test.c ++++ b/test/asn1_internal_test.c +@@ -107,9 +107,36 @@ static int test_standard_methods(void) + return 0; + } + ++/********************************************************************** ++ * ++ * Regression test for issue where OBJ_nid2obj does not raise ++ * an error when a NID is not registered. 
++ * ++ ***/ ++static int test_nid2obj_nonexist(void) ++{ ++ ASN1_OBJECT *obj; ++ unsigned long err; ++ ++ obj = OBJ_nid2obj(INT_MAX); ++ if (!TEST_true(obj == NULL)) ++ return 0; ++ ++ err = ERR_get_error(); ++ ++ if (!TEST_int_eq(ERR_GET_FUNC(err), OBJ_F_OBJ_NID2OBJ)) ++ return 0; ++ ++ if (!TEST_int_eq(ERR_GET_REASON(err), OBJ_R_UNKNOWN_NID)) ++ return 0; ++ ++ return 1; ++} ++ + int setup_tests(void) + { + ADD_TEST(test_tbl_standard); + ADD_TEST(test_standard_methods); ++ ADD_TEST(test_nid2obj_nonexist); + return 1; + } +-- +2.17.1 + diff --git a/backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch b/backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch new file mode 100644 index 0000000000000000000000000000000000000000..f6319831712820a6f46bdd8c8ec21ee65e3a29e5 --- /dev/null +++ b/backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch 
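Review bot: `test_nid2obj_nonexist` reads `ERR_get_error()` without first emptying the error queue, so a stray error left by an earlier test in the same process would be returned ahead of the one OBJ_nid2obj raised and the TEST_int_eq checks would fail for the wrong reason. An `ERR_clear_error();` before the `OBJ_nid2obj(INT_MAX)` call pins the test to this call's error. The obj_dat.c change itself looks right; the remaining `else` branch (the added-object lookup) ends outside the hunk, so whether its NULL return also raises OBJ_R_UNKNOWN_NID is not visible here.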
@@ -0,0 +1,61 @@ +From 6ef91d8153e04a2302bff11b29caf7e888b62fe8 Mon Sep 17 00:00:00 2001 +From: basavesh +Date: Tue, 5 Apr 2022 17:49:09 +0200 +Subject: [PATCH] Fix leakage when the cacheline is 32-bytes in + CBC_MAC_ROTATE_IN_PLACE + +rotated_mac is a 64-byte aligned buffer of size 64 and rotate_offset is secret. +Consider a weaker leakage model(CL) where only cacheline base address is leaked, +i.e address/32 for 32-byte cacheline(CL32). + +Previous code used to perform two loads + 1. rotated_mac[rotate_offset ^ 32] and + 2. rotated_mac[rotate_offset++] +which would leak 2q + 1, 2q for 0 <= rotate_offset < 32 +and 2q, 2q + 1 for 32 <= rotate_offset < 64 + +The proposed fix performs load operations which will always leak 2q, 2q + 1 and +selects the appropriate value in constant-time. + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/18050) +--- + ssl/record/ssl3_record.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c +index f158544789..69f1a64cb3 100644 +--- a/ssl/record/ssl3_record.c ++++ b/ssl/record/ssl3_record.c +@@ -1532,6 +1532,7 @@ int ssl3_cbc_copy_mac(unsigned char *out, + #if defined(CBC_MAC_ROTATE_IN_PLACE) + unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; + unsigned char *rotated_mac; ++ char aux1, aux2, aux3, mask; + #else + unsigned char rotated_mac[EVP_MAX_MD_SIZE]; + #endif +@@ -1581,9 +1582,16 @@ int ssl3_cbc_copy_mac(unsigned char *out, + #if defined(CBC_MAC_ROTATE_IN_PLACE) + j = 0; + for (i = 0; i < md_size; i++) { +- /* in case cache-line is 32 bytes, touch second line */ +- ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32]; +- out[j++] = rotated_mac[rotate_offset++]; ++ /* ++ * in case cache-line is 32 bytes, ++ * load from both lines and select appropriately ++ */ ++ aux1 = rotated_mac[rotate_offset & ~32]; ++ aux2 = rotated_mac[rotate_offset | 32]; ++ mask = 
constant_time_eq_8(rotate_offset & ~32, rotate_offset); ++ aux3 = constant_time_select_8(mask, aux1, aux2); ++ out[j++] = aux3; ++ rotate_offset++; + rotate_offset &= constant_time_lt_s(rotate_offset, md_size); + } + #else +-- +2.17.1 + diff --git a/backport-Fix-memory-leak-in-X509V3_add1_i2d-when-flag-is-X509.patch b/backport-Fix-memory-leak-in-X509V3_add1_i2d-when-flag-is-X509.patch new file mode 100644 index 0000000000000000000000000000000000000000..a8b4d7e3b1c6bf9bdc8f3e2f59a51fec62df41c8 --- /dev/null +++ b/backport-Fix-memory-leak-in-X509V3_add1_i2d-when-flag-is-X509.patch @@ -0,0 +1,36 @@ +From c3efe5c96128d699f0884128ce905906bc28ed34 Mon Sep 17 00:00:00 2001 +From: Allan +Date: Thu, 7 Jul 2022 16:04:09 -0700 +Subject: [PATCH] Fix memory leak in X509V3_add1_i2d when flag is + X509V3_ADD_DELETE + +Fixes #18677 + +Reviewed-by: Hugo Landau +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/18698) + +(cherry picked from commit 4798e0680b112993815098ca21d7d68ff31ebc6e) +--- + crypto/x509v3/v3_lib.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c +index 97c1cbc20f..d7e7c9a5cb 100644 +--- a/crypto/x509v3/v3_lib.c ++++ b/crypto/x509v3/v3_lib.c +@@ -242,8 +242,10 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, + } + /* If delete, just delete it */ + if (ext_op == X509V3_ADD_DELETE) { +- if (!sk_X509_EXTENSION_delete(*x, extidx)) ++ extmp = sk_X509_EXTENSION_delete(*x, extidx); ++ if (extmp == NULL) + return -1; ++ X509_EXTENSION_free(extmp); + return 1; + } + } else { +-- +2.17.1 + diff --git a/backport-Fix-range_should_be_prefix-to-actually-return-the-co.patch b/backport-Fix-range_should_be_prefix-to-actually-return-the-co.patch new file mode 100644 index 0000000000000000000000000000000000000000..a1235f4baf519ff184d4b09529d7bef4fae7896c --- /dev/null +++ b/backport-Fix-range_should_be_prefix-to-actually-return-the-co.patch 
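Review bot: `aux1`, `aux2`, `aux3` and `mask` are declared plain `char`, but they hold bytes copied from the `unsigned char` buffer `rotated_mac` and the 0x00/0xFF mask returned by `constant_time_eq_8`, and are then handed to `constant_time_select_8`, which takes unsigned char. The round trip through a possibly signed `char` preserves the bit patterns, so the selection is correct, but it adds implicit sign conversions on every iteration for no benefit; `unsigned char aux1, aux2, aux3, mask;` matches the buffer and the constant-time helpers. ssl3_cbc_copy_mac starts and ends outside the hunk.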
@@ -0,0 +1,71 @@ +From a1d80edcf830739131e0567dc03b1e80b7988b1e Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 10 Jun 2022 15:58:58 +0100 +Subject: [PATCH] Fix range_should_be_prefix() to actually return the correct + result + +range_should_be_prefix() was misidentifying whether an IP address range +should in fact be represented as a prefix. This was due to a bug introduced +in commit 42d7d7dd which made this incorrect change: + +- OPENSSL_assert(memcmp(min, max, length) <= 0); ++ if (memcmp(min, max, length) <= 0) ++ return -1; + +This error leads to incorrect DER being encoded/accepted. + +Reported by Theo Buehler (@botovq) + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/18524) + +(cherry picked from commit 30532e59f475e0066c030693e4d614311a9e0cae) +(cherry picked from commit 2c6550c6db9b1b69dc24f968b4ceb534edcf4841) +--- + crypto/x509v3/v3_addr.c | 14 ++++- + test/v3ext.c | 111 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 123 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c +index 4258dbc40c..32f77a2679 100644 +--- a/crypto/x509v3/v3_addr.c ++++ b/crypto/x509v3/v3_addr.c +@@ -13,6 +13,8 @@ + + #include + #include ++#include ++#include + + #include "internal/cryptlib.h" + #include +@@ -342,8 +344,13 @@ static int range_should_be_prefix(const unsigned char *min, + unsigned char mask; + int i, j; + +- if (memcmp(min, max, length) <= 0) +- return -1; ++ /* ++ * It is the responsibility of the caller to confirm min <= max. We don't ++ * use ossl_assert() here since we have no way of signalling an error from ++ * this function - so we just use a plain assert instead. 
++ */ ++ assert(memcmp(min, max, length) <= 0); ++ + for (i = 0; i < length && min[i] == max[i]; i++) ; + for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; + if (i < j) +@@ -426,6 +433,9 @@ static int make_addressRange(IPAddressOrRange **result, + IPAddressOrRange *aor; + int i, prefixlen; + ++ if (memcmp(min, max, length) > 0) ++ return 0; ++ + if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) + return make_addressPrefix(result, min, prefixlen); + +-- +2.17.1 + diff --git a/backport-Fix-re-signing-certificates-with-different-key-sizes.patch b/backport-Fix-re-signing-certificates-with-different-key-sizes.patch new file mode 100644 index 0000000000000000000000000000000000000000..dc15494d3b25a7ee28514f3b74387460aaa2aafe --- /dev/null +++ b/backport-Fix-re-signing-certificates-with-different-key-sizes.patch 
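Review bot: The new `assert(memcmp(min, max, length) <= 0)` disappears under NDEBUG, and the hunk adds the corresponding runtime check only to make_addressRange. If range_should_be_prefix has any other caller — the canonical-form check on decoded extension data comes to mind, but it is not visible here — that caller must already guarantee min <= max, otherwise a release build proceeds past the precondition on certificate-supplied input; worth confirming each call site. The two added `#include` lines have lost their header names in this rendering; presumably one is `<assert.h>`, which the new assert needs. Both changed functions start and end outside their hunks.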
@@ -0,0 +1,131 @@ +From 952fab01bebb15a8408c6ac27b59c28c979f7d49 Mon Sep 17 00:00:00 2001 +From: Todd Short +Date: Wed, 20 Jul 2022 16:42:50 -0400 +Subject: [PATCH] Fix re-signing certificates with different key sizes + +PR #18129 broke the scenario of signing a certificate (not CSR) with +different-sized key. This works in 3.0, so port the fix from 3.0 +(which is to only update the issuer for a request). + +Partially undo #18129, but keep setting the issuer only for a CSR + +Create two certs (a and ca) then sign a with c (into b): +``` +openssl req -x509 -newkey rsa:2048 -keyout a-key.pem -out a-cert.pem -days 365 -nodes -subj /CN=a.example.com +openssl req -x509 -newkey rsa:4096 -keyout ${HERE}/ca-key.pem -out ${HERE}/ca-cert.pem -days 3650 -nodes -subj /CN=ca.example.com +openssl x509 -in a-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial '1234567890' -preserve_dates -sha256 -out b-cert.pem +``` +The above succeeds in 1.1.1n and 3.0, fails in 1.1.1o (which includes #18129) +The issue in #16080 is also fixed. 
+ +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/18836) +--- + apps/x509.c | 4 ++- + test/recipes/25-test_x509.t | 61 ++++++++++++++++++++++++++++++++++++- + 2 files changed, 63 insertions(+), 2 deletions(-) + +diff --git a/apps/x509.c b/apps/x509.c +index 67a70e7fea..8d4bf71a03 100644 +--- a/apps/x509.c ++++ b/apps/x509.c +@@ -590,7 +590,7 @@ int x509_main(int argc, char **argv) + xca = load_cert(CAfile, CAformat, "CA Certificate"); + if (xca == NULL) + goto end; +- if (!X509_set_issuer_name(x, X509_get_subject_name(xca))) ++ if (reqfile && !X509_set_issuer_name(x, X509_get_subject_name(xca))) + goto end; + } + +@@ -993,6 +993,8 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges + goto end; + } + ++ if (!X509_set_issuer_name(x, X509_get_subject_name(xca))) ++ goto end; + if (!X509_set_serialNumber(x, bs)) + goto end; + +diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t +index f5ef0f9963..73548145c8 100644 +--- a/test/recipes/25-test_x509.t ++++ b/test/recipes/25-test_x509.t +@@ -15,7 +15,11 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; + + setup("test_x509"); + +-plan tests => 9; ++plan tests => 16; ++ ++# Prevent MSys2 filename munging for arguments that look like file paths but ++# aren't ++$ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; + + require_ok(srctop_file('test','recipes','tconversion.pl')); + +@@ -46,4 +50,59 @@ subtest 'x509 -- second x.509 v3 certificate' => sub { + + subtest 'x509 -- pathlen' => sub { + ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")]))); ++}; ++ ++# extracts issuer from a -text formatted-output ++sub get_issuer { ++ my $f = shift(@_); ++ my $issuer = ""; ++ open my $fh, $f or die; ++ while (my $line = <$fh>) { ++ if ($line =~ /Issuer:/) { ++ $issuer = $line; ++ } ++ } ++ close $fh; ++ return $issuer; + } ++ ++# Tests for signing certs (broken in 1.1.1o) ++my $a_key = "a-key.pem"; ++my $a_cert 
= "a-cert.pem"; ++my $a2_cert = "a2-cert.pem"; ++my $ca_key = "ca-key.pem"; ++my $ca_cert = "ca-cert.pem"; ++my $cnf = srctop_file('apps', 'openssl.cnf'); ++ ++# Create cert A ++ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:2048", ++ "-config", $cnf, ++ "-keyout", $a_key, "-out", $a_cert, "-days", "365", ++ "-nodes", "-subj", "/CN=test.example.com"]))); ++# Create cert CA - note key size ++ok(run(app(["openssl", "req", "-x509", "-newkey", "rsa:4096", ++ "-config", $cnf, ++ "-keyout", $ca_key, "-out", $ca_cert, "-days", "3650", ++ "-nodes", "-subj", "/CN=ca.example.com"]))); ++# Sign cert A with CA (errors on 1.1.1o) ++ok(run(app(["openssl", "x509", "-in", $a_cert, "-CA", $ca_cert, ++ "-CAkey", $ca_key, "-set_serial", "1234567890", ++ "-preserve_dates", "-sha256", "-text", "-out", $a2_cert]))); ++# verify issuer is CA ++ok (get_issuer($a2_cert) =~ /CN = ca.example.com/); ++ ++# Tests for issue #16080 (fixed in 1.1.1o) ++my $b_key = "b-key.pem"; ++my $b_csr = "b-cert.csr"; ++my $b_cert = "b-cert.pem"; ++# Create the CSR ++ok(run(app(["openssl", "req", "-new", "-newkey", "rsa:4096", ++ "-keyout", $b_key, "-out", $b_csr, "-nodes", ++ "-config", $cnf, ++ "-subj", "/CN=b.example.com"]))); ++# Sign it - position of "-text" matters! ++ok(run(app(["openssl", "x509", "-req", "-text", "-CAcreateserial", ++ "-CA", $ca_cert, "-CAkey", $ca_key, ++ "-in", $b_csr, "-out", $b_cert]))); ++# Verify issuer is CA ++ok(get_issuer($b_cert) =~ /CN = ca.example.com/); +-- +2.17.1 + diff --git a/backport-Fix-strict-client-chain-check-with-TLS-1.3.patch b/backport-Fix-strict-client-chain-check-with-TLS-1.3.patch new file mode 100644 index 0000000000000000000000000000000000000000..f13fb2a3f6146ec7e5f78c657e688bb2c27c7c5f --- /dev/null +++ b/backport-Fix-strict-client-chain-check-with-TLS-1.3.patch 
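Review bot: The two issuer assertions use an unescaped, unanchored pattern, `/CN = ca.example.com/`, so each `.` matches any character; `/CN = ca\.example\.com/` states the intent exactly. A smaller nit in get_issuer: the two-argument `open my $fh, $f or die;` would be safer as `open(my $fh, '<', $f) or die "$f: $!";`, which also reports which file failed. On the C side, x509_certify now sets the issuer from xca for both requests and existing certificates, which is the behaviour the new test pins; the -CA block in x509_main keeps doing it for requests only.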
@@ -0,0 +1,54 @@ +From 3bd976551e549c030bdbd150c7aa8a1980cb00fe Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 29 Mar 2022 13:31:34 +0200 +Subject: [PATCH] Fix strict client chain check with TLS-1.3 + +When TLS-1.3 is used and the server does not send any CA names +the ca_dn will be NULL. sk_X509_NAME_num() returns -1 on null +argument. + +Reviewed-by: Todd Short +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/17986) + +(cherry picked from commit 89dd85430770d39cbfb15eb586c921958ca7687f) +--- + ssl/t1_lib.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 4de4623a49..5fcb40eaff 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -2369,22 +2369,20 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, + + ca_dn = s->s3->tmp.peer_ca_names; + +- if (!sk_X509_NAME_num(ca_dn)) ++ if (ca_dn == NULL ++ || sk_X509_NAME_num(ca_dn) == 0 ++ || ssl_check_ca_name(ca_dn, x)) + rv |= CERT_PKEY_ISSUER_NAME; +- +- if (!(rv & CERT_PKEY_ISSUER_NAME)) { +- if (ssl_check_ca_name(ca_dn, x)) +- rv |= CERT_PKEY_ISSUER_NAME; +- } +- if (!(rv & CERT_PKEY_ISSUER_NAME)) { ++ else + for (i = 0; i < sk_X509_num(chain); i++) { + X509 *xtmp = sk_X509_value(chain, i); ++ + if (ssl_check_ca_name(ca_dn, xtmp)) { + rv |= CERT_PKEY_ISSUER_NAME; + break; + } + } +- } ++ + if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME)) + goto end; + } else +-- +2.17.1 + diff --git a/backport-Fix-test-case-for-a2i_IPADDRESS.patch b/backport-Fix-test-case-for-a2i_IPADDRESS.patch new file mode 100644 index 0000000000000000000000000000000000000000..6fb1f30c64d2e200089a5d3fd58edd03f7302f4b --- /dev/null +++ b/backport-Fix-test-case-for-a2i_IPADDRESS.patch 
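Review bot: The new `else` body is a multi-line `for` loop with no braces around it, while the `if` it pairs with is a single statement split over three lines; bracing the `else` (`else {` … `}`) keeps the structure obvious and matches how the removed code was written. Otherwise the guard reads right: with `ca_dn == NULL`, which the message says happens when a TLS 1.3 server sends no CA names, the issuer-name constraint is treated as satisfied instead of passing NULL into sk_X509_NAME_num. tls1_check_chain starts and ends outside the hunk.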
@@ -0,0 +1,42 @@ +From c3b0279bda7bf4f0f81a3dba952698fa68a51639 Mon Sep 17 00:00:00 2001 +From: Amir Mohammadi +Date: Wed, 4 Aug 2021 09:44:29 +0430 +Subject: [PATCH] Fix test case for a2i_IPADDRESS + +(cherry picked from commit 9b887d5d5a8ef9aa1c3ce6e54a82ddcba25b9415) + +Reviewed-by: Tomas Mraz +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/18847) +--- + test/x509_internal_test.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/test/x509_internal_test.c b/test/x509_internal_test.c +index 3eec970352..63f350f74b 100644 +--- a/test/x509_internal_test.c ++++ b/test/x509_internal_test.c +@@ -61,7 +61,6 @@ typedef struct { + const char *ipasc; + const char *data; + int length; +- ASN1_OCTET_STRING ip; + } IP_TESTDATA; + + static IP_TESTDATA a2i_ipaddress_tests[] = { +@@ -81,8 +80,10 @@ static IP_TESTDATA a2i_ipaddress_tests[] = { + {"example.test", NULL, 0}, + {"", NULL, 0}, + ++ {"1.2.3.4 ", "\x01\x02\x03\x04", 4}, ++ {" 1.2.3.4", "\x01\x02\x03\x04", 4}, ++ {" 1.2.3.4 ", "\x01\x02\x03\x04", 4}, + {"1.2.3.4.example.test", NULL, 0}, +- {"1.2.3.4 ", NULL, 0}, + }; + + +-- +2.17.1 + diff --git a/backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch b/backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch new file mode 100644 index 0000000000000000000000000000000000000000..072a73798a89eb61ee526883f0c055b13035ebff --- /dev/null +++ b/backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch 
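Review bot: The table now pins that leading and trailing whitespace around an IPv4 literal is accepted, but has no case with trailing text after that whitespace, which is exactly where the companion v3_utl.c change is weakest. A row such as `{"1.2.3.4 x", NULL, 0},` (constructed) next to the three whitespace cases would document the intended behaviour either way and fail loudly if it changes. Dropping the `ip` member is fine; the test body in the earlier patch of this series never read it.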
@@ -0,0 +1,41 @@ +From e4b84b7514e5cbcbfc80e31b4ce609c7584e14bb Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Fri, 20 May 2022 16:54:41 +0200 +Subject: [PATCH] Fix undefined behaviour in EC_GROUP_new_from_ecparameters + +This happens for instance with +fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a +and causes the OPENSSL_malloc below to choke on the +zero length allocation request. + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/18363) +--- + crypto/ec/ec_asn1.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c +index 4335b3da1a..ad9a54dc50 100644 +--- a/crypto/ec/ec_asn1.c ++++ b/crypto/ec/ec_asn1.c +@@ -751,6 +751,16 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) + + /* extract seed (optional) */ + if (params->curve->seed != NULL) { ++ /* ++ * This happens for instance with ++ * fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a ++ * and causes the OPENSSL_malloc below to choke on the ++ * zero length allocation request. ++ */ ++ if (params->curve->seed->length == 0) { ++ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR); ++ goto err; ++ } + OPENSSL_free(ret->seed); + if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) { + ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE); +-- +2.17.1 + diff --git a/backport-Fix-verify_callback-in-the-openssl-s_client-s_server.patch b/backport-Fix-verify_callback-in-the-openssl-s_client-s_server.patch new file mode 100644 index 0000000000000000000000000000000000000000..f5f70b4d29cd8fd50266d98e06dc803c51cede65 --- /dev/null +++ b/backport-Fix-verify_callback-in-the-openssl-s_client-s_server.patch 
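Review bot: The new comment explains the zero-length seed rejection only by citing a fuzz corpus file name, which tells a later reader nothing about the contract being enforced. A sentence about the semantics reads better in library code, e.g. `/* An empty seed is not meaningful and a zero-length OPENSSL_malloc is not well defined; reject it rather than allocate nothing. */`, with the corpus reference kept in the commit message. `length` is an `int` in ASN1_STRING, so `<= 0` would be the more defensive comparison if a negative value can ever reach this point, though a decoded string should not carry one. EC_GROUP_new_from_ecparameters starts and ends outside the hunk.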
@@ -0,0 +1,64 @@ +From 86945b10ccd84f685bd6215bbb00d1e700303e49 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 14 Jul 2022 21:41:48 +0200 +Subject: [PATCH] Fix verify_callback in the openssl s_client/s_server app + +We need to check that error cert is available before printing its data + +Reviewed-by: Tomas Mraz +Reviewed-by: David von Oheimb +Reviewed-by: Viktor Dukhovni +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/18805) + +(cherry picked from commit fad0f80eff188ef938fed614245a56ed56110deb) +--- + apps/s_cb.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/apps/s_cb.c b/apps/s_cb.c +index d066a423de..a4ff978908 100644 +--- a/apps/s_cb.c ++++ b/apps/s_cb.c +@@ -74,22 +74,28 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) + } + switch (err) { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: +- BIO_puts(bio_err, "issuer= "); +- X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), +- 0, get_nameopt()); +- BIO_puts(bio_err, "\n"); ++ if (err_cert != NULL) { ++ BIO_puts(bio_err, "issuer= "); ++ X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), ++ 0, get_nameopt()); ++ BIO_puts(bio_err, "\n"); ++ } + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: +- BIO_printf(bio_err, "notBefore="); +- ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert)); +- BIO_printf(bio_err, "\n"); ++ if (err_cert != NULL) { ++ BIO_printf(bio_err, "notBefore="); ++ ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert)); ++ BIO_printf(bio_err, "\n"); ++ } + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: +- BIO_printf(bio_err, "notAfter="); +- ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert)); +- BIO_printf(bio_err, "\n"); ++ if (err_cert != NULL) { ++ BIO_printf(bio_err, "notAfter="); ++ ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert)); ++ BIO_printf(bio_err, "\n"); ++ } + 
break; + case X509_V_ERR_NO_EXPLICIT_POLICY: + if (!verify_args.quiet) +-- +2.17.1 + diff --git a/backport-Fixes-segfault-occurrence-in-PEM_write.patch b/backport-Fixes-segfault-occurrence-in-PEM_write.patch new file mode 100644 index 0000000000000000000000000000000000000000..4a3888b4cff8e72e23706ee446adee6454b25461 --- /dev/null +++ b/backport-Fixes-segfault-occurrence-in-PEM_write.patch @@ -0,0 +1,37 @@ +From 3b9082c844913d3a0efada9fac0bd2924ce1a8f2 Mon Sep 17 00:00:00 2001 +From: valdaarhun +Date: Mon, 25 Jul 2022 18:49:19 +0530 +Subject: [PATCH] Fixes segfault occurrence in PEM_write() + +Checks if header is NULL or not before calling strlen(). + +CLA: trivial + +Fixes #18825 + +Reviewed-by: Tomas Mraz +Reviewed-by: Ben Kaduk +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/18865) + +(cherry picked from commit 205957405d08ef199e6ab654e333a627bbca9ccc) +--- + crypto/pem/pem_lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c +index 2de093595d..c2cf407931 100644 +--- a/crypto/pem/pem_lib.c ++++ b/crypto/pem/pem_lib.c +@@ -621,7 +621,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header, + (BIO_write(bp, "-----\n", 6) != 6)) + goto err; + +- i = strlen(header); ++ i = header != NULL ? strlen(header) : 0; + if (i > 0) { + if ((BIO_write(bp, header, i) != i) || (BIO_write(bp, "\n", 1) != 1)) + goto err; +-- +2.17.1 + diff --git a/backport-Make-the-DRBG-seed-propagation-thread-safe.patch b/backport-Make-the-DRBG-seed-propagation-thread-safe.patch new file mode 100644 index 0000000000000000000000000000000000000000..6ba2678781ff6881d8796dcbc981b68bcc667c7f --- /dev/null +++ b/backport-Make-the-DRBG-seed-propagation-thread-safe.patch 
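Review bot: The same `if (err_cert != NULL)` guard is now copied into three `case` arms, and the `X509_V_ERR_NO_EXPLICIT_POLICY` arm that follows (and any arms beyond the hunk) is not visible enough here to tell whether it also dereferences err_cert. If every arm needs the certificate, hoisting the NULL check once above the `switch`, with a short `BIO_printf(bio_err, "no certificate available for this error\n")` in the NULL case, would cover every arm and also tell the operator why the usual issuer/date detail is missing instead of printing nothing. verify_callback starts and ends outside the hunk.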
@@ -0,0 +1,77 @@ +From 17098c116d68b3a01fcb688487dccdc0c10b8f63 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sat, 23 Oct 2021 11:58:27 +0200 +Subject: [PATCH] Make the DRBG seed propagation thread safe + +Currently there is a race possible because the reseed_counter +of the master drbg may be incremented after the get_entropy call. +Therefore access the parent's reseed_counter while still holding +the rand_drbg_lock. + +This improves commit 958fec77928a28350f6af252ac5e8d0e6e081faa + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/16900) +--- + crypto/rand/drbg_lib.c | 18 ++++-------------- + crypto/rand/rand_lib.c | 6 +++++- + 2 files changed, 9 insertions(+), 15 deletions(-) + +diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c +index 8c7c28c970..0ba20ca326 100644 +--- a/crypto/rand/drbg_lib.c ++++ b/crypto/rand/drbg_lib.c +@@ -354,13 +354,8 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, + drbg->state = DRBG_READY; + drbg->generate_counter = 1; + drbg->reseed_time = time(NULL); +- if (drbg->enable_reseed_propagation) { +- if (drbg->parent == NULL) +- tsan_counter(&drbg->reseed_counter); +- else +- tsan_store(&drbg->reseed_counter, +- tsan_load(&drbg->parent->reseed_counter)); +- } ++ if (drbg->enable_reseed_propagation && drbg->parent == NULL) ++ tsan_counter(&drbg->reseed_counter); + + end: + if (entropy != NULL && drbg->cleanup_entropy != NULL) +@@ -444,13 +439,8 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg, + drbg->state = DRBG_READY; + drbg->generate_counter = 1; + drbg->reseed_time = time(NULL); +- if (drbg->enable_reseed_propagation) { +- if (drbg->parent == NULL) +- tsan_counter(&drbg->reseed_counter); +- else +- tsan_store(&drbg->reseed_counter, +- tsan_load(&drbg->parent->reseed_counter)); +- } ++ if (drbg->enable_reseed_propagation && drbg->parent == NULL) ++ tsan_counter(&drbg->reseed_counter); + + end: + if (entropy != NULL && drbg->cleanup_entropy != NULL) +diff --git 
a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c +index 5c72fad8ca..545ab46315 100644 +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -172,8 +172,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, + if (RAND_DRBG_generate(drbg->parent, + buffer, bytes_needed, + prediction_resistance, +- (unsigned char *)&drbg, sizeof(drbg)) != 0) ++ (unsigned char *)&drbg, sizeof(drbg)) != 0) { + bytes = bytes_needed; ++ if (drbg->enable_reseed_propagation) ++ tsan_store(&drbg->reseed_counter, ++ tsan_load(&drbg->parent->reseed_counter)); ++ } + rand_drbg_unlock(drbg->parent); + + rand_pool_add_end(pool, bytes, 8 * bytes); +-- +2.17.1 + diff --git a/backport-Set-protocol-in-init_client.patch b/backport-Set-protocol-in-init_client.patch new file mode 100644 index 0000000000000000000000000000000000000000..e2b38410be92e517cb5f2ecc9b7964a15388b167 --- /dev/null +++ b/backport-Set-protocol-in-init_client.patch 
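Review bot: Propagation of the parent's `reseed_counter` now happens only inside rand_drbg_get_entropy, on the path where RAND_DRBG_generate on the parent succeeded, while RAND_DRBG_instantiate and RAND_DRBG_reseed no longer copy it at all. Reading it under the parent's lock is the right fix for the race the message describes, but it means a DRBG whose entropy callback is not rand_drbg_get_entropy never learns the parent's counter even with `enable_reseed_propagation` set; if that flag is only ever set on the internally chained DRBGs that use the default callback, a comment saying so next to the new `tsan_store` would keep the invariant from being broken later. The three enclosing functions start and end outside their hunks.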
@@ -0,0 +1,33 @@
+From 3aeed22c593ae036c2503ac07276768c82fe5782 Mon Sep 17 00:00:00 2001
+From: Todd Short
+Date: Tue, 8 Mar 2022 09:36:43 -0500
+Subject: [PATCH] Set protocol in init_client()
+
+If TCP is being used, protocol = 0 is passed to init_client(), then
+protocol == IPPROTO_TCP fails when attempting to set BIO_SOCK_NODELAY.
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Tim Hudson
+(Merged from https://github.com/openssl/openssl/pull/17838)
+
+(cherry picked from commit 54b6755702309487ea860e1cc3e60ccef4cf7878)
+---
+ apps/s_socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apps/s_socket.c b/apps/s_socket.c
+index aee366d5f4..a518d56200 100644
+--- a/apps/s_socket.c
++++ b/apps/s_socket.c
+@@ -147,7 +147,7 @@ int init_client(int *sock, const char *host, const char *port,
+ #endif
+
+ if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai),
+- protocol == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
++ BIO_ADDRINFO_protocol(ai) == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
+ BIO_closesocket(*sock);
+ *sock = INVALID_SOCKET;
+ continue;
+--
+2.17.1
+
diff --git a/backport-Test-case-for-a2i_IPADDRESS.patch b/backport-Test-case-for-a2i_IPADDRESS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e0c1a6a399afd18be5f74a019ac773e87bf6d9ee
--- /dev/null
+++ b/backport-Test-case-for-a2i_IPADDRESS.patch
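Review bot: After this change the `protocol` parameter of init_client is no longer read in the visible lines; if this was its only use, it is now a dead parameter that the signature still advertises and callers still fill in, which draws an unused-parameter warning and misleads readers into thinking it still selects the socket option. Either retire it from the interface in a follow-up or mark it `(void)protocol;` with a comment that the per-address protocol from BIO_ADDRINFO_protocol() is authoritative. The rest of init_client, including any other use of protocol, is outside the hunk.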
@@ -0,0 +1,91 @@
+From bd41b84bede84c1a5716be4eafddd1dd052faa72 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Sat, 15 Aug 2020 20:01:49 +0200
+Subject: [PATCH] Test case for a2i_IPADDRESS
+
+Unit test to show that a2i_IPADDRESS("1.2.3.4.test.example") ignores
+trailing data.
+
+See: https://github.com/openssl/openssl/issues/12649
+See: https://bugs.python.org/issue41556
+
+(cherry picked from commit 1a9411a30b09a98498366979a1ea4898f70f6d19)
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Dmitry Belyavskiy
+Reviewed-by: Hugo Landau
+(Merged from https://github.com/openssl/openssl/pull/18847)
+---
+ test/x509_internal_test.c | 54 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+diff --git a/test/x509_internal_test.c b/test/x509_internal_test.c
+index d2f41d7085..3eec970352 100644
+--- a/test/x509_internal_test.c
++++ b/test/x509_internal_test.c
+@@ -57,8 +57,62 @@ static int test_standard_exts(void)
+ return good;
+ }
+
++typedef struct {
++ const char *ipasc;
++ const char *data;
++ int length;
++ ASN1_OCTET_STRING ip;
++} IP_TESTDATA;
++
++static IP_TESTDATA a2i_ipaddress_tests[] = {
++ {"127.0.0.1", "\x7f\x00\x00\x01", 4},
++ {"1.2.3.4", "\x01\x02\x03\x04", 4},
++ {"1.2.3.255", "\x01\x02\x03\xff", 4},
++ {"1.2.3", NULL, 0},
++ {"1.2.3 .4", NULL, 0},
++
++ {"::1", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16},
++ {"1:1:1:1:1:1:1:1", "\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01\x00\x01", 16},
++ {"2001:db8::ff00:42:8329", "\x20\x01\x0d\xb8\x00\x00\x00\x00\x00\x00\xff\x00\x00\x42\x83\x29", 16},
++ {"1:1:1:1:1:1:1:1.test", NULL, 0},
++ {":::1", NULL, 0},
++ {"2001::123g", NULL, 0},
++
++ {"example.test", NULL, 0},
++ {"", NULL, 0},
++
++ {"1.2.3.4.example.test", NULL, 0},
++ {"1.2.3.4 ", NULL, 0},
++};
++
++
++static int test_a2i_ipaddress(int idx)
++{
++ int good = 1;
++ ASN1_OCTET_STRING *ip;
++ int len = a2i_ipaddress_tests[idx].length;
++
++ ip = a2i_IPADDRESS(a2i_ipaddress_tests[idx].ipasc);
++ if (len == 0) {
++ if (!TEST_ptr_null(ip)) {
++ good = 0;
++ TEST_note("'%s' should not be parsed as IP address", a2i_ipaddress_tests[idx].ipasc);
++ }
++ } else {
++ if (!TEST_ptr(ip)
++ || !TEST_int_eq(ASN1_STRING_length(ip), len)
++ || !TEST_mem_eq(ASN1_STRING_get0_data(ip), len,
++ a2i_ipaddress_tests[idx].data, len)) {
++ good = 0;
++ }
++ }
++ ASN1_OCTET_STRING_free(ip);
++ return good;
++}
++
+ int setup_tests(void)
+ {
+ ADD_TEST(test_standard_exts);
++ ADD_ALL_TESTS(test_a2i_ipaddress, OSSL_NELEM(a2i_ipaddress_tests));
+ return 1;
+ }
+--
+2.17.1
+
diff --git a/backport-Test-that-swapping-the-first-app-data-record-with-Fi.patch b/backport-Test-that-swapping-the-first-app-data-record-with-Fi.patch
new file mode 100644
index 0000000000000000000000000000000000000000..685668168c21b59e86537cdedfeb697cdbf2a08d
--- /dev/null
+++ b/backport-Test-that-swapping-the-first-app-data-record-with-Fi.patch
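Review bot: The `ASN1_OCTET_STRING ip;` member of IP_TESTDATA is never referenced, neither in the table initialisers nor in test_a2i_ipaddress, so it only enlarges every entry and suggests state that does not exist; drop it. The `data` strings contain embedded `\x00` bytes and are only meaningful together with `length`, which the TEST_mem_eq call honours, so a one-line comment on the struct such as `/* data is not NUL-terminated; length gives its size */` would stop a future strlen on it. The entries that expect "1.2.3.4.example.test" and "1.2.3.4 " to be rejected only hold once the ipv4_from_asc fix listed before this patch in openssl.spec is applied, so the patch order there is load-bearing.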
@@ -0,0 +1,183 @@ +From d87e99df3162b2d56b8d44907fde88b67d7e3900 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Mon, 25 Jul 2022 12:39:52 +0100 +Subject: [PATCH] Test that swapping the first app data record with Finished + msg works + +If the first app data record arrives before the Finished message we should +be able to buffer it and move on to the Finished message. + +Reviewed-by: Hugo Landau +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/18976) +--- + test/dtlstest.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++ + test/ssltestlib.c | 33 ++++++++++++++++++ + test/ssltestlib.h | 1 + + 3 files changed, 122 insertions(+) + +diff --git a/test/dtlstest.c b/test/dtlstest.c +index 1d7b105fb6..f5c9dcfcd8 100644 +--- a/test/dtlstest.c ++++ b/test/dtlstest.c +@@ -328,6 +328,93 @@ static int test_dtls_duplicate_records(void) + return testresult; + } + ++/* ++ * Test that swapping an app data record so that it is received before the ++ * Finished message still works. 
++ */ ++static int test_swap_app_data(void) ++{ ++ SSL_CTX *sctx = NULL, *cctx = NULL; ++ SSL *sssl = NULL, *cssl = NULL; ++ int testresult = 0; ++ BIO *bio; ++ char msg[] = { 0x00, 0x01, 0x02, 0x03 }; ++ char buf[10]; ++ ++ if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), ++ DTLS_client_method(), ++ DTLS1_VERSION, 0, ++ &sctx, &cctx, cert, privkey))) ++ return 0; ++ ++#ifndef OPENSSL_NO_DTLS1_2 ++ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA"))) ++ goto end; ++#else ++ /* Default sigalgs are SHA1 based in pkts); ++ ++ /* We need at least 2 packets to be able to swap them */ ++ if (numpkts <= 1) ++ return 0; ++ ++ /* Get the penultimate packet */ ++ thispkt = sk_MEMPACKET_value(ctx->pkts, numpkts - 2); ++ if (thispkt == NULL) ++ return 0; ++ ++ if (sk_MEMPACKET_delete(ctx->pkts, numpkts - 2) != thispkt) ++ return 0; ++ ++ /* Re-add it to the end of the list */ ++ thispkt->num++; ++ if (sk_MEMPACKET_insert(ctx->pkts, thispkt, numpkts - 1) <= 0) ++ return 0; ++ ++ /* We also have to adjust the packet number of the other packet */ ++ thispkt = sk_MEMPACKET_value(ctx->pkts, numpkts - 2); ++ if (thispkt == NULL) ++ return 0; ++ thispkt->num--; ++ ++ return 1; ++} ++ + int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, + int type) + { +diff --git a/test/ssltestlib.h b/test/ssltestlib.h +index 17b278219a..b47004f62e 100644 +--- a/test/ssltestlib.h ++++ b/test/ssltestlib.h +@@ -46,6 +46,7 @@ void bio_s_always_retry_free(void); + #define MEMPACKET_CTRL_GET_DROP_REC (3 << 15) + #define MEMPACKET_CTRL_SET_DUPLICATE_REC (4 << 15) + ++int mempacket_swap_recent(BIO *bio); + int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, + int type); + +-- +2.17.1 + diff --git a/backport-X509_REQ_get_extensions-Return-empty-stack-if-no-ext.patch b/backport-X509_REQ_get_extensions-Return-empty-stack-if-no-ext.patch new file mode 100644 index 0000000000000000000000000000000000000000..1bc0efd209ef1bbf5da015b845a66b53ff4aef7f 
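Review bot: In mempacket_swap_recent the failure path after `sk_MEMPACKET_delete` leaks the packet: once `thispkt` has been removed from ctx->pkts and `sk_MEMPACKET_insert` returns <= 0, the function returns 0 without freeing it or putting it back, and its `num` has already been incremented. Either free it before returning (ssltestlib.c presumably has a packet free helper, not shown here) or re-insert it at its old index so the stack is unchanged on failure. Part of this patch is missing from this chunk (the text is cut between `SHA1 based` and `pkts);`), so the start of mempacket_swap_recent and the body of test_swap_app_data could not be reviewed.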
--- /dev/null
+++ b/backport-X509_REQ_get_extensions-Return-empty-stack-if-no-ext.patch
@@ -0,0 +1,32 @@
+From 0b755cdfb52ff51830aa004799e1f78548423c00 Mon Sep 17 00:00:00 2001
+From: "Dr. David von Oheimb"
+Date: Fri, 8 Jan 2021 08:27:17 +0100
+Subject: [PATCH] X509_REQ_get_extensions(): Return empty stack if no
+ extensions found
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Todd Short
+Reviewed-by: David von Oheimb
+(Merged from https://github.com/openssl/openssl/pull/18926)
+---
+ crypto/x509/x509_req.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
+index dd674926dd..a69f9a723d 100644
+--- a/crypto/x509/x509_req.c
++++ b/crypto/x509/x509_req.c
+@@ -167,7 +167,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
+ ext = X509_ATTRIBUTE_get0_type(attr, 0);
+ break;
+ }
+- if (!ext || (ext->type != V_ASN1_SEQUENCE))
++ if (ext == NULL) /* no extensions is not an error */
++ return sk_X509_EXTENSION_new_null();
++ if (ext->type != V_ASN1_SEQUENCE)
+ return NULL;
+ p = ext->value.sequence->data;
+ return (STACK_OF(X509_EXTENSION) *)
+--
+2.17.1
+
diff --git a/backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch b/backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e437535db8c22fe6b53ce47e6e50da3919c147a8
--- /dev/null
+++ b/backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch
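Review bot: Callers that treated a NULL return from X509_REQ_get_extensions as "no extensions" now receive a heap-allocated empty stack they must free, so any caller in apps/ or crypto/ that skipped the pop_free on NULL leaks after this backport; those callers are not in this patch and should be audited with it. The function's contract has changed and its documentation should say so: a NULL return now means a malformed extension attribute or an allocation failure, while a request without extensions yields an empty stack the caller frees with sk_X509_EXTENSION_pop_free. Note that `sk_X509_EXTENSION_new_null()` itself returns NULL on allocation failure, so that case is indistinguishable from the malformed case unless an error is raised here, which the hunk does not show. X509_REQ_get_extensions begins before this hunk.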
@@ -0,0 +1,156 @@ +From 79dbd85fe27ebabc278417af64ab8e3eb43d2d40 Mon Sep 17 00:00:00 2001 +From: Todd Short +Date: Wed, 23 Mar 2022 18:55:10 -0400 +Subject: [PATCH] ticket_lifetime_hint may exceed 1 week in TLSv1.3 + +For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446 + +Fixes #17948 + +Reviewed-by: Tomas Mraz +Reviewed-by: Tim Hudson +(Merged from https://github.com/openssl/openssl/pull/17952) + +(cherry picked from commit 0089cc7f9d42f6e39872161199fb8b6a99da2492) +--- + doc/man3/SSL_CTX_set_timeout.pod | 10 ++++++ + ssl/statem/statem_srvr.c | 21 ++++++++---- + test/sslapitest.c | 59 ++++++++++++++++++++++++++++++++ + 3 files changed, 84 insertions(+), 6 deletions(-) + +diff --git a/doc/man3/SSL_CTX_set_timeout.pod b/doc/man3/SSL_CTX_set_timeout.pod +index c32585e45f..54592654ff 100644 +--- a/doc/man3/SSL_CTX_set_timeout.pod ++++ b/doc/man3/SSL_CTX_set_timeout.pod +@@ -42,6 +42,16 @@ basis, see L. + All currently supported protocols have the same default timeout value + of 300 seconds. + ++This timeout value is used as the ticket lifetime hint for stateless session ++tickets. It is also used as the timeout value within the ticket itself. ++ ++For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800 ++seconds). ++ ++For TLSv1.2, tickets generated during an initial handshake use the value ++as specified. Tickets generated during a resumed handshake have a value ++of 0 for the ticket lifetime hint. ++ + =head1 RETURN VALUES + + SSL_CTX_set_timeout() returns the previously set timeout value. 
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c +index d701c46b43..79cfd1d835 100644 +--- a/ssl/statem/statem_srvr.c ++++ b/ssl/statem/statem_srvr.c +@@ -3820,15 +3820,24 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt) + static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, + unsigned char *tick_nonce) + { ++ uint32_t timeout = (uint32_t)s->session->timeout; ++ + /* +- * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this +- * unspecified for resumed session (for simplicity). ++ * Ticket lifetime hint: + * In TLSv1.3 we reset the "time" field above, and always specify the +- * timeout. ++ * timeout, limited to a 1 week period per RFC8446. ++ * For TLSv1.2 this is advisory only and we leave this unspecified for ++ * resumed session (for simplicity). + */ +- if (!WPACKET_put_bytes_u32(pkt, +- (s->hit && !SSL_IS_TLS13(s)) +- ? 0 : s->session->timeout)) { ++#define ONE_WEEK_SEC (7 * 24 * 60 * 60) ++ ++ if (SSL_IS_TLS13(s)) { ++ if (s->session->timeout > ONE_WEEK_SEC) ++ timeout = ONE_WEEK_SEC; ++ } else if (s->hit) ++ timeout = 0; ++ ++ if (!WPACKET_put_bytes_u32(pkt, timeout)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL, + ERR_R_INTERNAL_ERROR); + return 0; +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 21322ceec5..09a732f577 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -6734,6 +6734,64 @@ end: + SSL_CTX_free(cctx); + return testresult; + } ++ ++/* ++ * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week ++ * 0 = TLSv1.2 ++ * 1 = TLSv1.3 ++ */ ++static int test_ticket_lifetime(int idx) ++{ ++ SSL_CTX *cctx = NULL, *sctx = NULL; ++ SSL *clientssl = NULL, *serverssl = NULL; ++ int testresult = 0; ++ int version = TLS1_3_VERSION; ++ ++#define ONE_WEEK_SEC (7 * 24 * 60 * 60) ++#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC) ++ ++ if (idx == 0) { ++ version = TLS1_2_VERSION; ++ } ++ ++ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), 
++ TLS_client_method(), version, version, ++ &sctx, &cctx, cert, privkey))) ++ goto end; ++ ++ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, ++ &clientssl, NULL, NULL))) ++ goto end; ++ ++ /* ++ * Set the timeout to be more than 1 week ++ * make sure the returned value is the default ++ */ ++ if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC), ++ SSL_get_default_timeout(serverssl))) ++ goto end; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) ++ goto end; ++ ++ if (idx == 0) { ++ /* TLSv1.2 uses the set value */ ++ if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC)) ++ goto end; ++ } else { ++ /* TLSv1.3 uses the limited value */ ++ if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC)) ++ goto end; ++ } ++ testresult = 1; ++ ++end: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ return testresult; ++} + #endif + /* + * Test that setting an ALPN does not violate RFC +@@ -6973,6 +7031,7 @@ int setup_tests(void) + #endif + #ifndef OPENSSL_NO_TLS1_3 + ADD_TEST(test_sni_tls13); ++ ADD_ALL_TESTS(test_ticket_lifetime, 2); + #endif + ADD_TEST(test_set_alpn); + ADD_TEST(test_inherit_verify_param); +-- +2.17.1 + diff --git a/backport-v3_sxnet-add-a-check-for-the-return-of-i2s_ASN1_INTE.patch b/backport-v3_sxnet-add-a-check-for-the-return-of-i2s_ASN1_INTE.patch new file mode 100644 index 0000000000000000000000000000000000000000..214010ecd6d5f8b42855146af1cc3a724009bfa4 --- /dev/null +++ b/backport-v3_sxnet-add-a-check-for-the-return-of-i2s_ASN1_INTE.patch 
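Review bot: In create_ticket_prequel the clamp compares the `long` `s->session->timeout` with ONE_WEEK_SEC, but the value sent is the `uint32_t` cast taken two lines earlier, so a negative timeout (SSL_CTX_set_timeout takes a long; whether it rejects negatives is outside this hunk) passes the `> ONE_WEEK_SEC` test and goes on the wire as a value near 2^32, which is exactly what the commit sets out to prevent, and for TLSv1.2 a timeout above UINT32_MAX is silently truncated. Clamping both ends closes it: `if (s->session->timeout < 0) timeout = 0; else if (s->session->timeout > ONE_WEEK_SEC) timeout = ONE_WEEK_SEC;` under the TLSv1.3 branch, with a comment that 0 tells the client to discard the ticket. ONE_WEEK_SEC is also defined independently in statem_srvr.c and sslapitest.c, so the test cannot catch a typo in the server constant; and since the test configures two weeks, the TLSv1.3 assertion could be TEST_ulong_eq against ONE_WEEK_SEC rather than TEST_ulong_le.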
@@ -0,0 +1,30 @@
+From 7a05fcb1fc276a7ecfe599d45655d4e617c5e2d4 Mon Sep 17 00:00:00 2001
+From: xkernel
+Date: Mon, 20 Jun 2022 17:46:39 +0800
+Subject: [PATCH] v3_sxnet: add a check for the return of i2s_ASN1_INTEGER()
+
+Reviewed-by: Matt Caswell
+Reviewed-by: Ben Kaduk
+(Merged from https://github.com/openssl/openssl/pull/18608)
+
+(cherry picked from commit 9ef1f848a646565d4dd86e56542cf921d4921ad9)
+---
+ crypto/x509v3/v3_sxnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509v3/v3_sxnet.c
+index 144e8bee84..3c5508f941 100644
+--- a/crypto/x509v3/v3_sxnet.c
++++ b/crypto/x509v3/v3_sxnet.c
+@@ -78,6 +78,8 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
+ for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
+ id = sk_SXNETID_value(sx->ids, i);
+ tmp = i2s_ASN1_INTEGER(NULL, id->zone);
++ if (tmp == NULL)
++ return 0;
+ BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
+ OPENSSL_free(tmp);
+ ASN1_STRING_print(out, id->user);
+--
+2.17.1
+
diff --git a/backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch b/backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch
new file mode 100644
index 0000000000000000000000000000000000000000..17736899a4cad749f1168160b764a4f72be3131b
--- /dev/null
+++ b/backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch
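Review bot: The new NULL check makes a failed i2s_ASN1_INTEGER fatal for sxnet_i2r, but the BIO_printf and ASN1_STRING_print calls in the same loop body remain unchecked, so the function now reports one kind of failure while ignoring the others; either check those too (`if (BIO_printf(...) <= 0) { OPENSSL_free(tmp); return 0; }` ordering the free before the return) or note in a comment that output errors are deliberately ignored here. Returning 0 mid-loop leaves partial output already written to `out`, which is acceptable for a printer but worth a comment. sxnet_i2r begins before this hunk.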
@@ -0,0 +1,39 @@
+From 91db522f31981b3fafdec4120de1027e8bc4d792 Mon Sep 17 00:00:00 2001
+From: Daniel Fiala
+Date: Mon, 18 Apr 2022 11:30:13 +0200
+Subject: [PATCH] x509: use actual issuer name if a CA is used
+
+Fixes openssl#16080.
+
+Reviewed-by: Ben Kaduk
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/18129)
+---
+ apps/x509.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/apps/x509.c b/apps/x509.c
+index 1043eba0c8..2329d9b2d4 100644
+--- a/apps/x509.c
++++ b/apps/x509.c
+@@ -590,6 +590,8 @@ int x509_main(int argc, char **argv)
+ xca = load_cert(CAfile, CAformat, "CA Certificate");
+ if (xca == NULL)
+ goto end;
++ if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
++ goto end;
+ }
+
+ out = bio_open_default(outfile, 'w', outformat);
+@@ -987,8 +989,6 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
+ goto end;
+ }
+
+- if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+- goto end;
+ if (!X509_set_serialNumber(x, bs))
+ goto end;
+
+--
+2.17.1
+
diff --git a/openssl.spec b/openssl.spec
index a03d135b8032eb08dc36f0d6b47dff74a3e63a20..2444f7b824089a9cac494f5f607c6865b6a5b81b 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@
 Name: openssl
 Epoch: 1
 Version: 1.1.1m
-Release: 13
+Release: 17
 Summary: Cryptography and SSL/TLS Toolkit
 License: OpenSSL and SSLeay
 URL: https://www.openssl.org/
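Review bot: The X509_set_issuer_name call moved into x509_main now runs whenever -CA is given, before any of the print options execute, so the issuer shown by -issuer or -text is the CA's subject even if the later signing step fails; a comment would keep someone from moving it back into x509_certify, e.g. `/* Set the issuer up front so printing options show the CA's name rather than the one carried over from the input certificate (openssl#16080). */`. X509_set_issuer_name dereferences `x`, and the code that loads `x` is outside this hunk, so it should be confirmed that `x` cannot be NULL when -CA is given. The removed lines in x509_certify leave `xca` unused at that point only if no other use remains below the hunk, which this patch does not show.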
@@ -46,7 +46,50 @@ Patch35: backport-Fix-NULL-pointer-dereference-for-BN_mod_exp2_mont.patch Patch36: backport-crypto-x509-v3_utl.c-Add-missing-check-for-OPENSSL_s.patch Patch37: backport-Fix-password_callback-to-handle-short-passwords.patch Patch38: backport-Fix-usage-of-SSLfatal.patch - +Patch39: backport-Fix-integer-overflow-in-evp_EncryptDecryptUpdate.patch +Patch40: backport-Fix-Coverity-1201763-uninitialised-pointer-read.patch +Patch41: backport-Fix-Coverity-1498611-1498608-uninitialised-read.patch +Patch42: backport-Fix-coverity-1498607-uninitialised-value.patch +Patch43: backport-Check-password-length-only-when-verify-is-enabled.patch +Patch44: backport-Fix-issue-where-OBJ_nid2obj-doesn-t-always-raise-an-.patch +Patch45: backport-Set-protocol-in-init_client.patch +Patch46: backport-Fix-a-crash-in-ssl_security_cert_chain.patch +Patch47: backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch +Patch48: backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch +Patch49: backport-Fix-a-crash-in-asn1_item_embed_new.patch +Patch50: backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch +Patch51: backport-Add-test-for-empty-supported-groups-extension.patch +Patch52: backport-Do-not-send-an-empty-supported-groups-extension.patch +Patch53: backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch +Patch54: backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch +Patch55: backport-Fix-a-memory-leak-in-crl_set_issuers.patch +Patch56: backport-Fix-a-DTLS-server-hangup-due-to-TLS13_AD_MISSING_EXT.patch +Patch57: backport-Fix-an-assertion-in-the-DTLS-server-code.patch +Patch58: backport-Fix-a-memory-leak-in-X509_issuer_and_serial_hash.patch +Patch59: backport-Fix-strict-client-chain-check-with-TLS-1.3.patch +Patch60: backport-Fix-a-crash-in-X509v3_asid_subset.patch +Patch61: backport-Fix-a-memory-leak-in-EC_GROUP_new_from_ecparameters.patch +Patch62: backport-Fix-range_should_be_prefix-to-actually-return-the-co.patch +Patch63: 
backport-v3_sxnet-add-a-check-for-the-return-of-i2s_ASN1_INTE.patch +Patch64: backport-Fix-bn_gcd-code-to-check-return-value-when-calling-B.patch +Patch65: backport-Add-missing-header-for-memcmp.patch +Patch66: backport-Fix-a-memory-leak-in-tls13_generate_secret.patch +Patch67: backport-Make-the-DRBG-seed-propagation-thread-safe.patch +Patch68: backport-Fix-memory-leak-in-X509V3_add1_i2d-when-flag-is-X509.patch +Patch69: backport-APPS-x509-With-CA-but-both-CAserial-and-CAcreateseri.patch +Patch70: backport-Fix-verify_callback-in-the-openssl-s_client-s_server.patch +Patch71: backport-Fix-re-signing-certificates-with-different-key-sizes.patch +Patch72: backport-Fix-ipv4_from_asc-behavior-on-invalid-Ip-addresses.patch +Patch73: backport-Test-case-for-a2i_IPADDRESS.patch +Patch74: backport-Fix-test-case-for-a2i_IPADDRESS.patch +Patch75: backport-Fix-a-crash-in-v2i_IPAddrBlocks.patch +Patch76: backport-Fixes-segfault-occurrence-in-PEM_write.patch +Patch77: backport-X509_REQ_get_extensions-Return-empty-stack-if-no-ext.patch +Patch78: backport-Fix-EC_KEY_set_private_key-priv_key-regression.patch +Patch79: backport-Add-test-for-EC_KEY_set_private_key.patch +Patch80: backport-Fix-SSL_pending-and-SSL_has_pending-with-DTLS.patch +Patch81: backport-Test-that-swapping-the-first-app-data-record-with-Fi.patch + BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Obsoletes: openssl-SMx < %{epoch}:%{version}-%{release} @@ -248,6 +291,18 @@ make test || : %ldconfig_scriptlets libs %changelog +* Fri Nov 4 2022 wangcheng - 1:1.1.1m-17 +- backport some patches + +* Fri Nov 4 2022 wangcheng - 1:1.1.1m-16 +- backport some patches + +* Fri Nov 4 2022 wangcheng - 1:1.1.1m-15 +- backport some patches + +* Fri Nov 4 2022 wangcheng - 1:1.1.1m-14 +- backport some patches + * Fri Nov 4 2022 wangcheng - 1:1.1.1m-13 - backport some patches
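Review bot: The changelog adds four release entries (14 through 17) that all carry the same date and the same text "backport some patches", which gives package consumers no way to tell which fixes arrived in which release; each entry should name the patches it brought in, and at minimum the ones with security relevance visible in the patch list (the CBC_MAC 32-byte cacheline leakage fix, the ipv4_from_asc/a2i_IPADDRESS input-validation fix, and the crash fixes in X509v3_asid_subset and v2i_IPAddrBlocks) deserve a mention. It is not visible in this hunk whether the spec applies patches with %autosetup or with explicit %patch lines; if the latter, Patch39 through Patch81 need matching apply lines elsewhere in the spec. The relative order of Patch72, Patch73 and Patch74 matters because the a2i_IPADDRESS test expects the ipv4_from_asc fix to be present, and the listing keeps that order.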