diff --git a/AES-CTR-DRGB-do-not-leak-timing-information.patch b/AES-CTR-DRGB-do-not-leak-timing-information.patch new file mode 100644 index 0000000000000000000000000000000000000000..8c8c9706e1e567e39ec756df8c1df8c306d01837 --- /dev/null +++ b/AES-CTR-DRGB-do-not-leak-timing-information.patch @@ -0,0 +1,52 @@ +From 9cc834d966ea5afc38fb829bfe498aed4c5d498d Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Sat, 22 Feb 2020 01:20:09 +0100 +Subject: [PATCH 013/217] AES CTR-DRGB: do not leak timing information + +Signed-off-by: Patrick Steuer + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/11147) + +(cherry picked from commit 069165d10646a22000c596095cc04d43bbf1f807) +--- + crypto/rand/drbg_ctr.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c +index 93b82f3..f41484e 100644 +--- a/crypto/rand/drbg_ctr.c ++++ b/crypto/rand/drbg_ctr.c +@@ -21,19 +21,15 @@ + + static void inc_128(RAND_DRBG_CTR *ctr) + { +- int i; +- unsigned char c; +- unsigned char *p = &ctr->V[15]; +- +- for (i = 0; i < 16; i++, p--) { +- c = *p; +- c++; +- *p = c; +- if (c != 0) { +- /* If we didn't wrap around, we're done. */ +- break; +- } +- } ++ unsigned char *p = &ctr->V[0]; ++ u32 n = 16, c = 1; ++ ++ do { ++ --n; ++ c += p[n]; ++ p[n] = (u8)c; ++ c >>= 8; ++ } while (n); + } + + static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen) +-- +1.8.3.1 + diff --git a/Add-an-SSL_dup-test.patch b/Add-an-SSL_dup-test.patch new file mode 100644 index 0000000000000000000000000000000000000000..0b746089ffc8e6690401c5119e1acd1995a6e759 --- /dev/null +++ b/Add-an-SSL_dup-test.patch @@ -0,0 +1,104 @@ +From 45f02e9095f30abefc799b34a612140a47aa9e27 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 16 Jun 2020 17:19:40 +0100 +Subject: [PATCH 035/147] Add an SSL_dup test + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12245) +--- + test/sslapitest.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 72 insertions(+) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 62d22e8..5220722 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -6578,6 +6578,75 @@ static int test_servername(int tst) + return testresult; + } + ++#ifndef OPENSSL_NO_TLS1_2 ++static int test_ssl_dup(void) ++{ ++ SSL_CTX *cctx = NULL, *sctx = NULL; ++ SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL; ++ int testresult = 0; ++ BIO *rbio = NULL, *wbio = NULL; ++ ++ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), ++ TLS_client_method(), ++ 0, ++ 0, ++ &sctx, &cctx, cert, privkey))) ++ goto end; ++ ++ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, ++ NULL, NULL))) ++ goto end; ++ ++ if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)) ++ || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION))) ++ goto end; ++ ++ client2ssl = SSL_dup(clientssl); ++ rbio = SSL_get_rbio(clientssl); ++ if (!TEST_ptr(rbio) ++ || !TEST_true(BIO_up_ref(rbio))) ++ goto end; ++ SSL_set0_rbio(client2ssl, rbio); ++ rbio = NULL; ++ ++ wbio = SSL_get_wbio(clientssl); ++ if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio))) ++ goto end; ++ SSL_set0_wbio(client2ssl, wbio); ++ rbio = NULL; ++ ++ if (!TEST_ptr(client2ssl) ++ /* Handshake not started so pointers should be different */ ++ || !TEST_ptr_ne(clientssl, client2ssl)) ++ goto end; ++ ++ if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION) ++ || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION)) ++ goto end; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE))) ++ goto end; ++ ++ SSL_free(clientssl); ++ clientssl = SSL_dup(client2ssl); ++ if (!TEST_ptr(clientssl) ++ /* Handshake has finished so pointers should be the same */ ++ || !TEST_ptr_eq(clientssl, client2ssl)) ++ goto end; ++ ++ testresult = 1; ++ ++ end: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_free(client2ssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ ++ return testresult; ++} ++#endif ++ + int setup_tests(void) + { + if (!TEST_ptr(certsdir = test_get_argument(0)) +@@ -6698,6 +6767,9 @@ int setup_tests(void) + ADD_ALL_TESTS(test_client_cert_cb, 2); + ADD_ALL_TESTS(test_ca_names, 3); + ADD_ALL_TESTS(test_servername, 10); ++#ifndef OPENSSL_NO_TLS1_2 ++ ADD_TEST(test_ssl_dup); ++#endif + return 1; + } + +-- +1.8.3.1 + diff --git a/Add-test-for-CVE-2020-1967.patch b/Add-test-for-CVE-2020-1967.patch new file mode 100644 index 0000000000000000000000000000000000000000..8bdd9232601e049c149e03a1958c5962cca271e3 --- /dev/null +++ b/Add-test-for-CVE-2020-1967.patch @@ -0,0 +1,118 @@ +From 64eef86733fd40a5b7737dc586754c3fa3414b0c Mon Sep 17 00:00:00 2001 +From: Benjamin Kaduk +Date: Fri, 10 Apr 2020 12:27:28 -0700 +Subject: [PATCH 025/217] Add test for CVE-2020-1967 + +Add to test_sslsigalgs a TLSProxy test that injects a +"signature_algorithms_cert" extension that contains an unallocated +codepoint. + +The test currently fails, since s_server segfaults instead of +ignoring the unrecognized value. + +Since "signature_algorithms" and "signature_algorithms_cert" are very +similar, also add the analogous test for "signature_algorithms". + +Reviewed-by: Matt Caswell +--- + test/recipes/70-test_sslsigalgs.t | 66 +++++++++++++++++++++++++++++++++++++-- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t +index b3339ff..9ea9d05 100644 +--- a/test/recipes/70-test_sslsigalgs.t ++++ b/test/recipes/70-test_sslsigalgs.t +@@ -44,7 +44,9 @@ use constant { + COMPAT_SIGALGS => 6, + SIGALGS_CERT_ALL => 7, + SIGALGS_CERT_PKCS => 8, +- SIGALGS_CERT_INVALID => 9 ++ SIGALGS_CERT_INVALID => 9, ++ UNRECOGNIZED_SIGALGS_CERT => 10, ++ UNRECOGNIZED_SIGALG => 11 + }; + + #Note: Throughout this test we override the default ciphersuites where TLSv1.2 +@@ -53,7 +55,7 @@ use constant { + + #Test 1: Default sig algs should succeed + $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +-plan tests => 24; ++plan tests => 26; + ok(TLSProxy::Message->success, "Default sigalgs"); + my $testtype; + +@@ -282,6 +284,39 @@ SKIP: { + ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert"); + } + ++SKIP: { ++ skip "TLS 1.3 disabled", 2 if disabled("tls1_3"); ++ #Test 25: Send an unrecognized signature_algorithms_cert ++ # We should be able to skip over the unrecognized value and use a ++ # valid one that appears later in the list. ++ $proxy->clear(); ++ $proxy->filter(\&inject_unrecognized_sigalg); ++ $proxy->clientflags("-tls1_3"); ++ # Use -xcert to get SSL_check_chain() to run in the cert_cb. This is ++ # needed to trigger (e.g.) CVE-2020-1967 ++ $proxy->serverflags("" . ++ " -xcert " . srctop_file("test", "certs", "servercert.pem") . ++ " -xkey " . srctop_file("test", "certs", "serverkey.pem") . ++ " -xchain " . srctop_file("test", "certs", "rootcert.pem")); ++ $testtype = UNRECOGNIZED_SIGALGS_CERT; ++ $proxy->start(); ++ ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello"); ++ ++ #Test 26: Send an unrecognized signature_algorithms ++ # We should be able to skip over the unrecognized value and use a ++ # valid one that appears later in the list. ++ $proxy->clear(); ++ $proxy->filter(\&inject_unrecognized_sigalg); ++ $proxy->clientflags("-tls1_3"); ++ $proxy->serverflags("" . ++ " -xcert " . srctop_file("test", "certs", "servercert.pem") . ++ " -xkey " . srctop_file("test", "certs", "serverkey.pem") . ++ " -xchain " . srctop_file("test", "certs", "rootcert.pem")); ++ $testtype = UNRECOGNIZED_SIGALG; ++ $proxy->start(); ++ ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello"); ++} ++ + + + sub sigalgs_filter +@@ -427,3 +462,30 @@ sub modify_cert_verify_sigalg + } + } + } ++ ++sub inject_unrecognized_sigalg ++{ ++ my $proxy = shift; ++ my $type; ++ ++ # We're only interested in the initial ClientHello ++ if ($proxy->flight != 0) { ++ return; ++ } ++ if ($testtype == UNRECOGNIZED_SIGALGS_CERT) { ++ $type = TLSProxy::Message::EXT_SIG_ALGS_CERT; ++ } elsif ($testtype == UNRECOGNIZED_SIGALG) { ++ $type = TLSProxy::Message::EXT_SIG_ALGS; ++ } else { ++ return; ++ } ++ ++ my $ext = pack "C8", ++ 0x00, 0x06, #Extension length ++ 0xfe, 0x18, #private use ++ 0x04, 0x01, #rsa_pkcs1_sha256 ++ 0x08, 0x04; #rsa_pss_rsae_sha256; ++ my $message = ${$proxy->message_list}[0]; ++ $message->set_extension($type, $ext); ++ $message->repack; ++} +-- +1.8.3.1 + diff --git a/Allow-NULL-arg-to-OSSL_STORE_close.patch b/Allow-NULL-arg-to-OSSL_STORE_close.patch new file mode 100644 index 0000000000000000000000000000000000000000..b11b7c9bd516807cb74757c9f7cf02077a10bbb0 --- /dev/null +++ b/Allow-NULL-arg-to-OSSL_STORE_close.patch @@ -0,0 +1,44 @@ +From 767b86ee52227b1c8e5c783b9c3850fa65338058 Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Fri, 22 May 2020 14:56:06 +0200 +Subject: [PATCH 066/217] Allow NULL arg to OSSL_STORE_close() + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11912) +--- + crypto/store/store_lib.c | 6 +++++- + doc/man3/OSSL_STORE_open.pod | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c +index fb8184d..637466c 100644 +--- a/crypto/store/store_lib.c ++++ b/crypto/store/store_lib.c +@@ -218,7 +218,11 @@ int OSSL_STORE_eof(OSSL_STORE_CTX *ctx) + + int OSSL_STORE_close(OSSL_STORE_CTX *ctx) + { +- int loader_ret = ctx->loader->close(ctx->loader_ctx); ++ int loader_ret; ++ ++ if (ctx == NULL) ++ return 1; ++ loader_ret = ctx->loader->close(ctx->loader_ctx); + + OPENSSL_free(ctx); + return loader_ret; +diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod +index 1e8ebf7..309390e 100644 +--- a/doc/man3/OSSL_STORE_open.pod ++++ b/doc/man3/OSSL_STORE_open.pod +@@ -94,6 +94,7 @@ OSSL_STORE_eof() shows that the end of data has been reached. + OSSL_STORE_close() takes a B, closes the channel that was opened + by OSSL_STORE_open() and frees all other information that was stored in the + B, as well as the B itself. ++If B is NULL it does nothing. + + =head1 SUPPORTED SCHEMES + +-- +1.8.3.1 + diff --git a/Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch b/Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch new file mode 100644 index 0000000000000000000000000000000000000000..250945ead04e3978eaf7158947d3ac98f897d1e7 --- /dev/null +++ b/Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch @@ -0,0 +1,219 @@ +From c6c9f886ae118fffb0591ea0b5c3e4770b176552 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Thu, 16 Jul 2020 23:30:43 -0200 +Subject: [PATCH 054/147] Avoid errors with a priori inapplicable protocol + bounds + +The 'MinProtocol' and 'MaxProtocol' configuration commands now silently +ignore TLS protocol version bounds when configurign DTLS-based contexts, +and conversely, silently ignore DTLS protocol version bounds when +configuring TLS-based contexts. The commands can be repeated to set +bounds of both types. The same applies with the corresponding +"min_protocol" and "max_protocol" command-line switches, in case some +application uses both TLS and DTLS. + +SSL_CTX instances that are created for a fixed protocol version (e.g. +TLSv1_server_method()) also silently ignore version bounds. Previously +attempts to apply bounds to these protocol versions would result in an +error. Now only the "version-flexible" SSL_CTX instances are subject to +limits in configuration files in command-line options. + +Expected to resolve #12394 + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell + +GH: #12507 +--- + doc/man3/SSL_CONF_cmd.pod | 29 ++++++++++++++++++++--------- + doc/man5/config.pod | 15 +++++++++------ + ssl/ssl_conf.c | 7 +++++++ + ssl/statem/statem_lib.c | 34 +++++++++++++++++++--------------- + 4 files changed, 55 insertions(+), 30 deletions(-) + +diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod +index 7f2449e..c5fed8e 100644 +--- a/doc/man3/SSL_CONF_cmd.pod ++++ b/doc/man3/SSL_CONF_cmd.pod +@@ -147,13 +147,16 @@ B. + =item B<-min_protocol>, B<-max_protocol> + + Sets the minimum and maximum supported protocol. +-Currently supported protocol values are B, B, +-B, B, B for TLS and B, B for DTLS, +-and B for no limit. +-If either bound is not specified then only the other bound applies, +-if specified. +-To restrict the supported protocol versions use these commands rather +-than the deprecated alternative commands below. ++Currently supported protocol values are B, B, B, ++B, B for TLS; B, B for DTLS, and B ++for no limit. ++If either the lower or upper bound is not specified then only the other bound ++applies, if specified. ++If your application supports both TLS and DTLS you can specify any of these ++options twice, once with a bound for TLS and again with an appropriate bound ++for DTLS. ++To restrict the supported protocol versions use these commands rather than the ++deprecated alternative commands below. + + =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> + +@@ -370,7 +373,11 @@ This sets the minimum supported SSL, TLS or DTLS version. + + Currently supported protocol values are B, B, B, + B, B, B and B. +-The value B will disable the limit. ++The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds ++apply only to DTLS-based contexts. ++The command can be repeated with one instance setting a TLS bound, and the ++other setting a DTLS bound. ++The value B applies to both types of contexts and disables the limits. + + =item B + +@@ -378,7 +385,11 @@ This sets the maximum supported SSL, TLS or DTLS version. + + Currently supported protocol values are B, B, B, + B, B, B and B. +-The value B will disable the limit. ++The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds ++apply only to DTLS-based contexts. ++The command can be repeated with one instance setting a TLS bound, and the ++other setting a DTLS bound. ++The value B applies to both types of contexts and disables the limits. + + =item B + +diff --git a/doc/man5/config.pod b/doc/man5/config.pod +index 7b50b09..7a0459d 100644 +--- a/doc/man5/config.pod ++++ b/doc/man5/config.pod +@@ -262,13 +262,11 @@ Example of a configuration with the system default: + ssl_conf = ssl_sect + + [ssl_sect] +- + system_default = system_default_sect + + [system_default_sect] +- + MinProtocol = TLSv1.2 +- ++ MinProtocol = DTLSv1.2 + + =head1 NOTES + +@@ -355,8 +353,8 @@ Simple OpenSSL library configuration example to enter FIPS mode: + Note: in the above example you will get an error in non FIPS capable versions + of OpenSSL. + +-Simple OpenSSL library configuration to make TLS 1.3 the system-default +-minimum TLS version: ++Simple OpenSSL library configuration to make TLS 1.2 and DTLS 1.2 the ++system-default minimum TLS and DTLS versions, respectively: + + # Toplevel section for openssl (including libssl) + openssl_conf = default_conf_section +@@ -369,7 +367,12 @@ minimum TLS version: + system_default = system_default_section + + [system_default_section] +- MinProtocol = TLSv1.3 ++ MinProtocol = TLSv1.2 ++ MinProtocol = DTLSv1.2 ++ ++The minimum TLS protocol is applied to B objects that are TLS-based, ++and the minimum DTLS protocol to those are DTLS-based. ++The same applies also to maximum versions set with B. + + More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: + +diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c +index 8ef29bb..3890d16 100644 +--- a/ssl/ssl_conf.c ++++ b/ssl/ssl_conf.c +@@ -305,6 +305,13 @@ static int protocol_from_string(const char *value) + const char *name; + int version; + }; ++ /* ++ * Note: To avoid breaking previously valid configurations, we must retain ++ * legacy entries in this table even if the underlying protocol is no ++ * longer supported. This also means that the constants SSL3_VERSION, ... ++ * need to be retained indefinitely. This table can only grow, never ++ * shrink. ++ */ + static const struct protocol_versions versions[] = { + {"None", 0}, + {"SSLv3", SSL3_VERSION}, +diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c +index 43d6fd5..0c5ba28 100644 +--- a/ssl/statem/statem_lib.c ++++ b/ssl/statem/statem_lib.c +@@ -1656,11 +1656,22 @@ int ssl_check_version_downgrade(SSL *s) + */ + int ssl_set_version_bound(int method_version, int version, int *bound) + { ++ int valid_tls; ++ int valid_dtls; ++ + if (version == 0) { + *bound = version; + return 1; + } + ++ valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION; ++ valid_dtls = ++ DTLS_VERSION_LE(version, DTLS_MAX_VERSION) && ++ DTLS_VERSION_GE(version, DTLS1_BAD_VER); ++ ++ if (!valid_tls && !valid_dtls) ++ return 0; ++ + /*- + * Restrict TLS methods to TLS protocol versions. + * Restrict DTLS methods to DTLS protocol versions. +@@ -1671,31 +1682,24 @@ int ssl_set_version_bound(int method_version, int version, int *bound) + * configurations. If the MIN (supported) version ever rises, the user's + * "floor" remains valid even if no longer available. We don't expect the + * MAX ceiling to ever get lower, so making that variable makes sense. ++ * ++ * We ignore attempts to set bounds on version-inflexible methods, ++ * returning success. + */ + switch (method_version) { + default: +- /* +- * XXX For fixed version methods, should we always fail and not set any +- * bounds, always succeed and not set any bounds, or set the bounds and +- * arrange to fail later if they are not met? At present fixed-version +- * methods are not subject to controls that disable individual protocol +- * versions. +- */ +- return 0; ++ break; + + case TLS_ANY_VERSION: +- if (version < SSL3_VERSION || version > TLS_MAX_VERSION) +- return 0; ++ if (valid_tls) ++ *bound = version; + break; + + case DTLS_ANY_VERSION: +- if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) || +- DTLS_VERSION_LT(version, DTLS1_BAD_VER)) +- return 0; ++ if (valid_dtls) ++ *bound = version; + break; + } +- +- *bound = version; + return 1; + } + +-- +1.8.3.1 + diff --git a/Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch b/Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch new file mode 100644 index 0000000000000000000000000000000000000000..06caf68c0a91246d8bb1c689c544ec2825ed9864 --- /dev/null +++ b/Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch @@ -0,0 +1,38 @@ +From 7455f247e6f9d621fa79ae3af1588df23078fb11 Mon Sep 17 00:00:00 2001 +From: Benny Baumann +Date: Fri, 2 Oct 2020 01:06:12 +0200 +Subject: [PATCH 079/147] Avoid memory leak of parent on allocation failure for + child structure + +Reviewed-by: Ben Kaduk +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Richard Levitte +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/13055) + +(cherry picked from commit a21db568bf3d0ab4194fd3e0917ee982f1fc8bfd) +--- + apps/cms.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/apps/cms.c b/apps/cms.c +index 15edd67..60691f1 100644 +--- a/apps/cms.c ++++ b/apps/cms.c +@@ -545,9 +545,11 @@ int cms_main(int argc, char **argv) + if (key_param == NULL || key_param->idx != keyidx) { + cms_key_param *nparam; + nparam = app_malloc(sizeof(*nparam), "key param buffer"); +- nparam->idx = keyidx; +- if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) ++ if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) { ++ OPENSSL_free(nparam); + goto end; ++ } ++ nparam->idx = keyidx; + nparam->next = NULL; + if (key_first == NULL) + key_first = nparam; +-- +1.8.3.1 + diff --git a/Avoid-potential-doublefree-on-dh-object-assigned-to-.patch b/Avoid-potential-doublefree-on-dh-object-assigned-to-.patch new file mode 100644 index 0000000000000000000000000000000000000000..a1cc4663283f8eba677533c52266438480e56d16 --- /dev/null +++ b/Avoid-potential-doublefree-on-dh-object-assigned-to-.patch @@ -0,0 +1,29 @@ +From 7b324bb09f6313b370954fde8f2034a6055d8c2f Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 20 Oct 2020 14:16:30 +0200 +Subject: [PATCH 085/147] Avoid potential doublefree on dh object assigned to + EVP_PKEY + +Fixes regression from 7844f3c784bfc93c9b94ae5a4082f9d01e82e0af + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/13194) +--- + ssl/statem/statem_clnt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c +index 3bf8aac..fd3b79c 100644 +--- a/ssl/statem/statem_clnt.c ++++ b/ssl/statem/statem_clnt.c +@@ -2150,6 +2150,7 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) + ERR_R_EVP_LIB); + goto err; + } ++ dh = NULL; + + if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp), + 0, peer_tmp)) { +-- +1.8.3.1 + diff --git a/Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch b/Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc40bd12fd9147a67674aa50c8f7e4cb9aa9982e --- /dev/null +++ b/Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch @@ -0,0 +1,33 @@ +From 5156ecbe691c964ae528c74f94d5b515aeb25542 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 19 May 2020 10:51:53 +0200 +Subject: [PATCH 060/217] Avoid potential overflow to the sign bit when + shifting left 24 places + +Although there are platforms where int is 64 bit, 2GiB large BIGNUMs +instead of 4GiB should be "big enough for everybody". + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/11857) + +(cherry picked from commit 1d05eb55caa8965a151360c2469c463ecd990987) +--- + crypto/bn/bn_mpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/bn/bn_mpi.c b/crypto/bn/bn_mpi.c +index bdbe822..b6e35a8 100644 +--- a/crypto/bn/bn_mpi.c ++++ b/crypto/bn/bn_mpi.c +@@ -45,7 +45,7 @@ BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *ain) + int neg = 0; + BIGNUM *a = NULL; + +- if (n < 4) { ++ if (n < 4 || (d[0] & 0x80) != 0) { + BNerr(BN_F_BN_MPI2BN, BN_R_INVALID_LENGTH); + return NULL; + } +-- +1.8.3.1 + diff --git a/Avoid-segfault-in-SSL_export_keying_material-if-ther.patch b/Avoid-segfault-in-SSL_export_keying_material-if-ther.patch new file mode 100644 index 0000000000000000000000000000000000000000..704261b0460160bfaa996fda83a969245b096f0d --- /dev/null +++ b/Avoid-segfault-in-SSL_export_keying_material-if-ther.patch @@ -0,0 +1,33 @@ +From 925a9d0a8168bfd0b532bc6600ba3e7ab47a7592 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 6 Aug 2020 11:20:43 +0200 +Subject: [PATCH 060/147] Avoid segfault in SSL_export_keying_material if there + is no session + +Fixes #12588 + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/12594) + +(cherry picked from commit dffeec1c10a874d7c7b83c221dbbce82f755edb1) +--- + ssl/ssl_lib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 433a537..b1df374 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2897,7 +2897,8 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, + const unsigned char *context, size_t contextlen, + int use_context) + { +- if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER) ++ if (s->session == NULL ++ || (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)) + return -1; + + return s->method->ssl3_enc->export_keying_material(s, out, olen, label, +-- +1.8.3.1 + diff --git a/BIO_do_accept-correct-error-return-value.patch b/BIO_do_accept-correct-error-return-value.patch new file mode 100644 index 0000000000000000000000000000000000000000..5e8a30f5a4a510627d955e9a237fe750d31e2bfd --- /dev/null +++ b/BIO_do_accept-correct-error-return-value.patch @@ -0,0 +1,54 @@ +From 5f62ff49a9fdc9079aa6e9aefaf2cee51d2f4455 Mon Sep 17 00:00:00 2001 +From: scott +Date: Thu, 9 Apr 2020 12:36:37 +0100 +Subject: [PATCH 018/217] BIO_do_accept: correct error return value + +`BIO_do_accept` was returning incorrect values when unable to bind to a port. + +Fixes #7717 +CLA: trivial + +Reviewed-by: Viktor Dukhovni +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11505) + +(cherry picked from commit 0437435a960123be1ced766d18d715f939698345) +--- + crypto/bio/bss_acpt.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c +index b38e47a..5a2cb50 100644 +--- a/crypto/bio/bss_acpt.c ++++ b/crypto/bio/bss_acpt.c +@@ -222,10 +222,10 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c) + break; + + case ACPT_S_CREATE_SOCKET: +- ret = BIO_socket(BIO_ADDRINFO_family(c->addr_iter), +- BIO_ADDRINFO_socktype(c->addr_iter), +- BIO_ADDRINFO_protocol(c->addr_iter), 0); +- if (ret == (int)INVALID_SOCKET) { ++ s = BIO_socket(BIO_ADDRINFO_family(c->addr_iter), ++ BIO_ADDRINFO_socktype(c->addr_iter), ++ BIO_ADDRINFO_protocol(c->addr_iter), 0); ++ if (s == (int)INVALID_SOCKET) { + SYSerr(SYS_F_SOCKET, get_last_socket_error()); + ERR_add_error_data(4, + "hostname=", c->param_addr, +@@ -233,9 +233,10 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c) + BIOerr(BIO_F_ACPT_STATE, BIO_R_UNABLE_TO_CREATE_SOCKET); + goto exit_loop; + } +- c->accept_sock = ret; +- b->num = ret; ++ c->accept_sock = s; ++ b->num = s; + c->state = ACPT_S_LISTEN; ++ s = -1; + break; + + case ACPT_S_LISTEN: +-- +1.8.3.1 + diff --git a/BN-harden-BN_copy-against-leaks-from-memory-accesses.patch b/BN-harden-BN_copy-against-leaks-from-memory-accesses.patch new file mode 100644 index 0000000000000000000000000000000000000000..68268e549560d6eedf9ec19c58426b380aa9f286 --- /dev/null +++ b/BN-harden-BN_copy-against-leaks-from-memory-accesses.patch @@ -0,0 +1,58 @@ +From 3655e35b78df095b367b3334b6515f6d9436fd95 Mon Sep 17 00:00:00 2001 +From: Nicola Tuveri +Date: Tue, 21 Jan 2020 17:08:16 +0200 +Subject: [PATCH 033/217] [BN] harden `BN_copy()` against leaks from memory + accesses + +`BN_copy()` (and indirectly `BN_dup()`) do not propagate the +`BN_FLG_CONSTTIME` flag: the propagation has been turned on and off a +few times in the past years, because in some conditions it has shown +unintended consequences in some code paths. + +Without turning the propagation on once more, we can still improve +`BN_copy()` by avoiding to leak `src->top` in case `src` is flagged with +`BN_FLG_CONSTTIME`. +In this case we can instead use `src->dmax` as the number of words +allocated for `dst` and for the `memcpy` operation. + +Barring compiler or runtime optimizations, if the caller provides `src` +flagged as const time and preallocated to a public size, no leak should +happen due to the copy operation. + +(cherry picked from commit 2d9167ed0b588dacbdd0303fb6041ffe1d8b3a92) + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11127) +--- + crypto/bn/bn_lib.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c +index 86d4956..759d4c7 100644 +--- a/crypto/bn/bn_lib.c ++++ b/crypto/bn/bn_lib.c +@@ -322,15 +322,19 @@ BIGNUM *BN_dup(const BIGNUM *a) + + BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b) + { ++ int bn_words; ++ + bn_check_top(b); + ++ bn_words = BN_get_flags(b, BN_FLG_CONSTTIME) ? b->dmax : b->top; ++ + if (a == b) + return a; +- if (bn_wexpand(a, b->top) == NULL) ++ if (bn_wexpand(a, bn_words) == NULL) + return NULL; + + if (b->top > 0) +- memcpy(a->d, b->d, sizeof(b->d[0]) * b->top); ++ memcpy(a->d, b->d, sizeof(b->d[0]) * bn_words); + + a->neg = b->neg; + a->top = b->top; +-- +1.8.3.1 + diff --git a/CMS_get0_signers-description.patch b/CMS_get0_signers-description.patch new file mode 100644 index 0000000000000000000000000000000000000000..07eacd7415b70e53e8464a6cbf25ddc6669f0fc1 --- /dev/null +++ b/CMS_get0_signers-description.patch @@ -0,0 +1,32 @@ +From 4151e303a488c53613f7b8c6eae4372759d7fa35 Mon Sep 17 00:00:00 2001 +From: olszomal +Date: Fri, 12 Jun 2020 12:09:02 +0200 +Subject: [PATCH 021/147] CMS_get0_signers() description + +CLA: trivial + +Reviewed-by: Shane Lontis +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12055) + +(cherry picked from commit 9ac916c7529a21cd01d1b539362abf8402719e30) +--- + doc/man3/CMS_verify.pod | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod +index be68868..b6650fd 100644 +--- a/doc/man3/CMS_verify.pod ++++ b/doc/man3/CMS_verify.pod +@@ -24,7 +24,7 @@ present in B. The content is written to B if it is not NULL. + B is an optional set of flags, which can be used to modify the verify + operation. + +-CMS_get0_signers() retrieves the signing certificate(s) from B, it must ++CMS_get0_signers() retrieves the signing certificate(s) from B, it may only + be called after a successful CMS_verify() operation. + + =head1 VERIFY PROCESS +-- +1.8.3.1 + diff --git a/Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch b/Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch new file mode 100644 index 0000000000000000000000000000000000000000..038c56d82f4b8128655edf5ddea6a19949af2adb --- /dev/null +++ b/Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch @@ -0,0 +1,42 @@ +From e11072908742e96a1067bb1b9609bfc27ab05835 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 19 May 2020 10:51:19 +0200 +Subject: [PATCH 059/217] Cast the unsigned char to unsigned int before + shifting left + +This is needed to avoid automatic promotion to signed int. + +Fixes #11853 + +[extended tests] + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/11857) + +(cherry picked from commit cbeb0bfa961412eebfbdf1e72900f05527e81e15) +--- + crypto/pem/pvkfmt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c +index 46ed2ec..e6156df 100644 +--- a/crypto/pem/pvkfmt.c ++++ b/crypto/pem/pvkfmt.c +@@ -29,10 +29,10 @@ static unsigned int read_ledword(const unsigned char **in) + { + const unsigned char *p = *in; + unsigned int ret; +- ret = *p++; +- ret |= (*p++ << 8); +- ret |= (*p++ << 16); +- ret |= (*p++ << 24); ++ ret = (unsigned int)*p++; ++ ret |= (unsigned int)*p++ << 8; ++ ret |= (unsigned int)*p++ << 16; ++ ret |= (unsigned int)*p++ << 24; + *in = p; + return ret; + } +-- +1.8.3.1 + diff --git a/Correct-alignment-calculation-in-ssl3_setup_write.patch b/Correct-alignment-calculation-in-ssl3_setup_write.patch new file mode 100644 index 0000000000000000000000000000000000000000..21cec9ebe986527e480ebb5e69424568079d5c5b --- /dev/null +++ b/Correct-alignment-calculation-in-ssl3_setup_write.patch @@ -0,0 +1,46 @@ +From df943912046aee2e5e541949dbdbafa38819f195 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 8 May 2020 11:12:10 +0100 +Subject: [PATCH 050/217] Correct alignment calculation in ssl3_setup_write + +The alignment calculation in ssl3_setup_write incorrectly results in an +alignment allowance of +(-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1) bytes. This equals 3 +in almost all cases. The maximum alignment actually used in do_ssl3_write +is (SSL3_ALIGN_PAYLOAD - 1). This equals 7 bytes in almost all cases. So +there is a potential to overrun the buffer by up to 4 bytes. + +Fortunately, the encryption overhead allowed for is 80 bytes which +consists of 16 bytes for the cipher block size and 64 bytes for the MAC +output. However the biggest MAC that we ever produce is HMAC-384 which is +48 bytes - so we have a headroom of 16 bytes (i.e. more than the 4 bytes +of potential overrun). + +Thanks to Nagesh Hegde for reporting this. + +Fixes #11766 + +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/11768) + +(cherry picked from commit d30ef639647ad263d09740c931a5bfb5a8b6a5f6) +--- + ssl/record/ssl3_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c +index 605f8f9..56c0d78 100644 +--- a/ssl/record/ssl3_buffer.c ++++ b/ssl/record/ssl3_buffer.c +@@ -94,7 +94,7 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) + headerlen = SSL3_RT_HEADER_LENGTH; + + #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 +- align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); ++ align = SSL3_ALIGN_PAYLOAD - 1; + #endif + + len = ssl_get_max_send_fragment(s) +-- +1.8.3.1 + diff --git a/Correctly-handle-the-return-value-from-EVP_Cipher-in.patch b/Correctly-handle-the-return-value-from-EVP_Cipher-in.patch new file mode 100644 index 0000000000000000000000000000000000000000..e06fb766dce7bca02df3a1c39d3b00f6ea7b1593 --- /dev/null +++ b/Correctly-handle-the-return-value-from-EVP_Cipher-in.patch @@ -0,0 +1,50 @@ +From ce7bd71a428b0907958beb6dfa71681e751b33d1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 27 May 2020 11:38:39 +0100 +Subject: [PATCH 024/147] Correctly handle the return value from EVP_Cipher() + in the CMAC code + +EVP_Cipher() is a very low level routine that directly calls the +underlying cipher function. It's return value semantics are very odd. +Depending on the type of cipher 0 or -1 is returned on error. We should +just check for <=0 for a failure. + +Fixes #11957 + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12107) +--- + crypto/cmac/cmac.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c +index dbcc436..1a76486 100644 +--- a/crypto/cmac/cmac.c ++++ b/crypto/cmac/cmac.c +@@ -135,7 +135,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, + if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv)) + return 0; + bl = EVP_CIPHER_CTX_block_size(ctx->cctx); +- if (!EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl)) ++ if (EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl) <= 0) + return 0; + make_kn(ctx->k1, ctx->tbl, bl); + make_kn(ctx->k2, ctx->k1, bl); +@@ -173,12 +173,12 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) + return 1; + data += nleft; + /* Else not final block so encrypt it */ +- if (!EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl)) ++ if (EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl) <= 0) + return 0; + } + /* Encrypt all but one of the complete blocks left */ + while (dlen > bl) { +- if (!EVP_Cipher(ctx->cctx, ctx->tbl, data, bl)) ++ if (EVP_Cipher(ctx->cctx, ctx->tbl, data, bl) <= 0) + return 0; + dlen -= bl; + data += bl; +-- +1.8.3.1 + diff --git a/Coverity-Fixes.patch b/Coverity-Fixes.patch new file mode 100644 index 0000000000000000000000000000000000000000..14ae810584e6e67e15ae50b19c6ef71e9aae9b88 --- /dev/null +++ b/Coverity-Fixes.patch @@ -0,0 +1,154 @@ +From 309e73dfe067b3b774ef6f57bf665f41373a81ca Mon Sep 17 00:00:00 2001 +From: Shane Lontis +Date: Mon, 7 Sep 2020 17:44:38 +1000 +Subject: [PATCH 064/147] Coverity Fixes + +x_algor.c: Explicit null dereferenced +cms_sd.c: Resource leak +ts_rsp_sign.c Resource Leak +extensions_srvr.c: Resourse Leak +v3_alt.c: Resourse Leak +pcy_data.c: Resource Leak +cms_lib.c: Resource Leak +drbg_lib.c: Unchecked return code + +Reviewed-by: Matt Caswell +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/12531) +--- + crypto/cms/cms_lib.c | 3 ++- + crypto/cms/cms_sd.c | 4 +++- + crypto/rand/drbg_lib.c | 8 +++++--- + crypto/ts/ts_rsp_sign.c | 2 ++ + crypto/x509v3/pcy_data.c | 1 + + crypto/x509v3/v3_alt.c | 1 + + ssl/statem/extensions_srvr.c | 2 +- + 7 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c +index 57afba4..cdd794e 100644 +--- a/crypto/cms/cms_lib.c ++++ b/crypto/cms/cms_lib.c +@@ -92,12 +92,13 @@ BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont) + + default: + CMSerr(CMS_F_CMS_DATAINIT, CMS_R_UNSUPPORTED_TYPE); +- return NULL; ++ goto err; + } + + if (cmsbio) + return BIO_push(cmsbio, cont); + ++err: + if (!icont) + BIO_free(cont); + return NULL; +diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c +index 29ba4c1..6030f07 100644 +--- a/crypto/cms/cms_sd.c ++++ b/crypto/cms/cms_sd.c +@@ -897,8 +897,10 @@ int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, + ASN1_INTEGER *key = NULL; + if (keysize > 0) { + key = ASN1_INTEGER_new(); +- if (key == NULL || !ASN1_INTEGER_set(key, keysize)) ++ if (key == NULL || !ASN1_INTEGER_set(key, keysize)) { ++ ASN1_INTEGER_free(key); + return 0; ++ } + } + alg = X509_ALGOR_new(); + if (alg == NULL) { +diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c +index faf0590..73fd439 100644 +--- a/crypto/rand/drbg_lib.c ++++ b/crypto/rand/drbg_lib.c +@@ -330,7 +330,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, + drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter); + if (drbg->reseed_next_counter) { + drbg->reseed_next_counter++; +- if(!drbg->reseed_next_counter) ++ if (!drbg->reseed_next_counter) + drbg->reseed_next_counter = 1; + } + +@@ -432,7 +432,7 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg, + drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter); + if (drbg->reseed_next_counter) { + drbg->reseed_next_counter++; +- if(!drbg->reseed_next_counter) ++ if (!drbg->reseed_next_counter) + drbg->reseed_next_counter = 1; + } + +@@ -554,7 +554,9 @@ int rand_drbg_restart(RAND_DRBG *drbg, + drbg->meth->reseed(drbg, adin, adinlen, NULL, 0); + } else if (reseeded == 0) { + /* do a full reseeding if it has not been done yet above */ +- RAND_DRBG_reseed(drbg, NULL, 0, 0); ++ if (!RAND_DRBG_reseed(drbg, NULL, 0, 0)) { ++ RANDerr(RAND_F_RAND_DRBG_RESTART, RAND_R_RESEED_ERROR); ++ } + } + } + +diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c +index 041a187..342582f 100644 +--- a/crypto/ts/ts_rsp_sign.c ++++ b/crypto/ts/ts_rsp_sign.c +@@ -57,12 +57,14 @@ static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data) + goto err; + if (!ASN1_INTEGER_set(serial, 1)) + goto err; ++ + return serial; + + err: + TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE); + TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, + "Error during serial number generation."); ++ ASN1_INTEGER_free(serial); + return NULL; + } + +diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c +index 0735059..62db3b4 100644 +--- a/crypto/x509v3/pcy_data.c ++++ b/crypto/x509v3/pcy_data.c +@@ -52,6 +52,7 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, + ret = OPENSSL_zalloc(sizeof(*ret)); + if (ret == NULL) { + X509V3err(X509V3_F_POLICY_DATA_NEW, ERR_R_MALLOC_FAILURE); ++ ASN1_OBJECT_free(id); + return NULL; + } + ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); +diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c +index 7ac2911..0bcee33 100644 +--- a/crypto/x509v3/v3_alt.c ++++ b/crypto/x509v3/v3_alt.c +@@ -275,6 +275,7 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) + num = sk_GENERAL_NAME_num(ialt); + if (!sk_GENERAL_NAME_reserve(gens, num)) { + X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE); ++ sk_GENERAL_NAME_free(ialt); + goto err; + } + +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 3b07c6b..3c7395c 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -1151,7 +1151,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + if (sesstmp == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR); +- return 0; ++ goto err; + } + SSL_SESSION_free(sess); + sess = sesstmp; +-- +1.8.3.1 + diff --git a/Do-not-allow-dropping-Extended-Master-Secret-extensi.patch b/Do-not-allow-dropping-Extended-Master-Secret-extensi.patch new file mode 100644 index 0000000000000000000000000000000000000000..30c366e875c49d32ac4db0f62269020c51cc1af9 --- /dev/null +++ b/Do-not-allow-dropping-Extended-Master-Secret-extensi.patch @@ -0,0 +1,67 @@ +From 4b7097025305b219694dd8b04f84155cd12fb71d Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 4 Jun 2020 11:40:29 +0200 +Subject: [PATCH 018/147] Do not allow dropping Extended Master Secret + extension on renegotiaton + +Abort renegotiation if server receives client hello with Extended Master +Secret extension dropped in comparison to the initial session. + +Fixes #9754 + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/12099) +--- + include/openssl/ssl3.h | 3 +++ + ssl/statem/extensions.c | 14 +++++++++++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h +index 8d01fcc..407db0b 100644 +--- a/include/openssl/ssl3.h ++++ b/include/openssl/ssl3.h +@@ -292,6 +292,9 @@ extern "C" { + + # define TLS1_FLAGS_STATELESS 0x0800 + ++/* Set if extended master secret extension required on renegotiation */ ++# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000 ++ + # define SSL3_MT_HELLO_REQUEST 0 + # define SSL3_MT_CLIENT_HELLO 1 + # define SSL3_MT_SERVER_HELLO 2 +diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c +index 4ef8b41..c785ab7 100644 +--- a/ssl/statem/extensions.c ++++ b/ssl/statem/extensions.c +@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int context) + + static int init_ems(SSL *s, unsigned int context) + { +- if (!s->server) ++ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { + s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; ++ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS; ++ } + + return 1; + } + + static int final_ems(SSL *s, unsigned int context, int sent) + { ++ /* ++ * Check extended master secret extension is not dropped on ++ * renegotiation. ++ */ ++ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) ++ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, ++ SSL_R_INCONSISTENT_EXTMS); ++ return 0; ++ } + if (!s->server && s->hit) { + /* + * Check extended master secret extension is consistent with +-- +1.8.3.1 + diff --git a/Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch b/Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch new file mode 100644 index 0000000000000000000000000000000000000000..f301f30cfb6fedda9eaa0e8d63cdf5031238ae90 --- /dev/null +++ b/Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch @@ -0,0 +1,59 @@ +From 4864a232ee7f901388532f65911866ca2478cfa9 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 16 Jun 2020 17:40:40 +0100 +Subject: [PATCH 034/147] Don't attempt to duplicate the BIO state in SSL_dup + +SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs +configured for it. This did not work. + +Firstly the SSL_dup code was passing a BIO ** as the destination +argument for BIO_dup_state. However BIO_dup_state expects a BIO * for that +parameter. Any attempt to use this will either (1) fail silently, (2) crash +or fail in some other strange way. + +Secondly many BIOs do not implement the BIO_CTRL_DUP ctrl required to make +this work. + +Thirdly, if rbio == wbio in the original SSL object, then an attempt is made +to up-ref the BIO in the new SSL object - even though it hasn't been set +yet and is NULL. This results in a crash. + +This appears to have been broken for a very long time with at least some of +the problems described above coming from SSLeay. The simplest approach is +to just remove this capability from the function. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12245) +--- + ssl/ssl_lib.c | 15 --------------- + 1 files changed, 15 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 1d96eb4..f6a4964 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3841,21 +3841,6 @@ SSL *SSL_dup(SSL *s) + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) + goto err; + +- /* setup rbio, and wbio */ +- if (s->rbio != NULL) { +- if (!BIO_dup_state(s->rbio, (char *)&ret->rbio)) +- goto err; +- } +- if (s->wbio != NULL) { +- if (s->wbio != s->rbio) { +- if (!BIO_dup_state(s->wbio, (char *)&ret->wbio)) +- goto err; +- } else { +- BIO_up_ref(ret->rbio); +- ret->wbio = ret->rbio; +- } +- } +- + ret->server = s->server; + if (s->handshake_func) { + if (s->server) +-- +1.8.3.1 + diff --git a/EC-Constify-internal-EC_KEY-pointer-usage.patch b/EC-Constify-internal-EC_KEY-pointer-usage.patch new file mode 100644 index 0000000000000000000000000000000000000000..830c858e7e5d91b72fb863db3d7cad140a5d4840 --- /dev/null +++ b/EC-Constify-internal-EC_KEY-pointer-usage.patch @@ -0,0 +1,78 @@ +From cd45a57aafddb908eb3a56e118b4c01899765d18 Mon Sep 17 00:00:00 2001 +From: Nicola Tuveri +Date: Tue, 7 Jan 2020 01:19:13 +0200 +Subject: [PATCH 031/217] [EC] Constify internal EC_KEY pointer usage + +A pair of internal functions related to EC_KEY handling could benefit +from declaring `EC_KEY *` variables as `const`, providing clarity for +callers and readers of the code, in addition to enlisting the compiler +in preventing some mistakes. + +(cherry picked from commit cd701de96a147260c2290d85af8a0656120a8ff8) + +In master `id2_ECParameters` and most of the ASN1 public functions have +been properly constified in their signature. + +Unfortunately this has been deemed not doable in a patch release for +1.1.1 as, in subtle ways, this would break API compatibility. +See the discussion at https://github.com/openssl/openssl/pull/9347 for +more details about this. + +This constification commit should still be portable w.r.t. our criteria, +as the constification happens only on internal functions. + +The fix here is to explicitly discard the const qualifier before the +call to `i2d_ECParameters`, which should be safe anyway because we can +expect `i2d_ECParameters()` to treat the first argument as if it was +const. + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11127) +--- + crypto/ec/ec_ameth.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c +index 2210383..b7b82e5 100644 +--- a/crypto/ec/ec_ameth.c ++++ b/crypto/ec/ec_ameth.c +@@ -23,7 +23,7 @@ static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); + static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); + #endif + +-static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) ++static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key) + { + const EC_GROUP *group; + int nid; +@@ -43,7 +43,17 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) + pstr = ASN1_STRING_new(); + if (pstr == NULL) + return 0; +- pstr->length = i2d_ECParameters(ec_key, &pstr->data); ++ ++ /* ++ * The cast in the following line is intentional as the ++ * `i2d_ECParameters` signature can't be constified (see discussion at ++ * https://github.com/openssl/openssl/pull/9347 where related and ++ * required constification backports were rejected). ++ * ++ * This cast should be safe anyway, because we can expect ++ * `i2d_ECParameters()` to treat the first argument as if it was const. ++ */ ++ pstr->length = i2d_ECParameters((EC_KEY *)ec_key, &pstr->data); + if (pstr->length <= 0) { + ASN1_STRING_free(pstr); + ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB); +@@ -57,7 +67,7 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) + + static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) + { +- EC_KEY *ec_key = pkey->pkey.ec; ++ const EC_KEY *ec_key = pkey->pkey.ec; + void *pval = NULL; + int ptype; + unsigned char *penc = NULL, *p; +-- +1.8.3.1 + diff --git a/EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch b/EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch new file mode 100644 index 0000000000000000000000000000000000000000..09e8f440b88d284e6c0b13c99fc40668ccfd5831 --- /dev/null +++ b/EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch @@ -0,0 +1,167 @@ +From 6a01f6f4b41d045e2a3abcb10163633d769db76a Mon Sep 17 00:00:00 2001 +From: Nicola Tuveri +Date: Tue, 21 Jan 2020 17:00:41 +0200 +Subject: [PATCH 032/217] [EC] harden EC_KEY against leaks from memory accesses + +We should never leak the bit length of the secret scalar in the key, +so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM` +holding the secret scalar. + +This is important also because `BN_dup()` (and `BN_copy()`) do not +propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and +this brings an extra risk of inadvertently losing the flag, even when +the called specifically set it. + +The propagation has been turned on and off a few times in the past +years because in some conditions has shown unintended consequences in +some code paths, so at the moment we can't fix this in the BN layer. + +In `EC_KEY_set_private_key()` we can work around the propagation by +manually setting the flag after `BN_dup()` as we know for sure that +inside the EC module the `BN_FLG_CONSTTIME` is always treated +correctly and should not generate unintended consequences. + +Setting the `BN_FLG_CONSTTIME` flag alone is never enough, we also have +to preallocate the `BIGNUM` internal buffer to a fixed public size big +enough that operations performed during the processing never trigger +a realloc which would leak the size of the scalar through memory +accesses. + +Fixed Length +------------ + +The order of the large prime subgroup of the curve is our choice for +a fixed public size, as that is generally the upper bound for +generating a private key in EC cryptosystems and should fit all valid +secret scalars. + +For preallocating the `BIGNUM` storage we look at the number of "words" +required for the internal representation of the order, and we +preallocate 2 extra "words" in case any of the subsequent processing +might temporarily overflow the order length. + +Future work +----------- + +A separate commit addresses further hardening of `BN_copy()` (and +indirectly `BN_dup()`). + +(cherry picked from commit 0401d766afcd022748763f5614188301c9856c6e) + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11127) +--- + crypto/ec/ec_key.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 73 insertions(+), 3 deletions(-) + +diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c +index 08aaac5..90698b9 100644 +--- a/crypto/ec/ec_key.c ++++ b/crypto/ec/ec_key.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * + * Licensed under the OpenSSL license (the "License"). You may not use +@@ -14,6 +14,7 @@ + #include "internal/refcount.h" + #include + #include ++#include "crypto/bn.h" + + EC_KEY *EC_KEY_new(void) + { +@@ -416,17 +417,86 @@ const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key) + + int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) + { ++ int fixed_top; ++ const BIGNUM *order = NULL; ++ BIGNUM *tmp_key = NULL; ++ + if (key->group == NULL || key->group->meth == NULL) + return 0; ++ ++ /* ++ * Not only should key->group be set, but it should also be in a valid ++ * fully initialized state. ++ * ++ * Specifically, to operate in constant time, we need that the group order ++ * is set, as we use its length as the fixed public size of any scalar used ++ * as an EC private key. ++ */ ++ order = EC_GROUP_get0_order(key->group); ++ if (order == NULL || BN_is_zero(order)) ++ return 0; /* This should never happen */ ++ + if (key->group->meth->set_private != NULL + && key->group->meth->set_private(key, priv_key) == 0) + return 0; + if (key->meth->set_private != NULL + && key->meth->set_private(key, priv_key) == 0) + return 0; ++ ++ /* ++ * We should never leak the bit length of the secret scalar in the key, ++ * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM` ++ * holding the secret scalar. ++ * ++ * This is important also because `BN_dup()` (and `BN_copy()`) do not ++ * propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and ++ * this brings an extra risk of inadvertently losing the flag, even when ++ * the called specifically set it. ++ * ++ * The propagation has been turned on and off a few times in the past ++ * years because in some conditions has shown unintended consequences in ++ * some code paths, so at the moment we can't fix this in the BN layer. ++ * ++ * In `EC_KEY_set_private_key()` we can work around the propagation by ++ * manually setting the flag after `BN_dup()` as we know for sure that ++ * inside the EC module the `BN_FLG_CONSTTIME` is always treated ++ * correctly and should not generate unintended consequences. ++ * ++ * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have ++ * to preallocate the BIGNUM internal buffer to a fixed public size big ++ * enough that operations performed during the processing never trigger ++ * a realloc which would leak the size of the scalar through memory ++ * accesses. ++ * ++ * Fixed Length ++ * ------------ ++ * ++ * The order of the large prime subgroup of the curve is our choice for ++ * a fixed public size, as that is generally the upper bound for ++ * generating a private key in EC cryptosystems and should fit all valid ++ * secret scalars. ++ * ++ * For preallocating the BIGNUM storage we look at the number of "words" ++ * required for the internal representation of the order, and we ++ * preallocate 2 extra "words" in case any of the subsequent processing ++ * might temporarily overflow the order length. ++ */ ++ tmp_key = BN_dup(priv_key); ++ if (tmp_key == NULL) ++ return 0; ++ ++ BN_set_flags(tmp_key, BN_FLG_CONSTTIME); ++ ++ fixed_top = bn_get_top(order) + 2; ++ if (bn_wexpand(tmp_key, fixed_top) == NULL) { ++ BN_clear_free(tmp_key); ++ return 0; ++ } ++ + BN_clear_free(key->priv_key); +- key->priv_key = BN_dup(priv_key); +- return (key->priv_key == NULL) ? 0 : 1; ++ key->priv_key = tmp_key; ++ ++ return 1; + } + + const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key) +-- +1.8.3.1 + diff --git a/EVP-allow-empty-strings-to-EVP_Decode-functions.patch b/EVP-allow-empty-strings-to-EVP_Decode-functions.patch new file mode 100644 index 0000000000000000000000000000000000000000..3a39e0fc7556e7920d6f32b0546e890f0b2084b6 --- /dev/null +++ b/EVP-allow-empty-strings-to-EVP_Decode-functions.patch @@ -0,0 +1,34 @@ +From 92cef3f186c20e702b7751c5ef959b4fe816a189 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Sat, 13 Jun 2020 22:16:14 +0200 +Subject: [PATCH 020/147] EVP: allow empty strings to EVP_Decode* functions + +This is a simple check order correction. + +Fixes #12143 + +Reviewed-by: Ben Kaduk +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/12144) + +(cherry picked from commit 0800288e6e1d9f44d471043a970ba57743ca8f4c) +--- + crypto/evp/encode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c +index 9307ff0..b178be0 100644 +--- a/crypto/evp/encode.c ++++ b/crypto/evp/encode.c +@@ -423,7 +423,7 @@ static int evp_decodeblock_int(EVP_ENCODE_CTX *ctx, unsigned char *t, + table = data_ascii2bin; + + /* trim white space from the start of the line. */ +- while ((conv_ascii2bin(*f, table) == B64_WS) && (n > 0)) { ++ while ((n > 0) && (conv_ascii2bin(*f, table) == B64_WS)) { + f++; + n--; + } +-- +1.8.3.1 + diff --git a/EVP_EncryptInit.pod-fix-example.patch b/EVP_EncryptInit.pod-fix-example.patch new file mode 100644 index 0000000000000000000000000000000000000000..2bba5fd8862f8f95ec213b3216af3250ae5591a7 --- /dev/null +++ b/EVP_EncryptInit.pod-fix-example.patch @@ -0,0 +1,32 @@ +From 3c09a5b0ba78a15311252ab8b7fb3ce16e7109ca Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Wed, 27 May 2020 16:32:43 +0200 +Subject: [PATCH 003/147] EVP_EncryptInit.pod: fix example + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11976) + +(cherry picked from commit d561b84143f5e7956454090e15de0c5e1425ceac) +--- + doc/man3/EVP_EncryptInit.pod | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod +index aaf9975..2828bca 100644 +--- a/doc/man3/EVP_EncryptInit.pod ++++ b/doc/man3/EVP_EncryptInit.pod +@@ -591,7 +591,7 @@ with a 128-bit key: + + /* Don't set key or IV right away; we want to check lengths */ + ctx = EVP_CIPHER_CTX_new(); +- EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, NULL, NULL, ++ EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, NULL, NULL, + do_encrypt); + OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16); + OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16); +-- +1.8.3.1 + diff --git a/Ensure-ECDSA_size-always-returns-0.patch b/Ensure-ECDSA_size-always-returns-0.patch new file mode 100644 index 0000000000000000000000000000000000000000..5f82dc5eed3a5a2164cd35ce193661a5ddd20303 --- /dev/null +++ b/Ensure-ECDSA_size-always-returns-0.patch @@ -0,0 +1,32 @@ +From f9f2e609db4de8d1f2022189a99c8277c3f6289d Mon Sep 17 00:00:00 2001 +From: William Brawner +Date: Sun, 5 Apr 2020 09:39:41 -0700 +Subject: [PATCH 009/217] Ensure ECDSA_size always returns >= 0 + +Fixes #10484 + +Signed-off-by: William Brawner + +Reviewed-by: Nicola Tuveri +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11472) +--- + crypto/ec/ec_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c +index 336afc9..831b74c 100644 +--- a/crypto/ec/ec_asn1.c ++++ b/crypto/ec/ec_asn1.c +@@ -1297,5 +1297,7 @@ int ECDSA_size(const EC_KEY *r) + i = i2d_ASN1_INTEGER(&bs, NULL); + i += i; /* r and s */ + ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE); ++ if (ret < 0) ++ return 0; + return ret; + } +-- +1.8.3.1 + diff --git a/Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch b/Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch new file mode 100644 index 0000000000000000000000000000000000000000..d640498122c8feb9dbb00765589930858fbb6cf7 --- /dev/null +++ b/Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch @@ -0,0 +1,30 @@ +From 32d738c9a2abeea5a709de9c33e4e6d6b87938bd Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 12 Jun 2020 10:52:41 +0100 +Subject: [PATCH 032/147] Ensure that SSL_dup copies the min/max protocol + version + +With thanks to Rebekah Johnson for reporting this issue. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12245) +--- + ssl/ssl_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 7c7e597..1d96eb4 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3824,6 +3824,8 @@ SSL *SSL_dup(SSL *s) + goto err; + ret->version = s->version; + ret->options = s->options; ++ ret->min_proto_version = s->min_proto_version; ++ ret->max_proto_version = s->max_proto_version; + ret->mode = s->mode; + SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); + SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); +-- +1.8.3.1 + diff --git a/Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch b/Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch new file mode 100644 index 0000000000000000000000000000000000000000..fe7a78fd3b8b91cb25f6f409fcdc4d04a4605edb --- /dev/null +++ b/Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch @@ -0,0 +1,44 @@ +From 86863f2ddc4200e5048e28c40ed6521495010699 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 27 May 2020 11:37:39 +0100 +Subject: [PATCH 023/147] Ensure we never use a partially initialised CMAC_CTX + +If the CMAC_CTX is partially initialised then we make a note of this so +that future operations will fail if the initialisation has not been +completed. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12107) +--- + crypto/cmac/cmac.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c +index 6989c32..dbcc436 100644 +--- a/crypto/cmac/cmac.c ++++ b/crypto/cmac/cmac.c +@@ -116,11 +116,18 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, + return 1; + } + /* Initialise context */ +- if (cipher && !EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL)) +- return 0; ++ if (cipher != NULL) { ++ /* Ensure we can't use this ctx until we also have a key */ ++ ctx->nlast_block = -1; ++ if (!EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL)) ++ return 0; ++ } + /* Non-NULL key means initialisation complete */ +- if (key) { ++ if (key != NULL) { + int bl; ++ ++ /* If anything fails then ensure we can't use this ctx */ ++ ctx->nlast_block = -1; + if (!EVP_CIPHER_CTX_cipher(ctx->cctx)) + return 0; + if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen)) +-- +1.8.3.1 + diff --git a/Fix-AES-CTR_DRBG-on-1.1.1.patch b/Fix-AES-CTR_DRBG-on-1.1.1.patch new file mode 100644 index 0000000000000000000000000000000000000000..e3451627d8288d05af1eb38e7db0b560753abc2d --- /dev/null +++ b/Fix-AES-CTR_DRBG-on-1.1.1.patch @@ -0,0 +1,44 @@ +From 0d011f540400b425aba1c3e59624ad9dbabe83cb Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Apr 2020 12:33:47 +1000 +Subject: [PATCH 014/217] Fix AES-CTR_DRBG on 1.1.1. + +The backport of the timing information leak fix uses u32 which is defined +in crypto/modes/modes_local.h in 1.1.1 and include/crypto/modes.h for 3.0. + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11489) +--- + crypto/rand/build.info | 2 ++ + crypto/rand/drbg_ctr.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/crypto/rand/build.info b/crypto/rand/build.info +index df9bac6..a4e7900 100644 +--- a/crypto/rand/build.info ++++ b/crypto/rand/build.info +@@ -2,3 +2,5 @@ LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ + randfile.c rand_lib.c rand_err.c rand_egd.c \ + rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c ++ ++INCLUDE[drbg_ctr.o]=../modes +diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c +index f41484e..af20197 100644 +--- a/crypto/rand/drbg_ctr.c ++++ b/crypto/rand/drbg_ctr.c +@@ -12,9 +12,10 @@ + #include + #include + #include +-#include "internal/thread_once.h" ++#include "modes_local.h" + #include "internal/thread_once.h" + #include "rand_local.h" ++ + /* + * Implementation of NIST SP 800-90A CTR DRBG. + */ +-- +1.8.3.1 + diff --git a/Fix-AES-GCM-bug-on-aarch64-BigEndian.patch b/Fix-AES-GCM-bug-on-aarch64-BigEndian.patch new file mode 100644 index 0000000000000000000000000000000000000000..209b82f8eaa789df49c5c7c179418439b8f707d1 --- /dev/null +++ b/Fix-AES-GCM-bug-on-aarch64-BigEndian.patch @@ -0,0 +1,77 @@ +From b11aa831cfe09befe3fb3229ca46a4a59352de34 Mon Sep 17 00:00:00 2001 +From: simplelins +Date: Fri, 3 Jan 2020 22:56:18 +0800 +Subject: [PATCH 087/147] Fix AES-GCM bug on aarch64 BigEndian + +Fixes #10638 +Fixes #13188 + +Fixes a bug for aarch64 bigendian with instructions 'st1' and 'ld1' on AES-GCM mode. + +CLA: trivial + +(cherry picked from commit bc8b648f744566031ce84d77333dbbcb9689e975) + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/13193) +--- + crypto/aes/asm/aesv8-armx.pl | 10 +++++++++- + crypto/modes/modes_local.h | 7 +++++-- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl +index d6068db..f42f7bd 100755 +--- a/crypto/aes/asm/aesv8-armx.pl ++++ b/crypto/aes/asm/aesv8-armx.pl +@@ -183,7 +183,12 @@ $code.=<<___; + .Loop192: + vtbl.8 $key,{$in1},$mask + vext.8 $tmp,$zero,$in0,#12 ++#ifdef __ARMEB__ ++ vst1.32 {$in1},[$out],#16 ++ sub $out,$out,#8 ++#else + vst1.32 {$in1},[$out],#8 ++#endif + aese $key,$zero + subs $bits,$bits,#1 + +@@ -715,8 +720,11 @@ $code.=<<___; + ldr $rounds,[$key,#240] + + ldr $ctr, [$ivp, #12] ++#ifdef __ARMEB__ ++ vld1.8 {$dat0},[$ivp] ++#else + vld1.32 {$dat0},[$ivp] +- ++#endif + vld1.32 {q8-q9},[$key] // load key schedule... + sub $rounds,$rounds,#4 + mov $step,#16 +diff --git a/crypto/modes/modes_local.h b/crypto/modes/modes_local.h +index 28c32c0..8881416 100644 +--- a/crypto/modes/modes_local.h ++++ b/crypto/modes/modes_local.h +@@ -63,12 +63,15 @@ typedef u32 u32_a1; + asm ("bswapl %0" \ + : "+r"(ret_)); ret_; }) + # elif defined(__aarch64__) +-# define BSWAP8(x) ({ u64 ret_; \ ++# if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \ ++ __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__ ++# define BSWAP8(x) ({ u64 ret_; \ + asm ("rev %0,%1" \ + : "=r"(ret_) : "r"(x)); ret_; }) +-# define BSWAP4(x) ({ u32 ret_; \ ++# define BSWAP4(x) ({ u32 ret_; \ + asm ("rev %w0,%w1" \ + : "=r"(ret_) : "r"(x)); ret_; }) ++# endif + # elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT) + # define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \ + asm ("rev %0,%0; rev %1,%1" \ +-- +1.8.3.1 + diff --git a/Fix-PEM-certificate-loading-that-sometimes-fails.patch b/Fix-PEM-certificate-loading-that-sometimes-fails.patch new file mode 100644 index 0000000000000000000000000000000000000000..e20f15bcc2162167ea336a33700d34b3d3fb88d4 --- /dev/null +++ b/Fix-PEM-certificate-loading-that-sometimes-fails.patch @@ -0,0 +1,142 @@ +From 69296e264e58334620f541d09a4e381ee45542d4 Mon Sep 17 00:00:00 2001 +From: Maximilian Blenk +Date: Tue, 7 Apr 2020 19:33:39 +0200 +Subject: [PATCH 046/217] Fix PEM certificate loading that sometimes fails + +As described in https://github.com/openssl/openssl/issues/9187, the +loading of PEM certificates sometimes fails if a line of base64 +content has the length of a multiple of 254. +The problem is in get_header_and_data(). When such a line with a +length of 254 (or a multiple) has been read, the next read will +only read a newline. Due to this get_header_and_data() expects to be +in the header not in the data area. This commit fixes that by checking +if lines have been read completely or only partially. In case of a +previous partial read, a newline will be ignored. + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/11741) + +(cherry picked from commit 0324ffc5d5d393111288eca2c9d67f2141ed65f5) +--- + crypto/pem/pem_lib.c | 28 ++++++++++++++++------ + test/recipes/04-test_pem.t | 3 +++ + .../04-test_pem_data/cert-254-chars-at-the-end.pem | 6 +++++ + .../cert-254-chars-in-the-middle.pem | 5 ++++ + .../cert-oneline-multiple-of-254.pem | 3 +++ + 5 files changed, 38 insertions(+), 7 deletions(-) + create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem + create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem + create mode 100644 test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem + +diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c +index 64baf71..0d79f4a 100644 +--- a/crypto/pem/pem_lib.c ++++ b/crypto/pem/pem_lib.c +@@ -791,7 +791,7 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, + { + BIO *tmp = *header; + char *linebuf, *p; +- int len, line, ret = 0, end = 0; ++ int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0; + /* 0 if not seen (yet), 1 if reading header, 2 if finished header */ + enum header_status got_header = MAYBE_HEADER; + unsigned int flags_mask; +@@ -813,6 +813,14 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, + goto err; + } + ++ /* ++ * Check if line has been read completely or if only part of the line ++ * has been read. Keep the previous value to ignore newlines that ++ * appear due to reading a line up until the char before the newline. ++ */ ++ prev_partial_line_read = partial_line_read; ++ partial_line_read = len == LINESIZE-1 && linebuf[LINESIZE-2] != '\n'; ++ + if (got_header == MAYBE_HEADER) { + if (memchr(linebuf, ':', len) != NULL) + got_header = IN_HEADER; +@@ -823,13 +831,19 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, + + /* Check for end of header. */ + if (linebuf[0] == '\n') { +- if (got_header == POST_HEADER) { +- /* Another blank line is an error. */ +- PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE); +- goto err; ++ /* ++ * If previous line has been read only partially this newline is a ++ * regular newline at the end of a line and not an empty line. ++ */ ++ if (!prev_partial_line_read) { ++ if (got_header == POST_HEADER) { ++ /* Another blank line is an error. */ ++ PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE); ++ goto err; ++ } ++ got_header = POST_HEADER; ++ tmp = *data; + } +- got_header = POST_HEADER; +- tmp = *data; + continue; + } + +diff --git a/test/recipes/04-test_pem.t b/test/recipes/04-test_pem.t +index c321611..e261275 100644 +--- a/test/recipes/04-test_pem.t ++++ b/test/recipes/04-test_pem.t +@@ -28,6 +28,8 @@ my %cert_expected = ( + "cert-1023line.pem" => 1, + "cert-1024line.pem" => 1, + "cert-1025line.pem" => 1, ++ "cert-254-chars-at-the-end.pem" => 1, ++ "cert-254-chars-in-the-middle.pem" => 1, + "cert-255line.pem" => 1, + "cert-256line.pem" => 1, + "cert-257line.pem" => 1, +@@ -42,6 +44,7 @@ my %cert_expected = ( + "cert-misalignedpad.pem" => 0, + "cert-onecolumn.pem" => 1, + "cert-oneline.pem" => 1, ++ "cert-oneline-multiple-of-254.pem" => 1, + "cert-shortandlongline.pem" => 1, + "cert-shortline.pem" => 1, + "cert-threecolumn.pem" => 1, +diff --git a/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem b/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem +new file mode 100644 +index 0000000..0b6a3ba +--- /dev/null ++++ b/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem +@@ -0,0 +1,6 @@ ++-----BEGIN CERTIFICATE----- ++MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCBTaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLf ++mipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo ++9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjo ++Kx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c= ++-----END CERTIFICATE----- +diff --git a/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem b/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem +new file mode 100644 +index 0000000..cc9076b +--- /dev/null ++++ b/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem +@@ -0,0 +1,5 @@ ++-----BEGIN CERTIFICATE----- ++MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT ++3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCB ++TaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLfmipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjoKx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c= ++-----END CERTIFICATE----- +diff --git a/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem b/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem +new file mode 100644 +index 0000000..e0af859 +--- /dev/null ++++ b/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem +@@ -0,0 +1,3 @@ ++-----BEGIN CERTIFICATE----- ++MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCBTaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLfmipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjoKx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c= ++-----END CERTIFICATE----- +-- +1.8.3.1 + diff --git a/Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch b/Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch new file mode 100644 index 0000000000000000000000000000000000000000..f04a50c951e677c2f1d2af14cc5fed789b2a1268 --- /dev/null +++ b/Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch @@ -0,0 +1,126 @@ +From 56456c3404b0ec27f93816d951ff7a58827481f0 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Thu, 27 Aug 2020 07:18:55 +0200 +Subject: [PATCH 063/147] Fix PEM_write_bio_PrivateKey_traditional() to not + output PKCS#8 + +PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the +actual encoding to DER. However, i2d_PrivateKey() is a generic +function that will do what it can to produce output according to what +the associated EVP_PKEY_ASN1_METHOD offers. If that method offers a +function 'old_priv_encode', which is expected to produce the +"traditional" encoded form, then i2d_PrivateKey() uses that. If not, +i2d_PrivateKey() will go on and used more modern methods, which are +all expected to produce PKCS#8. + +To ensure that PEM_write_bio_PrivateKey_traditional() never produces +more modern encoded forms, an extra check that 'old_priv_encode' is +non-NULL is added. If it is NULL, an error is returned. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12729) +--- + crypto/err/openssl.txt | 3 +++ + crypto/pem/pem_err.c | 6 +++++- + crypto/pem/pem_pkey.c | 6 ++++++ + include/openssl/pemerr.h | 4 +++- + 4 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index 3ca271b..0b5873e 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -934,6 +934,8 @@ PEM_F_PEM_READ_PRIVATEKEY:124:PEM_read_PrivateKey + PEM_F_PEM_SIGNFINAL:112:PEM_SignFinal + PEM_F_PEM_WRITE:113:PEM_write + PEM_F_PEM_WRITE_BIO:114:PEM_write_bio ++PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL:147:\ ++ PEM_write_bio_PrivateKey_traditional + PEM_F_PEM_WRITE_PRIVATEKEY:139:PEM_write_PrivateKey + PEM_F_PEM_X509_INFO_READ:115:PEM_X509_INFO_read + PEM_F_PEM_X509_INFO_READ_BIO:116:PEM_X509_INFO_read_bio +@@ -2400,6 +2402,7 @@ PEM_R_UNEXPECTED_DEK_IV:130:unexpected dek iv + PEM_R_UNSUPPORTED_CIPHER:113:unsupported cipher + PEM_R_UNSUPPORTED_ENCRYPTION:114:unsupported encryption + PEM_R_UNSUPPORTED_KEY_COMPONENTS:126:unsupported key components ++PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE:110:unsupported public key type + PKCS12_R_CANT_PACK_STRUCTURE:100:cant pack structure + PKCS12_R_CONTENT_TYPE_NOT_DATA:121:content type not data + PKCS12_R_DECODE_ERROR:101:decode error +diff --git a/crypto/pem/pem_err.c b/crypto/pem/pem_err.c +index f642030..0f3cb02 100644 +--- a/crypto/pem/pem_err.c ++++ b/crypto/pem/pem_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -60,6 +60,8 @@ static const ERR_STRING_DATA PEM_str_functs[] = { + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_SIGNFINAL, 0), "PEM_SignFinal"}, + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE, 0), "PEM_write"}, + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_BIO, 0), "PEM_write_bio"}, ++ {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL, 0), ++ "PEM_write_bio_PrivateKey_traditional"}, + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_PRIVATEKEY, 0), + "PEM_write_PrivateKey"}, + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_READ, 0), "PEM_X509_INFO_read"}, +@@ -109,6 +111,8 @@ static const ERR_STRING_DATA PEM_str_reasons[] = { + "unsupported encryption"}, + {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_KEY_COMPONENTS), + "unsupported key components"}, ++ {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE), ++ "unsupported public key type"}, + {0, NULL} + }; + +diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c +index e58cdf4..7bd9aa0 100644 +--- a/crypto/pem/pem_pkey.c ++++ b/crypto/pem/pem_pkey.c +@@ -108,6 +108,12 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, EVP_PKEY *x, + pem_password_cb *cb, void *u) + { + char pem_str[80]; ++ ++ if (x->ameth == NULL || x->ameth->old_priv_encode == NULL) { ++ PEMerr(PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL, ++ PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE); ++ return 0; ++ } + BIO_snprintf(pem_str, 80, "%s PRIVATE KEY", x->ameth->pem_str); + return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, + pem_str, bp, x, enc, kstr, klen, cb, u); +diff --git a/include/openssl/pemerr.h b/include/openssl/pemerr.h +index 0c45918..4f7e357 100644 +--- a/include/openssl/pemerr.h ++++ b/include/openssl/pemerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -61,6 +61,7 @@ int ERR_load_PEM_strings(void); + # define PEM_F_PEM_SIGNFINAL 112 + # define PEM_F_PEM_WRITE 113 + # define PEM_F_PEM_WRITE_BIO 114 ++# define PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL 147 + # define PEM_F_PEM_WRITE_PRIVATEKEY 139 + # define PEM_F_PEM_X509_INFO_READ 115 + # define PEM_F_PEM_X509_INFO_READ_BIO 116 +@@ -99,5 +100,6 @@ int ERR_load_PEM_strings(void); + # define PEM_R_UNSUPPORTED_CIPHER 113 + # define PEM_R_UNSUPPORTED_ENCRYPTION 114 + # define PEM_R_UNSUPPORTED_KEY_COMPONENTS 126 ++# define PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE 110 + + #endif +-- +1.8.3.1 + diff --git a/Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch b/Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch new file mode 100644 index 0000000000000000000000000000000000000000..72bc1375778401f6d213caaab6eba3449de43521 --- /dev/null +++ b/Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch @@ -0,0 +1,41 @@ +From dea4e33a92a8c6a49bfabda4e78afa3d0e2e0d61 Mon Sep 17 00:00:00 2001 +From: raja-ashok +Date: Fri, 8 May 2020 19:17:21 +0530 +Subject: [PATCH 052/217] Fix crash in early data send with out-of-band PSK + using AES CCM + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11809) +--- + ssl/tls13_enc.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c +index 86754dc..b8fb07f 100644 +--- a/ssl/tls13_enc.c ++++ b/ssl/tls13_enc.c +@@ -390,11 +390,18 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, + uint32_t algenc; + + ivlen = EVP_CCM_TLS_IV_LEN; +- if (s->s3->tmp.new_cipher == NULL) { ++ if (s->s3->tmp.new_cipher != NULL) { ++ algenc = s->s3->tmp.new_cipher->algorithm_enc; ++ } else if (s->session->cipher != NULL) { + /* We've not selected a cipher yet - we must be doing early data */ + algenc = s->session->cipher->algorithm_enc; ++ } else if (s->psksession != NULL && s->psksession->cipher != NULL) { ++ /* We must be doing early data with out-of-band PSK */ ++ algenc = s->psksession->cipher->algorithm_enc; + } else { +- algenc = s->s3->tmp.new_cipher->algorithm_enc; ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, ++ ERR_R_EVP_LIB); ++ goto err; + } + if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) + taglen = EVP_CCM8_TLS_TAG_LEN; +-- +1.8.3.1 + diff --git a/Fix-d2i_PrivateKey-to-work-as-documented.patch b/Fix-d2i_PrivateKey-to-work-as-documented.patch new file mode 100644 index 0000000000000000000000000000000000000000..70653fc43c1094782f4f753353e5868ca05a730a --- /dev/null +++ b/Fix-d2i_PrivateKey-to-work-as-documented.patch @@ -0,0 +1,39 @@ +From 176eb406691f14d560cf7619365830a4d033ee28 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Mon, 11 May 2020 09:14:11 +0200 +Subject: [PATCH 062/217] Fix d2i_PrivateKey() to work as documented + +d2i_PrivateKey() is documented to return keys of the type given as +first argument |type|, unconditionally. Most specifically, the manual +says this: + +> An error occurs if the decoded key does not match type. + +However, when faced of a PKCS#8 wrapped key, |type| was ignored, which +may lead to unexpected results. + +(cherry picked from commit b2952366dd0248bf35c83e1736cd203033a22378) + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +(Merged from https://github.com/openssl/openssl/pull/11888) +--- + crypto/asn1/d2i_pr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c +index 6ec0107..ac1a8c4 100644 +--- a/crypto/asn1/d2i_pr.c ++++ b/crypto/asn1/d2i_pr.c +@@ -56,6 +56,8 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, + goto err; + EVP_PKEY_free(ret); + ret = tmp; ++ if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret)) ++ goto err; + } else { + ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB); + goto err; +-- +1.8.3.1 + diff --git a/Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch b/Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch new file mode 100644 index 0000000000000000000000000000000000000000..c68721beb43652e722bcfab7e1b1873c1ea038c4 --- /dev/null +++ b/Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch @@ -0,0 +1,71 @@ +From 7f699cb663741a73cfe95214d4a39a1078c94294 Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Wed, 3 Jun 2020 07:49:27 +0200 +Subject: [PATCH 014/147] Fix err checking and mem leaks of BIO_set_conn_port + and BIO_set_conn_address + +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12036) +--- + crypto/bio/bss_conn.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c +index f4c6b85..807a82b 100644 +--- a/crypto/bio/bss_conn.c ++++ b/crypto/bio/bss_conn.c +@@ -416,12 +416,13 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) + case BIO_C_SET_CONNECT: + if (ptr != NULL) { + b->init = 1; +- if (num == 0) { ++ if (num == 0) { /* BIO_set_conn_hostname */ + char *hold_service = data->param_service; + /* We affect the hostname regardless. However, the input + * string might contain a host:service spec, so we must + * parse it, which might or might not affect the service + */ ++ + OPENSSL_free(data->param_hostname); + data->param_hostname = NULL; + ret = BIO_parse_hostserv(ptr, +@@ -430,19 +431,29 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) + BIO_PARSE_PRIO_HOST); + if (hold_service != data->param_service) + OPENSSL_free(hold_service); +- } else if (num == 1) { ++ } else if (num == 1) { /* BIO_set_conn_port */ + OPENSSL_free(data->param_service); +- data->param_service = BUF_strdup(ptr); +- } else if (num == 2) { ++ if ((data->param_service = OPENSSL_strdup(ptr)) == NULL) ++ ret = 0; ++ } else if (num == 2) { /* BIO_set_conn_address */ + const BIO_ADDR *addr = (const BIO_ADDR *)ptr; ++ char *host = BIO_ADDR_hostname_string(addr, 1); ++ char *service = BIO_ADDR_service_string(addr, 1); ++ ++ ret = host != NULL && service != NULL; + if (ret) { +- data->param_hostname = BIO_ADDR_hostname_string(addr, 1); +- data->param_service = BIO_ADDR_service_string(addr, 1); ++ OPENSSL_free(data->param_hostname); ++ data->param_hostname = host; ++ OPENSSL_free(data->param_service); ++ data->param_service = service; + BIO_ADDRINFO_free(data->addr_first); + data->addr_first = NULL; + data->addr_iter = NULL; ++ } else { ++ OPENSSL_free(host); ++ OPENSSL_free(service); + } +- } else if (num == 3) { ++ } else if (num == 3) { /* BIO_set_conn_ip_family */ + data->connect_family = *(int *)ptr; + } else { + ret = 0; +-- +1.8.3.1 + diff --git a/Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch b/Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch new file mode 100644 index 0000000000000000000000000000000000000000..9ba737221eeb82fc91ca1f8c0957408b2b9be7c6 --- /dev/null +++ b/Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch @@ -0,0 +1,377 @@ +From e2590c3a162eb118c36b09c2168164283aa099b4 Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Tue, 24 Dec 2019 11:25:15 +0100 +Subject: [PATCH 050/147] Fix issue 1418 by moving check of KU_KEY_CERT_SIGN + and weakening check_issued() + +Move check that cert signing is allowed from x509v3_cache_extensions() to +where it belongs: internal_verify(), generalize it for proxy cert signing. +Correct and simplify check_issued(), now checking self-issued (not: self-signed). +Add test case to 25-test_verify.t that demonstrates successful fix. + +As prerequisites, this adds the static function check_sig_alg_match() +and the internal functions x509_likely_issued() and x509_signing_allowed(). + +This is a backport of the core of PR #10587. +Fixes #1418 + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12357) +--- + crypto/x509/x509_local.h | 2 + + crypto/x509/x509_vfy.c | 52 +++++++++++++----------- + crypto/x509v3/v3_purp.c | 64 ++++++++++++++++++++++++------ + doc/man3/X509_STORE_set_verify_cb_func.pod | 4 +- + doc/man3/X509_check_issued.pod | 17 ++++---- + include/openssl/x509_vfy.h | 3 ++ + test/certs/ee-self-signed.pem | 18 +++++++++ + test/certs/setup.sh | 3 ++ + test/recipes/25-test_verify.t | 5 ++- + 9 files changed, 123 insertions(+), 45 deletions(-) + create mode 100644 test/certs/ee-self-signed.pem + +diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h +index c517a77..6ac3c7e 100644 +--- a/crypto/x509/x509_local.h ++++ b/crypto/x509/x509_local.h +@@ -145,3 +145,5 @@ DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY) + + void x509_set_signature_info(X509_SIG_INFO *siginf, const X509_ALGOR *alg, + const ASN1_STRING *sig); ++int x509_likely_issued(X509 *issuer, X509 *subject); ++int x509_signing_allowed(const X509 *issuer, const X509 *subject); +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 5bd3c4c..87b51e9 100644 +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -104,7 +104,12 @@ static int null_callback(int ok, X509_STORE_CTX *e) + return ok; + } + +-/* Return 1 is a certificate is self signed */ ++/* ++ * Return 1 if given cert is considered self-signed, 0 if not or on error. ++ * This does not verify self-signedness but relies on x509v3_cache_extensions() ++ * matching issuer and subject names (i.e., the cert being self-issued) and any ++ * present authority key identifier matching the subject key identifier, etc. ++ */ + static int cert_self_signed(X509 *x) + { + if (X509_check_purpose(x, -1, 0) != 1) +@@ -325,30 +330,26 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) + return rv; + } + +-/* Given a possible certificate and issuer check them */ +- ++/* ++ * Check that the given certificate 'x' is issued by the certificate 'issuer' ++ * and the issuer is not yet in ctx->chain, where the exceptional case ++ * that 'x' is self-issued and ctx->chain has just one element is allowed. ++ */ + static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) + { +- int ret; +- if (x == issuer) +- return cert_self_signed(x); +- ret = X509_check_issued(issuer, x); +- if (ret == X509_V_OK) { ++ if (x509_likely_issued(issuer, x) != X509_V_OK) ++ return 0; ++ if ((x->ex_flags & EXFLAG_SI) == 0 || sk_X509_num(ctx->chain) != 1) { + int i; + X509 *ch; +- /* Special case: single self signed certificate */ +- if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1) +- return 1; ++ + for (i = 0; i < sk_X509_num(ctx->chain); i++) { + ch = sk_X509_value(ctx->chain, i); +- if (ch == issuer || !X509_cmp(ch, issuer)) { +- ret = X509_V_ERR_PATH_LOOP; +- break; +- } ++ if (ch == issuer || X509_cmp(ch, issuer) == 0) ++ return 0; + } + } +- +- return (ret == X509_V_OK); ++ return 1; + } + + /* Alternative lookup method: look from a STACK stored in other_ctx */ +@@ -1752,18 +1753,23 @@ static int internal_verify(X509_STORE_CTX *ctx) + * is allowed to reset errors (at its own peril). + */ + while (n >= 0) { +- EVP_PKEY *pkey; +- + /* +- * Skip signature check for self signed certificates unless explicitly +- * asked for. It doesn't add any security and just wastes time. If +- * the issuer's public key is unusable, report the issuer certificate ++ * Skip signature check for self-issued certificates unless explicitly ++ * asked for because it does not add any security and just wastes time. ++ * If the issuer's public key is not available or its key usage does ++ * not support issuing the subject cert, report the issuer certificate + * and its depth (rather than the depth of the subject). + */ + if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { ++ EVP_PKEY *pkey; ++ int issuer_depth = n + (xs == xi ? 0 : 1); ++ int ret = x509_signing_allowed(xi, xs); ++ ++ if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret)) ++ return 0; + if ((pkey = X509_get0_pubkey(xi)) == NULL) { + if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, +- X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) ++ X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) + return 0; + } else if (X509_verify(xs, pkey) <= 0) { + if (!verify_cb_cert(ctx, xs, n, +diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c +index f023c64..2b06dba 100644 +--- a/crypto/x509v3/v3_purp.c ++++ b/crypto/x509v3/v3_purp.c +@@ -13,6 +13,7 @@ + #include + #include + #include "crypto/x509.h" ++#include "../x509/x509_local.h" /* for x509_signing_allowed() */ + #include "internal/tsan_assist.h" + + static void x509v3_cache_extensions(X509 *x); +@@ -344,6 +345,21 @@ static int setup_crldp(X509 *x) + return 1; + } + ++/* Check that issuer public key algorithm matches subject signature algorithm */ ++static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject) ++{ ++ int pkey_nid; ++ ++ if (pkey == NULL) ++ return X509_V_ERR_NO_ISSUER_PUBLIC_KEY; ++ if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm), ++ NULL, &pkey_nid) == 0) ++ return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM; ++ if (EVP_PKEY_type(pkey_nid) != EVP_PKEY_base_id(pkey)) ++ return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH; ++ return X509_V_OK; ++} ++ + #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) + #define ku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) +@@ -496,11 +512,11 @@ static void x509v3_cache_extensions(X509 *x) + x->ex_flags |= EXFLAG_INVALID; + /* Does subject name match issuer ? */ + if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { +- x->ex_flags |= EXFLAG_SI; +- /* If SKID matches AKID also indicate self signed */ +- if (X509_check_akid(x, x->akid) == X509_V_OK && +- !ku_reject(x, KU_KEY_CERT_SIGN)) +- x->ex_flags |= EXFLAG_SS; ++ x->ex_flags |= EXFLAG_SI; /* cert is self-issued */ ++ if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */ ++ /* .. and the signature alg matches the PUBKEY alg: */ ++ && check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK) ++ x->ex_flags |= EXFLAG_SS; /* indicate self-signed */ + } + x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL); + if (x->altname == NULL && i != -1) +@@ -793,6 +809,23 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) + } + + /*- ++ * Check if certificate I is allowed to issue certificate I ++ * according to the B field of I if present ++ * depending on any proxyCertInfo extension of I. ++ * Returns 0 for OK, or positive for reason for rejection ++ * where reason codes match those for X509_verify_cert(). ++ */ ++int x509_signing_allowed(const X509 *issuer, const X509 *subject) ++{ ++ if (subject->ex_flags & EXFLAG_PROXY) { ++ if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) ++ return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; ++ } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) ++ return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; ++ return X509_V_OK; ++} ++ ++/*- + * Various checks to see if one certificate issued the second. + * This can be used to prune a set of possible issuer certificates + * which have been looked up using some simple method such as by +@@ -800,13 +833,24 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) + * These are: + * 1. Check issuer_name(subject) == subject_name(issuer) + * 2. If akid(subject) exists check it matches issuer +- * 3. If key_usage(issuer) exists check it supports certificate signing ++ * 3. Check that issuer public key algorithm matches subject signature algorithm ++ * 4. If key_usage(issuer) exists check it supports certificate signing + * returns 0 for OK, positive for reason for mismatch, reasons match + * codes for X509_verify_cert() + */ + + int X509_check_issued(X509 *issuer, X509 *subject) + { ++ int ret; ++ ++ if ((ret = x509_likely_issued(issuer, subject)) != X509_V_OK) ++ return ret; ++ return x509_signing_allowed(issuer, subject); ++} ++ ++/* do the checks 1., 2., and 3. as described above for X509_check_issued() */ ++int x509_likely_issued(X509 *issuer, X509 *subject) ++{ + if (X509_NAME_cmp(X509_get_subject_name(issuer), + X509_get_issuer_name(subject))) + return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; +@@ -824,12 +868,8 @@ int X509_check_issued(X509 *issuer, X509 *subject) + return ret; + } + +- if (subject->ex_flags & EXFLAG_PROXY) { +- if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) +- return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; +- } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) +- return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; +- return X509_V_OK; ++ /* check if the subject signature alg matches the issuer's PUBKEY alg */ ++ return check_sig_alg_match(X509_get0_pubkey(issuer), subject); + } + + int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) +diff --git a/doc/man3/X509_STORE_set_verify_cb_func.pod b/doc/man3/X509_STORE_set_verify_cb_func.pod +index d16881e..47de27d 100644 +--- a/doc/man3/X509_STORE_set_verify_cb_func.pod ++++ b/doc/man3/X509_STORE_set_verify_cb_func.pod +@@ -137,7 +137,9 @@ I + + X509_STORE_set_check_issued() sets the function to check that a given +-certificate B is issued with the issuer certificate B. ++certificate B is issued by the issuer certificate B and ++the issuer is not yet in the chain contained in , where the exceptional ++case that B is self-issued and ctx->chain has just one element is allowed. + This function must return 0 on failure (among others if B hasn't + been issued with B) and 1 on success. + I was issued using CA +-certificate I. This function takes into account not only +-matching of issuer field of I with subject field of I, +-but also compares B extension of I with +-B of I if B +-present in the I certificate and checks B field of +-I. ++X509_check_issued() checks if certificate I was apparently issued ++using (CA) certificate I. This function takes into account not only ++matching of the issuer field of I with the subject field of I, ++but also compares all sub-fields of the B extension of ++I, as far as present, with the respective B, ++serial number, and issuer fields of I, as far as present. It also checks ++if the B field (if present) of I allows certificate signing. ++It does not check the certificate signature. + + =head1 RETURN VALUES + +diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h +index adb8bce..0f13739 100644 +--- a/include/openssl/x509_vfy.h ++++ b/include/openssl/x509_vfy.h +@@ -184,6 +184,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); + # define X509_V_ERR_OCSP_VERIFY_NEEDED 73 /* Need OCSP verification */ + # define X509_V_ERR_OCSP_VERIFY_FAILED 74 /* Couldn't verify cert through OCSP */ + # define X509_V_ERR_OCSP_CERT_UNKNOWN 75 /* Certificate wasn't recognized by the OCSP responder */ ++# define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH 76 ++# define X509_V_ERR_NO_ISSUER_PUBLIC_KEY 77 ++# define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM 78 + + /* Certificate verify flags */ + +diff --git a/test/certs/ee-self-signed.pem b/test/certs/ee-self-signed.pem +new file mode 100644 +index 0000000..ad1e37b +--- /dev/null ++++ b/test/certs/ee-self-signed.pem +@@ -0,0 +1,18 @@ ++-----BEGIN CERTIFICATE----- ++MIICzzCCAbegAwIBAgIUBP7iEKPlKuinZGQNFxSY3IBIb0swDQYJKoZIhvcNAQEL ++BQAwGTEXMBUGA1UEAwwOZWUtc2VsZi1zaWduZWQwHhcNMjAwNjI4MTA1MTQ1WhcN ++MjAwNzI4MTA1MTQ1WjAZMRcwFQYDVQQDDA5lZS1zZWxmLXNpZ25lZDCCASIwDQYJ ++KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU ++fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC ++76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz ++BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl ++V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv ++0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaMP ++MA0wCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQBiLmIUCGb+hmRGbmpO ++lDqEwiRVdxHBs4OSb3IA9QgU1QKUDRqn7q27RRelmzTXllubZZcX3K6o+dunRW5G ++d3f3FVr+3Z7wnmkQtC2y3NWtGuWNczss+6rMLzKvla5CjRiNPlSvluMNpcs7BJxI ++ppk1LxlaiYlQkDW32OPyxzXWDNv1ZkphcOcoCkHAagnq9x1SszvLTjAlo5XpYrm5 ++CPgBOEnVwFCgne5Ab4QPTgkxPh/Ta508I/FKaPLJqci1EfGKipZkS7mMGTUJEeVK ++wZrn4z7RiTfJ4PdqO5iv8eOpt03fqdPEXQWe8DrKyfGM6/e369FaXMFhcd2ZxZy2 ++WHoc ++-----END CERTIFICATE----- +diff --git a/test/certs/setup.sh b/test/certs/setup.sh +index bbe4842..7e40f65 100755 +--- a/test/certs/setup.sh ++++ b/test/certs/setup.sh +@@ -185,6 +185,9 @@ OPENSSL_SIGALG=md5 \ + OPENSSL_KEYBITS=768 \ + ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert + ++# self-signed end-entity cert with explicit keyUsage not including KeyCertSign ++openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature ++ + # Proxy certificates, off of ee-client + # Start with some good ones + ./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \ +diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t +index cf7842c..0c643e5 100644 +--- a/test/recipes/25-test_verify.t ++++ b/test/recipes/25-test_verify.t +@@ -27,7 +27,7 @@ sub verify { + run(app([@args])); + } + +-plan tests => 135; ++plan tests => 136; + + # Canonical success + ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), +@@ -368,6 +368,9 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"] + ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"), + "Public Key Algorithm rsa instead of rsaEncryption"); + ++ ok(verify("ee-self-signed", "sslserver", ["ee-self-signed"], []), ++ "accept trusted self-signed EE cert excluding key usage keyCertSign"); ++ + SKIP: { + skip "Ed25519 is not supported by this OpenSSL build", 1 + if disabled("ec"); +-- +1.8.3.1 + diff --git a/Fix-memory-leaks-in-conf_def.c.patch b/Fix-memory-leaks-in-conf_def.c.patch new file mode 100644 index 0000000000000000000000000000000000000000..f8fbcbfd522a49dbb8c63ce14a8b46bc11c9c119 --- /dev/null +++ b/Fix-memory-leaks-in-conf_def.c.patch @@ -0,0 +1,39 @@ +From 526cf60408e1a356ec712b6c88a88864fdbe73af Mon Sep 17 00:00:00 2001 +From: luxinyou +Date: Mon, 7 Sep 2020 18:06:45 +1000 +Subject: [PATCH 065/147] Fix memory leaks in conf_def.c + +Fixes #12471 +CLA: trivial + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/12533) + +(cherry picked from commit 4348995b0d818203f37ffa51c9bdf4488cf24bad) +--- + crypto/conf/conf_def.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c +index ca76fa3..72669b1 100644 +--- a/crypto/conf/conf_def.c ++++ b/crypto/conf/conf_def.c +@@ -376,11 +376,13 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) + if (biosk == NULL) { + if ((biosk = sk_BIO_new_null()) == NULL) { + CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE); ++ BIO_free(next); + goto err; + } + } + if (!sk_BIO_push(biosk, in)) { + CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE); ++ BIO_free(next); + goto err; + } + /* continue with reading from the included BIO */ +-- +1.8.3.1 + diff --git a/Fix-rsa8192.pem.patch b/Fix-rsa8192.pem.patch new file mode 100644 index 0000000000000000000000000000000000000000..125d5a3f709f80543df791708491cd7171122912 --- /dev/null +++ b/Fix-rsa8192.pem.patch @@ -0,0 +1,266 @@ +From 024035b6e018405d7c29bce2e10e884066203601 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 10 May 2020 06:37:12 +0200 +Subject: [PATCH 048/217] Fix rsa8192.pem + +Q: How did I do that? + +A: That's a long story. + +Precondition: I used sage 8.1 for the math, it could probably +done with simple python as well but I did not try. + +First I extract numbers from rsa8192.pem: + +openssl rsa -in rsa8192.pem -noout -text | sed "s/://g; s/ //g;" + +cut&paste the numbers into sage: + +modulus +00890d9fd57e81b5ed43283d0ea020 +4a1229333d6fb9c37a179375b09c4f +7b5b1cf2eb025979b6d90b709928a0 +6725e04caf2b0f7fe94afbdf9f3fa5 +66f1ba75c2f6dc488039f410eb5fa8 +ab152b8cfdb76791bb853059438edf +ae56bc70a32a9f3e2d883e8b751d08 +3797999dc81a9c4d6bdb3a75362fd1 +d9c497cf5028dfcdd4cc3eb318e79f +c0db45cbeed955da8a447f0872dee5 +65bde4013340e767731441fae4fa54 +51356bfbc84e1271b39f111f5f8ef3 +a6c8973765b39addef80306194f4ea +89fdfc8e9744866323f6936de89b2f +e2741578b8eb3c41676702fabc50ec +c376e6b7b6e7f94e7d7b5c1bab3c9f +23bb0c8f04d8aca64c309fc063c406 +553e1c1421cc45060df7f48c49f5c5 +b459d572e273402d6a3ff008657fe9 +1936714d1823c5cad53d80630b3216 +9bf70feb2ebc1af6a35ee0bf059aed +49c4e367d567e130e2846859b271fd +a8949b182e050819866b8e762ed29f +fb3f7ca14cebfc2488662be4b3980f +c8d31890a05f38ae9690cc7d9d3efc +4808e03da104a8c28bb480bb814995 +a6e8b8978ab8350d90b3894e3abf7d +c4ad0956335752c8d6944b38a1715e +7d9950f49e6cdba171fbe651a2ca26 +65a7c70b6e8cf3a02c2f93dad8aa95 +06481cdb032d04082a5a6c6a733b65 +20fa80e2ef57b9cf858ca5ea11e084 +bc31a386fc6b099f069786207f80d6 +1f2bef294400d59394ad1006431366 +a54ae09b0ecd3377dcd8af8fde9b94 +fd559b0b7adc5113ba66fc4b3dc842 +ee562cfcfd39b4ffc31576635873fc +59535b7aa98605772436c251834e23 +4fb2347cc970a49818cac2a9ee95eb +b55fa2da66edd53e11245c6732140a +ae41491288cbf462eef8a807b46d0d +affa38d9ccfe8033d2d4a3cf5c5b82 +9df12183f7a05d3650153cd317a017 +083ac641c2c3ad11305de0a032be45 +c439bd7bbbe3cb97850f9d2c66f72a +4a66e9d434544fc6d294ca3c92627b +e518bfa44e3017ac8ad9c0a26a227d +2e8677da0a4de8edb53ac9530adb63 +83c72dbf562dc4d0fea4e492f09eb1 +74548381a8686db3aeaaa3a9960cff +25e8c64701115da54fa7a1fb2c566a +fcb4b2a63268d818c3391a62885d13 +41b3492c4f0167291b3d026a44e68c +02f2d4d255d4c0906b92a2ced0c0bb +f2bcdceaec1189895af4232dc386c9 +75bf3477e5a70d3ab0ac0e5dc37024 +0e34a276b155d5e290f77416a1986d +ec47f8c78236ac7df249df9ba21a80 +2e6bd75b4fb1c6ffe0f4cf548761a5 +6a1fcccee156523a718987f3fdaedc +7171c9050db89a83f24c5a283695b9 +c28de6d3b69fc1714b0add335a0ce6 +fbbdbd0bbdb01e44969d775105bba3 +d2947dca2f291250f9b851e76f514d +dc5a3aa4498e6521314991568860eb +ff1258d8b4aee9ee4159153684c0c0 +16c60b17537a50b53cd59aad60678b +d73f0714ab4ccae7416bab417b4907 +36d59b2e9f + +I used echo `echo "" ` | sed "s/ //g" +to get everything in one line, put that again +into the clipboard and +then start sage, type N=0x + +sage: N=0x00890d9fd57e81b5ed43283d0ea0204a1229333d6fb9c37a179375b09c4f7b5b1cf2eb025979b6d90b709928a06725e04caf2b0f7fe94afbdf9f3fa566f1ba75c2f6dc488039f410eb5fa8ab152b8cfdb76791bb853059438edfae56bc70a32a9f3e2d883e8b751d083797999dc81a9c4d6bdb3a75362fd1d9c497cf5028dfcdd4cc3eb318e79fc0db45cbeed955da8a447f0872dee565bde4013340e767731441fae4fa5451356bfbc84e1271b39f111f5f8ef3a6c8973765b39addef80306194f4ea89fdfc8e9744866323f6936de89b2fe2741578b8eb3c41676702fabc50ecc376e6b7b6e7f94e7d7b5c1bab3c9f23bb0c8f04d8aca64c309fc063c406553e1c1421cc45060df7f48c49f5c5b459d572e273402d6a3ff008657fe91936714d1823c5cad53d80630b32169bf70feb2ebc1af6a35ee0bf059aed49c4e367d567e130e2846859b271fda8949b182e050819866b8e762ed29ffb3f7ca14cebfc2488662be4b3980fc8d31890a05f38ae9690cc7d9d3efc4808e03da104a8c28bb480bb814995a6e8b8978ab8350d90b3894e3abf7dc4ad0956335752c8d6944b38a1715e7d9950f49e6cdba171fbe651a2ca2665a7c70b6e8cf3a02c2f93dad8aa9506481cdb032d04082a5a6c6a733b6520fa80e2ef57b9cf858ca5ea11e084bc31a386fc6b099f069786207f80d61f2bef294400d59394ad1006431366a54ae09b0ecd3377dcd8af8fde9b94fd559b0b7adc5113ba66fc4b3dc842ee562cfcfd39b4ffc31576635873fc59535b7aa98605772436c251834e234fb2347cc970a49818cac2a9ee95ebb55fa2da66edd53e11245c6732140aae41491288cbf462eef8a807b46d0daffa38d9ccfe8033d2d4a3cf5c5b829df12183f7a05d3650153cd317a017083ac641c2c3ad11305de0a032be45c439bd7bbbe3cb97850f9d2c66f72a4a66e9d434544fc6d294ca3c92627be518bfa44e3017ac8ad9c0a26a227d2e8677da0a4de8edb53ac9530adb6383c72dbf562dc4d0fea4e492f09eb174548381a8686db3aeaaa3a9960cff25e8c64701115da54fa7a1fb2c566afcb4b2a63268d818c3391a62885d1341b3492c4f0167291b3d026a44e68c02f2d4d255d4c0906b92a2ced0c0bbf2bcdceaec1189895af4232dc386c975bf3477e5a70d3ab0ac0e5dc370240e34a276b155d5e290f77416a1986dec47f8c78236ac7df249df9ba21a802e6bd75b4fb1c6ffe0f4cf548761a56a1fcccee156523a718987f3fdaedc7171c9050db89a83f24c5a283695b9c28de6d3b69fc1714b0add335a0ce6fbbdbd0bbdb01e44969d775105bba3d2947dca2f291250f9b851e76f514ddc5a3aa4498e6521314991568860ebff1258d8b4aee9ee4159153684c0c016c60b17537a50b53cd59aad60678bd73f0714ab4ccae7416bab417b490736d59b2e9f + +likewise for prime1 (P), prime2 (Q) and +privateExponent (D) and publicExponent (E) + +sage: P=0x00c6d6eb9c0f93f8b8de74b2799798c1c1ed47549426a0d76af61f04f0b455184acfeec354c1703709e8727ea0213001738e395b5ca5ed4deec30f8b1ae0e54a516777c5ae897a5562e77dfe378dbba32ee30bcdb275ab7f87f8b9af02712d371a6aa671b44e0f667a6f2d406e5099d942f592ff5c517d452d58cf3f51120062a878fb77066650275b897caf078a5353f1d714963ff90818b6b87c6db438681b4b315c4fd256c1bd383fcf8e67b49a3ee077373a66d77e4c02eebe9350478a51cdfa395d60d905c1189ed7041373f1609075faf9d9f39d3d7b0e7fc8b1d36cb8c5c48731ef5cd87e11f480cdfa4b3ee6cf7eebd3e13f4244647396d52030b82c39d69a3a4075ee90531d1ddb5f1284dc7ab09a3892de5c0ddeed115c7c9ee5fc008658830b0e6f7f366a72f215192498474ade046fc10e92591dfa133e4beff98758e0e92c05f999504a486e3f71c15b73adf7fe0d311f0d0dc1a8e2aff92572475a92e60f970174c80c4948a0cb86635cb438519b18c260ff9f212925e684ef151cc91fa1c4c8dbbc337c9b46f9a93c88cce49e49a670762186e8858051f93ebff7b0b50caadd9b32f93e396b5a6d1cd7f77b2e50e83fae5f3928433268f6cc28810071ce334025a24c7ebf92e631df0d26e99923018946de4ea5e30e868c33ea3d408d8c58815ecf9892fa3afa5f6fbef9a1dfda2da51b6f01f3dae588bdf17b +sage: Q=0x00b073b35a3bba0954b242961630e8e0af8d3ea8aad80d55669e9e79c388983363d96fe471205743001b4798b81de1be3fb06353fd0c9c4fd43f91f9cb2162b00583cc94ff791a615348d01977ca05f4796d5bff41d94dda1cb3ef2433ff4f6500d15ab290a14e651efa91b7df5d5e50f8356188d9842dcdd67c89eb7d40baa78f045969b804f7a985d35a8a8ac32715cb212a34fb89e85e538275e53663fe675944d2b5dba77b7b7abfacd8fbddee4427db6460b728952af882992750c2542d2122247d7f431ec2fe64c0311b0de5290eb619c6ab476308d59f3efff7255d07ebb51fe64ac5967c0b79bae07d36283cf768c8eee2054349cefe90876da66a52e9e0ff20cc00a40fb0c69524e7a01e5c2f07239831a0fa2f56ad405b3a25537907d990e8f5a3e4f3df99dda6afc30d4565aa5881f64adcc6f6be4077893c7e7710623e6158359c3facfef5036779903065fd0d0a2ed8bf2e53a46758dbff06284670bf10bd2e13cba4323ce50fa43df373bd0940011c424f41c5035a10b8095f420ddb67189f6dad62f1257b0f46e353a90eacc145c7db74998a5d0d8772ba1286eb582504465290171e4db87f2e89564214a2317953a7307b1b4c8dad5920866087d7ae80845478813bdf5f6740d0f3b975a344272804b036e4fef09e91d60d1a730fda2f5c222f7636bbe252f9a6caa86d5e8be7e7db2cf912817a0898a4742d +sage: D=0x3b900240c4a416aeb09b123e02f5457bb31023c9249081c5313edaac741686388492020964ce4471a653c9c63c4dc7b74c0188d0ec50bc3a29797da6c9b3616e83dea45ba5d41e6e4cba7eefca6791f45d3c86a491a899a5c42c7e61930a3681d281f34e4b49707e9bba74f68f7a91274c92904b546b5fe6267c5b8ad8d8bb199a523d7fbb5a40748b56dfccf074f3d664e705153dd903b7cd95bac556be3ab59a165d7cbb765e21a4a1d97e34b412baf1caacb57543d2bd8e5ae5cd2a86dc41e256f3f5c0073052859d1c8a12f4973caa88de2e5eb2eef8d6ebdb66fe154d8e383cba74693753affaf4dbc8e2988c08f947b1f8473a7163775656448572c325250ad2cd75c9f5d42721b91ae8fb427773605afa2f4297daf7ab34f5d71144185f3f5cbc94041081fae19fd5d47fc49421080edc5d658b5f223fb1e9b172f4da1a92263fa922225d4c0231e35d94d276fcb0e0999f5f26068528c83f49b0dd79fb157c49fe8b3d80e7cd2b3da76478ebd2ae2c8164583bee2f96591e2f41ad799ae0e2855a5699996fb2c7efb69f86874bca58628e512d579b247e43ee8db04b424e84e44cf753f86e12dd8d2e0ea0b800e6c313317c14658993b8e04c7fb5de1cba0829123dc518957be2a46f76f8ff305fee17b2310bfdd66a93c8b050451f8ceb26c518b7abb72faf08fca0bf6df8a80de511ffc00dc350cd87e52c9cf5771892300e420929da698b6b973da849c89410f089e9b39de79fc1a01a27d2f879ce5cd80ca0a3899d9f480c68d7a5f8c8b3c74936b19f0c7174987df437658046adaffdaddc3540be7fc06a1d2290f58ad9a2992d32e9ecbadf2eed961b4e68c8a89a5709a334082ad297348c4c31c54a3dadccb93afaa9f1786c4167021d4a16dd78afb41131bdd651357bd44f42cfee5d03fdfae087255d18a6a41c03aa6408b6097d8a6848cbbf05a7f20207d5673ea5e6dc849d5d3009c6e8a6c41285cd64f71b536d8345d61f404079278facde0d6e2264cbe655e877468bd3e76380d91f282f26ae17e41a1bac76c148c4c75dd22656816ab259e2c79920e27e6bcfa83732ac6e0a245dcd9cc82f69e45019cf53ac39bebca3ddea0f55ef97b6d8f7b7eadaae792fb1b55c73cf2ed644e651a22c60ed9c0bb063c50fadda6beccbf6c88c41ef1546bab5f21dbe4fbeeb11f3c5c40fa1cc3df2c11bfe7910d1d36a5ec6e66462c7e216481008931039299d23f2be4d838fb010b661a8541a8b7f7bf7d6c8032895e82133e24c835e5a3491249ec69f28e22cf9b0fab9be9ea17026fbadd470eee4676d7ac79976a1c6807e89b5dabab815ffa076caeaeb53f505a31129dac1e9f0b5d919f17aced63574c8524000022b6bc6cb9c8d6a06e44c72e055a1e2706e736af241ab3084fa56cf942aa139440f74e230be31cd8dd4bf0cbdd657f1 +sage: E=0x10001 + +check: +sage: is_pseudoprime(P) +True +sage: gcd(N,P) +811194519730394220204949383061971492284209477134487451053533919242408334468793875483685418435472924384137737409878754330061341487239404629370463160720071782806016579636145456953095810661706004899017496722730291178259805745059054744795252171022091469940626116746608128441399036310378334222880519662696558703165249434265697658704322903051581598088400258377253583825209022558177374913570364047051007093402547387492492645729748176160840842076964161794363721255756097675823463557162877865622894488049720201680509519072521257128596878592149455958732762099800396648453225220977153025222265023206761554302369499402146842619059859650958489842850140873473393484632985863967898676228674751576699965523367097641503814266418957281198265955430221973482931544501209059788536033857660452959160612655542331433647351037413298986228798018950712662579341162832440884265576141868775326408627532047094505284395403786932363148262901839514736964209136867574532808481484592060405175685831168554790879720280778881035860464184791941816702480873202940903024652495084770128062224279875598826600084633389722629461385386069921483006677287847102371176994910369378323222717613076771700378608286670543729473076010314569999636269167049088093674649352610884381826740603 +sage: N%P +0 + +>> P seems to be a prime, and is indeed a factor of N. + +sage: is_pseudoprime(Q) +False +sage: gcd(N,Q) +1 +sage: ecm(Q) +Found composite factor of 3 digits: 675 +Composite cofactor ... has 1231 digits. +Q has a small factor. The large cofactor +is way too large to be factorized (today). + +>> Q must be wrong. + +sage: pow(pow(2,E,N),D,N) +2 +sage: pow(pow(3,E,N),D,N) +3 +sage: pow(pow(5,E,N),D,N) +5 +sage: pow(pow(7,E,N),D,N) +7 +sage: pow(pow(11,E,N),D,N) +11 +sage: pow(pow(1000,E,N),D,N) +1000 + +>> x^D mod N is indeed the inverse of x^E mod N +>> D seems to be correct. + +>> now compute +sage: Qcorrect = N/P +sage: is_prime(Qcorrect) +False +sage: is_pseudoprime(Qcorrect) +True + +>> surprise, this is a sage artefact. +>> is_prime is supposed to tell if Qcorrect +>> is a provable prime, but these numbers are +>> too large for a proof. + +sage: help(Qcorrect) +class Rational +... + +>> oops, it is of course not a rational number. + +sage: Qcorrect = Integer(N/P) +class Integer +... + +>> okay now it is an integer. + +sage: is_prime(Qcorrect) +>> takes way too long: press CTRL-C +sage: is_pseudoprime(Qcorrect) +True + +>> so the correct Q seems to be a prime. + +sage: Q-Qcorrect +4468358315186607582623830645994123175323958284313904132666602205502546750542721902065776801908141680869902222733839989940221831332787838985874881107673910358472026239723185949529735314601712865712198736991916521419325287976337589177915143787138292689484229106140251936135768934015263941567159094923493376 +sage: hex(Q-Qcorrect) +'1a10400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' + +>> interesting, now figure out the bits that are flipped in Q: + +Q ...20ddb67189f6dad... +Qcorrect ...20dd9c6149f6dad... + +$ openssl rsa -in rsa8192.pem -outform der -out rsa8192.der +writing RSA key +$ xxd -ps < rsa8192.der > rsa8192.hex +$ sed "s/20ddb67189f6dad/20dd9c6149f6dad/" < rsa8192.hex > rsa8192.out +$ diff rsa8192.hex rsa8192.out +100c100 +< 10b8095f420ddb67189f6dad62f1257b0f46e353a90eacc145c7db74998a +--- +> 10b8095f420dd9c6149f6dad62f1257b0f46e353a90eacc145c7db74998a + +>> et voila + +$ xxd -ps -r < rsa8192.out > rsa8192.der +$ openssl rsa -inform der -in rsa8192.der -out rsa8192.pem +writing RSA key +$ openssl rsa -check -noout -in rsa8192.pem +RSA key ok +#$ git diff +#diff --git a/apps/rsa8192.pem b/apps/rsa8192.pem +#index 946a6e5..83d962f 100644 +#--- a/apps/rsa8192.pem +#+++ b/apps/rsa8192.pem +#@@ -1,5 +1,4 @@ +# -----BEGIN RSA PRIVATE KEY----- +#- +# MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ +# ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF +# MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY +#@@ -62,7 +61,7 @@ JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo +# yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ +# kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9 +# DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN +#-22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU +#+2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU +# ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz +# D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP +# PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8 +#@@ -98,4 +97,3 @@ TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c +# rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv +# I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8= +# -----END RSA PRIVATE KEY----- +#- + +>> DONE. + +Fixes #11776 + +Reviewed-by: Paul Dale +Reviewed-by: Matthias St. Pierre +(Merged from https://github.com/openssl/openssl/pull/11783) + +(cherry picked from commit 7ef43790617cb08b4bb4141df716dfb37385fe5c) +--- + apps/rsa8192.pem | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/apps/rsa8192.pem b/apps/rsa8192.pem +index 946a6e5..83d962f 100644 +--- a/apps/rsa8192.pem ++++ b/apps/rsa8192.pem +@@ -1,5 +1,4 @@ + -----BEGIN RSA PRIVATE KEY----- +- + MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ + ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF + MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY +@@ -62,7 +61,7 @@ JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo + yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ + kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9 + DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN +-22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU ++2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU + ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz + D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP + PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8 +@@ -98,4 +97,3 @@ TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c + rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv + I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8= + -----END RSA PRIVATE KEY----- +- +-- +1.8.3.1 + diff --git a/Fix-the-error-handling-in-EC_POINTs_mul.patch b/Fix-the-error-handling-in-EC_POINTs_mul.patch new file mode 100644 index 0000000000000000000000000000000000000000..0e1cd7b8cad54f6759b8379f141834da5ad51bc6 --- /dev/null +++ b/Fix-the-error-handling-in-EC_POINTs_mul.patch @@ -0,0 +1,49 @@ +From 5dc91f44a90b72f5c0a79ab9a19d0f2fa0bbac1f Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Mon, 6 Apr 2020 10:41:36 +0200 +Subject: [PATCH 010/217] Fix the error handling in EC_POINTs_mul + +This was pointed out by a false-positive +-fsanitizer warning ;-) + +However from the cryptographical POV the +code is wrong: +A point R^0 on the wrong curve +is infinity on the wrong curve. + +[extended tests] + +Reviewed-by: Nicola Tuveri +(Merged from https://github.com/openssl/openssl/pull/11475) + +(cherry picked from commit 1eb9b54af7e00fa12196411964ce742ea8677766) +--- + crypto/ec/ec_lib.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index 3554ada..22b00e2 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, + size_t i = 0; + BN_CTX *new_ctx = NULL; + +- if ((scalar == NULL) && (num == 0)) { +- return EC_POINT_set_to_infinity(group, r); +- } +- + if (!ec_point_is_compat(r, group)) { + ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); + return 0; + } ++ ++ if (scalar == NULL && num == 0) ++ return EC_POINT_set_to_infinity(group, r); ++ + for (i = 0; i < num; i++) { + if (!ec_point_is_compat(points[i], group)) { + ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); +-- +1.8.3.1 + diff --git a/Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch b/Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch new file mode 100644 index 0000000000000000000000000000000000000000..224ec3cea8725cfc270f05929cf8db164045fdc0 --- /dev/null +++ b/Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch @@ -0,0 +1,40 @@ +From 7d66cb360c448361654a8ffff73e790c474ba302 Mon Sep 17 00:00:00 2001 +From: Arne Schwabe +Date: Thu, 23 Apr 2020 12:42:51 +0200 +Subject: [PATCH 035/217] Fix type cast in SSL_CTX_set1_groups macro + +The macro casts the glist parameter to char* +instead of (int *) like the documentation of the function suggest. + +Also the function tls1_set_groups that is called from SSL_CTX_ctrl +takes an int * argument. This looks like a copy&paste error from +SSL_CTX_set1_groups_list function. + +CLA: trivial +Signed-off-by: Arne Schwabe + +Reviewed-by: Ben Kaduk +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11614) + +(cherry picked from commit 7ffce852372799b6cd856b711db21332f0048314) +--- + include/openssl/ssl.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h +index 6724ccf..b2cd11f 100644 +--- a/include/openssl/ssl.h ++++ b/include/openssl/ssl.h +@@ -1393,7 +1393,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) + # define SSL_get1_groups(s, glist) \ + SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist)) + # define SSL_CTX_set1_groups(ctx, glist, glistlen) \ +- SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist)) ++ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(int *)(glist)) + # define SSL_CTX_set1_groups_list(ctx, s) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s)) + # define SSL_set1_groups(s, glist, glistlen) \ +-- +1.8.3.1 + diff --git a/Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch b/Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch new file mode 100644 index 0000000000000000000000000000000000000000..cb6526fae99c3f37e6b31dbb82a6634bfc5a71a4 --- /dev/null +++ b/Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch @@ -0,0 +1,35 @@ +From d07e8b0ae66e96cda9c803de36e977fb7dfe941a Mon Sep 17 00:00:00 2001 +From: "Dr. Matthias St. Pierre" +Date: Wed, 6 May 2020 17:24:13 +0200 +Subject: [PATCH 044/217] Fix use-after-free in BIO_C_SET_SSL callback + +Since the BIO_SSL structure was renewed by `ssl_free(b)/ssl_new(b)`, +the `bs` pointer needs to be updated before assigning to `bs->ssl`. + +Thanks to @suishixingkong for reporting the issue and providing a fix. + +Closes #10539 + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11746) + +(cherry picked from commit 73d6b4efe6835a6c97ce61df6bf339b0903e5b7a) +--- + ssl/bio_ssl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c +index ab9e666..efa23bf 100644 +--- a/ssl/bio_ssl.c ++++ b/ssl/bio_ssl.c +@@ -284,6 +284,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) + ssl_free(b); + if (!ssl_new(b)) + return 0; ++ bs = BIO_get_data(b); + } + BIO_set_shutdown(b, num); + ssl = (SSL *)ptr; +-- +1.8.3.1 + diff --git a/Fix-wrong-return-value-check-of-mmap-function.patch b/Fix-wrong-return-value-check-of-mmap-function.patch new file mode 100644 index 0000000000000000000000000000000000000000..460d76f139523f1002fc1b02eda3c54d31afd8b8 --- /dev/null +++ b/Fix-wrong-return-value-check-of-mmap-function.patch @@ -0,0 +1,34 @@ +From b295a4dca17f00d412043b74393b86a16655fac0 Mon Sep 17 00:00:00 2001 +From: Tristan Bauer <67098820+trisbauer@users.noreply.github.com> +Date: Thu, 18 Jun 2020 11:45:24 +0200 +Subject: [PATCH 028/147] Fix wrong return value check of mmap function + +The mmap function never returns NULL. If an error occurs, the function returns MAP_FAILED. + +CLA: trivial + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/12187) + +(cherry picked from commit 1d78129dd205e3e85083a91c33540a70c51b0a23) +--- + crypto/mem_sec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c +index 9e0f670..8bcb050 100644 +--- a/crypto/mem_sec.c ++++ b/crypto/mem_sec.c +@@ -502,7 +502,7 @@ static void sh_done(void) + OPENSSL_free(sh.freelist); + OPENSSL_free(sh.bittable); + OPENSSL_free(sh.bitmalloc); +- if (sh.map_result != NULL && sh.map_size) ++ if (sh.map_result != MAP_FAILED && sh.map_size) + munmap(sh.map_result, sh.map_size); + memset(&sh, 0, sizeof(sh)); + } +-- +1.8.3.1 + diff --git a/Free-pre_proc_exts-in-SSL_free.patch b/Free-pre_proc_exts-in-SSL_free.patch new file mode 100644 index 0000000000000000000000000000000000000000..a5b4feab36b4ad4bf2635fa20f0b44015d632a41 --- /dev/null +++ b/Free-pre_proc_exts-in-SSL_free.patch @@ -0,0 +1,39 @@ +From bfbf06c4d29086f1c67ed38324a2c4a9f642d291 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mi=C5=82osz=20Kaniewski?= +Date: Tue, 30 Jun 2020 21:46:38 +0200 +Subject: [PATCH 038/147] Free pre_proc_exts in SSL_free() + +Usually it will be freed in tls_early_post_process_client_hello(). +However if a ClientHello callback will be used and will return +SSL_CLIENT_HELLO_RETRY then tls_early_post_process_client_hello() +may never come to the point where pre_proc_exts is freed. + +Fixes #12194 + +CLA: trivial + +Reviewed-by: Paul Dale +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/12330) + +(cherry picked from commit 94941cada25433a7dca35b5b9f8cbb751ab65ab3) +--- + ssl/ssl_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index f6a4964..433a537 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -1200,6 +1200,8 @@ void SSL_free(SSL *s) + OPENSSL_free(s->ext.ocsp.resp); + OPENSSL_free(s->ext.alpn); + OPENSSL_free(s->ext.tls13_cookie); ++ if (s->clienthello != NULL) ++ OPENSSL_free(s->clienthello->pre_proc_exts); + OPENSSL_free(s->clienthello); + OPENSSL_free(s->pha_context); + EVP_MD_CTX_free(s->pha_dgst); +-- +1.8.3.1 + diff --git a/Integer-overflow-in-ASN1_STRING_set.patch b/Integer-overflow-in-ASN1_STRING_set.patch new file mode 100644 index 0000000000000000000000000000000000000000..3055155dce3f7ceff21998aeb82668c455c744f7 --- /dev/null +++ b/Integer-overflow-in-ASN1_STRING_set.patch @@ -0,0 +1,57 @@ +From 163897267fab6d29dff1a4bf8247f8e02e158be8 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Mon, 6 Apr 2020 09:23:00 +1000 +Subject: [PATCH 012/217] Integer overflow in ASN1_STRING_set. + +Addressing a potential integer overflow condition. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11473) + +(cherry picked from commit 96218269f4c2da82f143727fb7697d572c190bc5) +--- + crypto/asn1/asn1_lib.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c +index a7d32ae..5cd0e16 100644 +--- a/crypto/asn1/asn1_lib.c ++++ b/crypto/asn1/asn1_lib.c +@@ -268,18 +268,29 @@ ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str) + return ret; + } + +-int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len) ++int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in) + { + unsigned char *c; + const char *data = _data; ++ size_t len; + +- if (len < 0) { ++ if (len_in < 0) { + if (data == NULL) + return 0; +- else +- len = strlen(data); ++ len = strlen(data); ++ } else { ++ len = (size_t)len_in; ++ } ++ /* ++ * Verify that the length fits within an integer for assignment to ++ * str->length below. The additional 1 is subtracted to allow for the ++ * '\0' terminator even though this isn't strictly necessary. ++ */ ++ if (len > INT_MAX - 1) { ++ ASN1err(0, ASN1_R_TOO_LARGE); ++ return 0; + } +- if ((str->length <= len) || (str->data == NULL)) { ++ if ((size_t)str->length <= len || str->data == NULL) { + c = str->data; + str->data = OPENSSL_realloc(c, len + 1); + if (str->data == NULL) { +-- +1.8.3.1 + diff --git a/Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch b/Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch new file mode 100644 index 0000000000000000000000000000000000000000..ad2a0c46024cb011074cf3b012e0b0ff62666707 --- /dev/null +++ b/Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch @@ -0,0 +1,41 @@ +From ec5aad1ca26599bcaddc3a03708fb925b21f3b6c Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Thu, 28 May 2020 19:03:37 +0200 +Subject: [PATCH 005/147] Make BIO_do_connect() and friends handle multiple IP + addresses + +Backport of #11971 + +Reviewed-by: Tomas Mraz +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/11989) +--- + crypto/bio/bss_conn.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c +index dd43a40..f4c6b85 100644 +--- a/crypto/bio/bss_conn.c ++++ b/crypto/bio/bss_conn.c +@@ -186,8 +186,17 @@ static int conn_state(BIO *b, BIO_CONNECT *c) + + case BIO_CONN_S_BLOCKED_CONNECT: + i = BIO_sock_error(b->num); +- if (i) { ++ if (i != 0) { + BIO_clear_retry_flags(b); ++ if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter)) != NULL) { ++ /* ++ * if there are more addresses to try, do that first ++ */ ++ BIO_closesocket(b->num); ++ c->state = BIO_CONN_S_CREATE_SOCKET; ++ ERR_clear_error(); ++ break; ++ } + SYSerr(SYS_F_CONNECT, i); + ERR_add_error_data(4, + "hostname=", c->param_hostname, +-- +1.8.3.1 + diff --git a/Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch b/Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch new file mode 100644 index 0000000000000000000000000000000000000000..bf113f527e70e581da6298951a0698584f28a19a --- /dev/null +++ b/Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch @@ -0,0 +1,65 @@ +From 7844f3c784bfc93c9b94ae5a4082f9d01e82e0af Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 14 Oct 2020 15:13:28 +0100 +Subject: [PATCH 083/147] Pass an EVP_PKEY for SSL_SECOP_TMP_DH in the security + callback + +The security operation SSL_SECOP_TMP_DH is defined to take an EVP_PKEY +in the "other" parameter: + + /* Temporary DH key */ + # define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY) + +In most places this is what is passed. All these places occur server side. +However there is one client side call of this security operation and it +passes a DH object instead. This is incorrect according to the +definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other +locations. + +Our own default security callback, and the debug callback in the apps, +never look at this value and therefore this issue was never noticed +previously. In theory a client side application could be relying on this +behaviour and could be broken by this change. This is probably fairly +unlikely but can't be ruled out. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/13136) +--- + ssl/statem/statem_clnt.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c +index 64e392c..3bf8aac 100644 +--- a/ssl/statem/statem_clnt.c ++++ b/ssl/statem/statem_clnt.c +@@ -2145,18 +2145,19 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) + } + bnpub_key = NULL; + +- if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) { +- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, +- SSL_R_DH_KEY_TOO_SMALL); +- goto err; +- } +- + if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, + ERR_R_EVP_LIB); + goto err; + } + ++ if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp), ++ 0, peer_tmp)) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, ++ SSL_R_DH_KEY_TOO_SMALL); ++ goto err; ++ } ++ + s->s3->peer_tmp = peer_tmp; + + /* +-- +1.8.3.1 + diff --git a/Prevent-use-after-free-of-global_engine_lock.patch b/Prevent-use-after-free-of-global_engine_lock.patch new file mode 100644 index 0000000000000000000000000000000000000000..f6f0c2918a55f23781338c223b1b40d88c4d5f37 --- /dev/null +++ b/Prevent-use-after-free-of-global_engine_lock.patch @@ -0,0 +1,35 @@ +From e512efe0894481679a5d3c57d10bf4ea97046c2a Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 21 May 2020 13:16:57 +0200 +Subject: [PATCH 064/217] Prevent use after free of global_engine_lock + +If buggy application calls engine functions after cleanup of engines +already happened the global_engine_lock will be used although +already freed. + +See for example: +https://bugzilla.redhat.com/show_bug.cgi?id=1831086 + +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/11896) + +(cherry picked from commit e12813d0d31f4f7be2ccc592d382ef3e94bdb842) +--- + crypto/engine/eng_lib.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c +index b851ff6..dd87eba 100644 +--- a/crypto/engine/eng_lib.c ++++ b/crypto/engine/eng_lib.c +@@ -171,6 +171,7 @@ void engine_cleanup_int(void) + cleanup_stack = NULL; + } + CRYPTO_THREAD_lock_free(global_engine_lock); ++ global_engine_lock = NULL; + } + + /* Now the "ex_data" support */ +-- +1.8.3.1 + diff --git a/Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch b/Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch new file mode 100644 index 0000000000000000000000000000000000000000..4be9c1c3feff96c76132cf82d98659398cafcb33 --- /dev/null +++ b/Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch @@ -0,0 +1,35 @@ +From 46fe1c7caee1442ead1f7c780e5c50045a00f76e Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Wed, 3 Jun 2020 21:38:20 +0200 +Subject: [PATCH 013/147] Replace BUF_strdup() call by OPENSSL_strdup() adding + failure check in bss_acpt.c + +Add OPENSSL_strdup failure check to cpt_ctrl() in bss_acpt.c + +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12036) +--- + crypto/bio/bss_acpt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c +index 5a2cb50..4461eae 100644 +--- a/crypto/bio/bss_acpt.c ++++ b/crypto/bio/bss_acpt.c +@@ -434,8 +434,10 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr) + b->init = 1; + } else if (num == 1) { + OPENSSL_free(data->param_serv); +- data->param_serv = BUF_strdup(ptr); +- b->init = 1; ++ if ((data->param_serv = OPENSSL_strdup(ptr)) == NULL) ++ ret = 0; ++ else ++ b->init = 1; + } else if (num == 2) { + data->bind_mode |= BIO_SOCK_NONBLOCK; + } else if (num == 3) { +-- +1.8.3.1 + diff --git a/Revert-the-check-for-NaN-in-f-format.patch b/Revert-the-check-for-NaN-in-f-format.patch new file mode 100644 index 0000000000000000000000000000000000000000..12cd7c15c2e0e8eba7353eba3e8124db2efdab9e --- /dev/null +++ b/Revert-the-check-for-NaN-in-f-format.patch @@ -0,0 +1,90 @@ +From 3fc83feae0bc3fcfbb7cfc8a927bb4a888a7663b Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 31 May 2020 07:51:23 +0200 +Subject: [PATCH 006/147] Revert the check for NaN in %f format + +Unfortunately -Ofast seems to break that check. + +Fixes #11994 + +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/12003) + +(cherry picked from commit 41dccd68b9b9b7622b26d264c5fa190aa5bd4201) +--- + crypto/bio/b_print.c | 4 +--- + test/bioprinttest.c | 33 --------------------------------- + 2 files changed, 1 insertion(+), 36 deletions(-) + +diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c +index 48556f7..2f68fe7 100644 +--- a/crypto/bio/b_print.c ++++ b/crypto/bio/b_print.c +@@ -638,10 +638,8 @@ fmtfp(char **sbuffer, + /* + * By subtracting 65535 (2^16-1) we cancel the low order 15 bits + * of ULONG_MAX to avoid using imprecise floating point values. +- * The second condition is necessary to catch NaN values. + */ +- if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0 +- || !(ufvalue == ufvalue) /* NaN */) { ++ if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0) { + /* Number too big */ + return 0; + } +diff --git a/test/bioprinttest.c b/test/bioprinttest.c +index e37b854..e97de03 100644 +--- a/test/bioprinttest.c ++++ b/test/bioprinttest.c +@@ -241,48 +241,15 @@ static int test_fp(int i) + return r; + } + +-extern double zero_value; +-double zero_value = 0.0; +- + static int test_big(void) + { + char buf[80]; +- double d, z, inf, nan; + + /* Test excessively big number. Should fail */ + if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf), + "%f\n", 2 * (double)ULONG_MAX), -1)) + return 0; + +- d = 1.0; +- z = zero_value; +- inf = d / z; +- nan = z / z; +- +- /* +- * Test +/-inf, nan. Should fail. +- * Test +/-1.0, +/-0.0. Should work. +- */ +- if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", inf), -1) +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", -inf), -1) +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", nan), -1) +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", d), 8) +- || !TEST_str_eq(buf, "1.000000") +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", z), 8) +- || !TEST_str_eq(buf, "0.000000") +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", -d), 9) +- || !TEST_str_eq(buf, "-1.000000") +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", -z), 8) +- || !TEST_str_eq(buf, "0.000000")) +- return 0; +- + return 1; + } + +-- +1.8.3.1 + diff --git a/Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch b/Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch new file mode 100644 index 0000000000000000000000000000000000000000..954f4f7b02f042272d9ed24703c78f24f80735ab --- /dev/null +++ b/Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch @@ -0,0 +1,96 @@ +From 56e8fe0b4efbf582e40ae91319727c9d176c5e1e Mon Sep 17 00:00:00 2001 +From: Norman Ashley +Date: Fri, 10 Jul 2020 19:01:32 -0400 +Subject: [PATCH 071/147] Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP + sign + +OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK. +If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail +because the X509_check_private_key() can fail. + +The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c +as a common place to check. Checks in ssl_rsa.c were removed. + +Reviewed-by: Matt Caswell +Reviewed-by: Tim Hudson +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12419) +--- + crypto/rsa/rsa_ameth.c | 9 +++++++++ + ssl/ssl_rsa.c | 26 -------------------------- + 2 files changed, 9 insertions(+), 26 deletions(-) + +diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c +index 6692a51..cc686fc 100644 +--- a/crypto/rsa/rsa_ameth.c ++++ b/crypto/rsa/rsa_ameth.c +@@ -118,6 +118,15 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) + + static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) + { ++ /* ++ * Don't check the public/private key, this is mostly for smart ++ * cards. ++ */ ++ if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ++ || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) { ++ return 1; ++ } ++ + if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 + || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) + return 0; +diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c +index b969352..51abd27 100644 +--- a/ssl/ssl_rsa.c ++++ b/ssl/ssl_rsa.c +@@ -148,15 +148,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) + EVP_PKEY_copy_parameters(pktmp, pkey); + ERR_clear_error(); + +-#ifndef OPENSSL_NO_RSA +- /* +- * Don't check the public/private key, this is mostly for smart +- * cards. +- */ +- if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA +- && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ; +- else +-#endif + if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { + X509_free(c->pkeys[i].x509); + c->pkeys[i].x509 = NULL; +@@ -342,16 +333,6 @@ static int ssl_set_cert(CERT *c, X509 *x) + EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); + ERR_clear_error(); + +-#ifndef OPENSSL_NO_RSA +- /* +- * Don't check the public/private key, this is mostly for smart +- * cards. +- */ +- if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA +- && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) & +- RSA_METHOD_FLAG_NO_CHECK) ; +- else +-#endif /* OPENSSL_NO_RSA */ + if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { + /* + * don't fail for a cert/key mismatch, just free current private +@@ -1082,13 +1063,6 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr + EVP_PKEY_copy_parameters(pubkey, privatekey); + } /* else both have parameters */ + +- /* Copied from ssl_set_cert/pkey */ +-#ifndef OPENSSL_NO_RSA +- if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) && +- ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK))) +- /* no-op */ ; +- else +-#endif + /* check that key <-> cert match */ + if (EVP_PKEY_cmp(pubkey, privatekey) != 1) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH); +-- +1.8.3.1 + diff --git a/Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch b/Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch new file mode 100644 index 0000000000000000000000000000000000000000..5347b155234aae62c1c4c103826b5e5fb3f37edb --- /dev/null +++ b/Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch @@ -0,0 +1,151 @@ +From 6b4b92d7f212caf4c525af4bf0c35fbbf5f38a3b Mon Sep 17 00:00:00 2001 +From: raja-ashok +Date: Sun, 10 May 2020 22:47:00 +0530 +Subject: [PATCH 053/217] Test TLSv1.3 out-of-band PSK with all 5 ciphersuites + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11809) +--- + test/sslapitest.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 109 insertions(+), 1 deletion(-) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index b3cd30d..62d22e8 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -2129,8 +2129,11 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, + #define MSG6 "test" + #define MSG7 "message." + +-#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") + #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") ++#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") ++#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03") ++#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04") ++#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05") + + + static SSL_SESSION *create_a_psk(SSL *ssl) +@@ -3059,6 +3062,110 @@ static int test_early_data_psk(int idx) + } + + /* ++ * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites ++ * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256 ++ * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384 ++ * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256, ++ * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256 ++ * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256 ++ */ ++static int test_early_data_psk_with_all_ciphers(int idx) ++{ ++ SSL_CTX *cctx = NULL, *sctx = NULL; ++ SSL *clientssl = NULL, *serverssl = NULL; ++ int testresult = 0; ++ SSL_SESSION *sess = NULL; ++ unsigned char buf[20]; ++ size_t readbytes, written; ++ const SSL_CIPHER *cipher; ++ const char *cipher_str[] = { ++ TLS1_3_RFC_AES_128_GCM_SHA256, ++ TLS1_3_RFC_AES_256_GCM_SHA384, ++# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) ++ TLS1_3_RFC_CHACHA20_POLY1305_SHA256, ++# else ++ NULL, ++# endif ++ TLS1_3_RFC_AES_128_CCM_SHA256, ++ TLS1_3_RFC_AES_128_CCM_8_SHA256 ++ }; ++ const unsigned char *cipher_bytes[] = { ++ TLS13_AES_128_GCM_SHA256_BYTES, ++ TLS13_AES_256_GCM_SHA384_BYTES, ++# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) ++ TLS13_CHACHA20_POLY1305_SHA256_BYTES, ++# else ++ NULL, ++# endif ++ TLS13_AES_128_CCM_SHA256_BYTES, ++ TLS13_AES_128_CCM_8_SHA256_BYTES ++ }; ++ ++ if (cipher_str[idx] == NULL) ++ return 1; ++ ++ /* We always set this up with a final parameter of "2" for PSK */ ++ if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, ++ &serverssl, &sess, 2))) ++ goto end; ++ ++ if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx])) ++ || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx]))) ++ goto end; ++ ++ /* ++ * 'setupearly_data_test' creates only one instance of SSL_SESSION ++ * and assigns to both client and server with incremented reference ++ * and the same instance is updated in 'sess'. ++ * So updating ciphersuite in 'sess' which will get reflected in ++ * PSK handshake using psk use sess and find sess cb. ++ */ ++ cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]); ++ if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))) ++ goto end; ++ ++ SSL_set_connect_state(clientssl); ++ if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), ++ &written))) ++ goto end; ++ ++ if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), ++ &readbytes), ++ SSL_READ_EARLY_DATA_SUCCESS) ++ || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) ++ || !TEST_int_eq(SSL_get_early_data_status(serverssl), ++ SSL_EARLY_DATA_ACCEPTED) ++ || !TEST_int_eq(SSL_connect(clientssl), 1) ++ || !TEST_int_eq(SSL_accept(serverssl), 1)) ++ goto end; ++ ++ /* Send some normal data from client to server */ ++ if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) ++ || !TEST_size_t_eq(written, strlen(MSG2))) ++ goto end; ++ ++ if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) ++ || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) ++ goto end; ++ ++ testresult = 1; ++ end: ++ SSL_SESSION_free(sess); ++ SSL_SESSION_free(clientpsk); ++ SSL_SESSION_free(serverpsk); ++ clientpsk = serverpsk = NULL; ++ if (clientssl != NULL) ++ SSL_shutdown(clientssl); ++ if (serverssl != NULL) ++ SSL_shutdown(serverssl); ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ return testresult; ++} ++ ++/* + * Test that a server that doesn't try to read early data can handle a + * client sending some. + */ +@@ -6549,6 +6656,7 @@ int setup_tests(void) + ADD_ALL_TESTS(test_early_data_skip_abort, 3); + ADD_ALL_TESTS(test_early_data_not_sent, 3); + ADD_ALL_TESTS(test_early_data_psk, 8); ++ ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5); + ADD_ALL_TESTS(test_early_data_not_expected, 3); + # ifndef OPENSSL_NO_TLS1_2 + ADD_ALL_TESTS(test_early_data_tls1_2, 3); +-- +1.8.3.1 + diff --git a/Update-EVP_EncodeInit.pod.patch b/Update-EVP_EncodeInit.pod.patch new file mode 100644 index 0000000000000000000000000000000000000000..cef5f09ac57f6c7fc4e8468a647bf8131bf7277e --- /dev/null +++ b/Update-EVP_EncodeInit.pod.patch @@ -0,0 +1,36 @@ +From 7a989af7386e97add7c759fda688c5d2e79e812e Mon Sep 17 00:00:00 2001 +From: Read Hughes +Date: Thu, 23 Jul 2020 10:25:28 -0400 +Subject: [PATCH 057/147] Update EVP_EncodeInit.pod + +Fix EVP_EncodeBlock description using incorrect parameter name for encoding length + +CLA: trivial + +Reviewed-by: Matt Caswell +Reviewed-by: Dmitry Belyavskiy +(Merged from https://github.com/openssl/openssl/pull/12518) + +(cherry picked from commit 1660c8fa6be2d7c4587e490c88a44a870e9b4298) +--- + doc/man3/EVP_EncodeInit.pod | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/man3/EVP_EncodeInit.pod b/doc/man3/EVP_EncodeInit.pod +index 8055b10..2589254 100644 +--- a/doc/man3/EVP_EncodeInit.pod ++++ b/doc/man3/EVP_EncodeInit.pod +@@ -83,8 +83,8 @@ EVP_ENCODE_CTX_num() will return the number of as yet unprocessed bytes still to + be encoded or decoded that are pending in the B object. + + EVP_EncodeBlock() encodes a full block of input data in B and of length +-B and stores it in B. For every 3 bytes of input provided 4 bytes of +-output data will be produced. If B is not divisible by 3 then the block is ++B and stores it in B. For every 3 bytes of input provided 4 bytes of ++output data will be produced. If B is not divisible by 3 then the block is + encoded as a final block of data and the output is padded such that it is always + divisible by 4. Additionally a NUL terminator character will be added. For + example if 16 bytes of input data is provided then 24 bytes of encoded data is +-- +1.8.3.1 + diff --git a/Use-size-of-target-buffer-for-allocation.patch b/Use-size-of-target-buffer-for-allocation.patch new file mode 100644 index 0000000000000000000000000000000000000000..cda3aa52c7194ea03448d6906db6e68e27e78849 --- /dev/null +++ b/Use-size-of-target-buffer-for-allocation.patch @@ -0,0 +1,32 @@ +From ae9bcce2ab57d19119a85788eb48f8e8ba8ed3ee Mon Sep 17 00:00:00 2001 +From: Benny Baumann +Date: Fri, 2 Oct 2020 01:04:06 +0200 +Subject: [PATCH 078/147] Use size of target buffer for allocation + +Reviewed-by: Ben Kaduk +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Richard Levitte +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/13055) + +(cherry picked from commit 8ad369171fc2b435c0ca427111481da4d4c3c1ce) +--- + ssl/ssl_sess.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index 40c157b..423bb4d 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -107,7 +107,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) + { + SSL_SESSION *dest; + +- dest = OPENSSL_malloc(sizeof(*src)); ++ dest = OPENSSL_malloc(sizeof(*dest)); + if (dest == NULL) { + goto err; + } +-- +1.8.3.1 + diff --git a/Verification-zero-length-content-in-S-MIME-format.patch b/Verification-zero-length-content-in-S-MIME-format.patch new file mode 100644 index 0000000000000000000000000000000000000000..3cdb58dc015f06b5d604d7ee88e67ec3905f5156 --- /dev/null +++ b/Verification-zero-length-content-in-S-MIME-format.patch @@ -0,0 +1,43 @@ +From 6f1bee08cf80b9473496991b51f1f4a0decd96de Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 9 Oct 2020 20:04:05 +0300 +Subject: [PATCH 095/147] Verification zero-length content in S/MIME format + +Fixes #13082 + +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/13106) +--- + crypto/cms/cms_smime.c | 2 +- + crypto/pkcs7/pk7_smime.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c +index 652e97b..2c475ea 100644 +--- a/crypto/cms/cms_smime.c ++++ b/crypto/cms/cms_smime.c +@@ -341,7 +341,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, + char *ptr; + long len; + len = BIO_get_mem_data(dcont, &ptr); +- tmpin = BIO_new_mem_buf(ptr, len); ++ tmpin = (len == 0) ? dcont : BIO_new_mem_buf(ptr, len); + if (tmpin == NULL) { + CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE); + goto err2; +diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c +index 4418723..4ce44d8 100644 +--- a/crypto/pkcs7/pk7_smime.c ++++ b/crypto/pkcs7/pk7_smime.c +@@ -301,7 +301,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, + char *ptr; + long len; + len = BIO_get_mem_data(indata, &ptr); +- tmpin = BIO_new_mem_buf(ptr, len); ++ tmpin = (len == 0) ? indata : BIO_new_mem_buf(ptr, len); + if (tmpin == NULL) { + PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; +-- +1.8.3.1 + diff --git a/bio-printf-Avoid-using-rounding-errors-in-range-chec.patch b/bio-printf-Avoid-using-rounding-errors-in-range-chec.patch new file mode 100644 index 0000000000000000000000000000000000000000..2e4a05bc847124bb7e8de475b11316cdf741b7d9 --- /dev/null +++ b/bio-printf-Avoid-using-rounding-errors-in-range-chec.patch @@ -0,0 +1,103 @@ +From 7d76c1fa0d6cd085419cb4cfadad8cfdfd24ce1f Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Mon, 25 May 2020 20:13:47 +0200 +Subject: [PATCH 004/147] bio printf: Avoid using rounding errors in range + check + +There is a problem casting ULONG_MAX to double which clang-10 is warning about. +ULONG_MAX typically cannot be exactly represented as a double. ULONG_MAX + 1 +can be and this fix uses the latter, however since ULONG_MAX cannot be +represented exactly as a double number we subtract 65535 from this number, +and the result has at most 48 leading one bits, and can therefore be +represented as a double integer without rounding error. By adding +65536.0 to this number we achive the correct result, which should avoid the +warning. + +The addresses a symptom of the underlying problem: we print doubles via an +unsigned long integer. Doubles have a far greater range and should be printed +better. + +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/11955) + +(cherry picked from commit 082c041b4233b17b80129d4ac6b33a28014442b0) +--- + crypto/bio/b_print.c | 8 +++++++- + test/bioprinttest.c | 34 ++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c +index 8ef90ac..48556f7 100644 +--- a/crypto/bio/b_print.c ++++ b/crypto/bio/b_print.c +@@ -635,7 +635,13 @@ fmtfp(char **sbuffer, + fvalue = tmpvalue; + } + ufvalue = abs_val(fvalue); +- if (ufvalue > ULONG_MAX) { ++ /* ++ * By subtracting 65535 (2^16-1) we cancel the low order 15 bits ++ * of ULONG_MAX to avoid using imprecise floating point values. ++ * The second condition is necessary to catch NaN values. ++ */ ++ if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0 ++ || !(ufvalue == ufvalue) /* NaN */) { + /* Number too big */ + return 0; + } +diff --git a/test/bioprinttest.c b/test/bioprinttest.c +index 680391e..e37b854 100644 +--- a/test/bioprinttest.c ++++ b/test/bioprinttest.c +@@ -241,14 +241,48 @@ static int test_fp(int i) + return r; + } + ++extern double zero_value; ++double zero_value = 0.0; ++ + static int test_big(void) + { + char buf[80]; ++ double d, z, inf, nan; + + /* Test excessively big number. Should fail */ + if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf), + "%f\n", 2 * (double)ULONG_MAX), -1)) + return 0; ++ ++ d = 1.0; ++ z = zero_value; ++ inf = d / z; ++ nan = z / z; ++ ++ /* ++ * Test +/-inf, nan. Should fail. ++ * Test +/-1.0, +/-0.0. Should work. ++ */ ++ if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", inf), -1) ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", -inf), -1) ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", nan), -1) ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", d), 8) ++ || !TEST_str_eq(buf, "1.000000") ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", z), 8) ++ || !TEST_str_eq(buf, "0.000000") ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", -d), 9) ++ || !TEST_str_eq(buf, "-1.000000") ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", -z), 8) ++ || !TEST_str_eq(buf, "0.000000")) ++ return 0; ++ + return 1; + } + +-- +1.8.3.1 + diff --git a/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch b/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch new file mode 100644 index 0000000000000000000000000000000000000000..8a78409fa7cc86be21e80418bd8e10d5fdec0f03 --- /dev/null +++ b/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch @@ -0,0 +1,38 @@ +From 5795acffd8706e1cb584284ee5bb3a30986d0e75 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Tue, 27 Oct 2020 18:02:40 +0100 +Subject: [PATCH 091/147] crypto/poly1305/asm: fix armv8 pointer authentication + +PAC pointer authentication signs the return address against the value +of the stack pointer, to prevent stack overrun exploits from corrupting +the control flow. However, this requires that the AUTIASP is issued with +SP holding the same value as it held when the PAC value was generated. +The Poly1305 armv8 code got this wrong, resulting in crashes on PAC +capable hardware. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/13256) + +(cherry picked from commit fcf6e9d056162d5af64c6f7209388a5c3be2ce57) +--- + crypto/poly1305/asm/poly1305-armv8.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl +index d07494b..2a42b64 100755 +--- a/crypto/poly1305/asm/poly1305-armv8.pl ++++ b/crypto/poly1305/asm/poly1305-armv8.pl +@@ -864,8 +864,8 @@ poly1305_blocks_neon: + st1 {$ACC4}[0],[$ctx] + + .Lno_data_neon: +- .inst 0xd50323bf // autiasp + ldr x29,[sp],#80 ++ .inst 0xd50323bf // autiasp + ret + .size poly1305_blocks_neon,.-poly1305_blocks_neon + +-- +1.8.3.1 + diff --git a/doc-Fix-documentation-of-EVP_EncryptUpdate.patch b/doc-Fix-documentation-of-EVP_EncryptUpdate.patch new file mode 100644 index 0000000000000000000000000000000000000000..bd99a9055adc04bb884ad9766b26466a960062ae --- /dev/null +++ b/doc-Fix-documentation-of-EVP_EncryptUpdate.patch @@ -0,0 +1,42 @@ +From a47dd08d6cacc64536c2f57e0f0aee03dcfaab3d Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Tue, 14 Jul 2020 08:39:32 +1000 +Subject: [PATCH 052/147] doc: Fix documentation of EVP_EncryptUpdate(). + +The documentation was off by one for the length this function could return. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12435) + +(cherry picked from commit 3fc164e8d18dcdef57d297956debf8d966e7fbef) +--- + doc/man3/EVP_EncryptInit.pod | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod +index 2828bca..23ddf91 100644 +--- a/doc/man3/EVP_EncryptInit.pod ++++ b/doc/man3/EVP_EncryptInit.pod +@@ -146,10 +146,15 @@ appropriate. + EVP_EncryptUpdate() encrypts B bytes from the buffer B and + writes the encrypted version to B. This function can be called + multiple times to encrypt successive blocks of data. The amount +-of data written depends on the block alignment of the encrypted data: +-as a result the amount of data written may be anything from zero bytes +-to (inl + cipher_block_size - 1) so B should contain sufficient +-room. The actual number of bytes written is placed in B. It also ++of data written depends on the block alignment of the encrypted data. ++For most ciphers and modes, the amount of data written can be anything ++from zero bytes to (inl + cipher_block_size - 1) bytes. ++For wrap cipher modes, the amount of data written can be anything ++from zero bytes to (inl + cipher_block_size) bytes. ++For stream ciphers, the amount of data written can be anything from zero ++bytes to inl bytes. ++Thus, B should contain sufficient room for the operation being performed. ++The actual number of bytes written is placed in B. It also + checks if B and B are partially overlapping, and if they are + 0 is returned to indicate failure. + +-- +1.8.3.1 + diff --git a/doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch b/doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch new file mode 100644 index 0000000000000000000000000000000000000000..73e24d7825a57c2e9383646374ca24e9321e2bb0 --- /dev/null +++ b/doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch @@ -0,0 +1,43 @@ +From 7bdf1ee8ccb69a743e29e3d1a72194c30e8583ae Mon Sep 17 00:00:00 2001 +From: pedro martelletto +Date: Wed, 24 Jun 2020 17:48:00 +0200 +Subject: [PATCH 029/147] doc/man3: fix types taken by HMAC(), HMAC_Update() + +HMAC() and HMAC_Update() take size_t for 'n' and 'len' respectively. + +CLA: trivial + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/12264) + +(cherry picked from commit cc63865f336e0144f8501aa0a862ba0247a50622) +--- + doc/man3/HMAC.pod | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/man3/HMAC.pod b/doc/man3/HMAC.pod +index 30c0e6b..cc0d470 100644 +--- a/doc/man3/HMAC.pod ++++ b/doc/man3/HMAC.pod +@@ -21,7 +21,7 @@ HMAC_size + #include + + unsigned char *HMAC(const EVP_MD *evp_md, const void *key, +- int key_len, const unsigned char *d, int n, ++ int key_len, const unsigned char *d, size_t n, + unsigned char *md, unsigned int *md_len); + + HMAC_CTX *HMAC_CTX_new(void); +@@ -29,7 +29,7 @@ HMAC_size + + int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len, + const EVP_MD *md, ENGINE *impl); +- int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len); ++ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len); + int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len); + + void HMAC_CTX_free(HMAC_CTX *ctx); +-- +1.8.3.1 + diff --git a/fix-a-docs-typo.patch b/fix-a-docs-typo.patch new file mode 100644 index 0000000000000000000000000000000000000000..00192279b63f823e3b2591dadb0aaf12e60c854c --- /dev/null +++ b/fix-a-docs-typo.patch @@ -0,0 +1,34 @@ +From 315170f662b3053aa9fe817639e1b78f74f75077 Mon Sep 17 00:00:00 2001 +From: Jack O'Connor +Date: Thu, 28 May 2020 12:42:15 -0400 +Subject: [PATCH 008/147] fix a docs typo + +Correct "EC_KEY_point2buf" to "EC_POINT_point2buf". The former does not exist. + +CLA: trivial + +Reviewed-by: Ben Kaduk +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11988) + +(cherry picked from commit a5a87011baeef71c86938a2bae54f89fbe99e5dc) +--- + doc/man3/EC_KEY_new.pod | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/man3/EC_KEY_new.pod b/doc/man3/EC_KEY_new.pod +index 9d32d78..21663a0 100644 +--- a/doc/man3/EC_KEY_new.pod ++++ b/doc/man3/EC_KEY_new.pod +@@ -122,7 +122,7 @@ EC_KEY_precompute_mult() stores multiples of the underlying EC_GROUP generator + for faster point multiplication. See also L. + + EC_KEY_oct2key() and EC_KEY_key2buf() are identical to the functions +-EC_POINT_oct2point() and EC_KEY_point2buf() except they use the public key ++EC_POINT_oct2point() and EC_POINT_point2buf() except they use the public key + EC_POINT in B. + + EC_KEY_oct2priv() and EC_KEY_priv2oct() convert between the private key +-- +1.8.3.1 + diff --git a/fixed-swapped-parameters-descriptions-for-x509.patch b/fixed-swapped-parameters-descriptions-for-x509.patch new file mode 100644 index 0000000000000000000000000000000000000000..e47c699da7af09d01c4d20b215ae489ef69741ce --- /dev/null +++ b/fixed-swapped-parameters-descriptions-for-x509.patch @@ -0,0 +1,33 @@ +From 48fc6cd59c6d4a8f6ecd57d85d6ef4e6373ff147 Mon Sep 17 00:00:00 2001 +From: Nihal Jere +Date: Tue, 21 Jul 2020 11:31:01 -0500 +Subject: [PATCH 055/147] fixed swapped parameters descriptions for x509 + +CLA: trivial + +Reviewed-by: Tomas Mraz +Reviewed-by: Dmitry Belyavskiy +(Merged from https://github.com/openssl/openssl/pull/12505) +--- + apps/x509.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/apps/x509.c b/apps/x509.c +index 5bb110f..1043eba 100644 +--- a/apps/x509.c ++++ b/apps/x509.c +@@ -140,9 +140,9 @@ const OPTIONS x509_options[] = { + {"", OPT_MD, '-', "Any supported digest"}, + #ifndef OPENSSL_NO_MD5 + {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', +- "Print old-style (MD5) issuer hash value"}, +- {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', + "Print old-style (MD5) subject hash value"}, ++ {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', ++ "Print old-style (MD5) issuer hash value"}, + #endif + #ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +-- +1.8.3.1 + diff --git a/fuzz-asn1.c-Add-missing-include.patch b/fuzz-asn1.c-Add-missing-include.patch new file mode 100644 index 0000000000000000000000000000000000000000..8993ac09338cc288436aee58b537c5a2e3469c94 --- /dev/null +++ b/fuzz-asn1.c-Add-missing-include.patch @@ -0,0 +1,33 @@ +From 1ab9298e43b6023f4083609493f20e354aa7faab Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Sat, 25 Apr 2020 04:11:09 +0200 +Subject: [PATCH 037/217] fuzz/asn1.c: Add missing #include + + gets included via ts.h... except when 'no-ts' has been +configured. + +Fixes #11597 + +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/11640) + +(cherry picked from commit 60ebc0ca5a829e2ae939a9ab13658af202b6dfc7) +--- + fuzz/asn1.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fuzz/asn1.c b/fuzz/asn1.c +index fd2271b..d3148c0 100644 +--- a/fuzz/asn1.c ++++ b/fuzz/asn1.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +-- +1.8.3.1 + diff --git a/i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch b/i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch new file mode 100644 index 0000000000000000000000000000000000000000..937c8270b41f9b2f4aa0b18f9be17ab1fb078b28 --- /dev/null +++ b/i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch @@ -0,0 +1,38 @@ +From a5ae257ed2d046105cff99d72d2d1335091a3515 Mon Sep 17 00:00:00 2001 +From: Christian Hohnstaedt +Date: Sun, 22 Mar 2020 09:41:30 +0100 +Subject: [PATCH 036/217] i2b_PVK_bio: don't set PEM_R_BIO_WRITE_FAILURE in + case of success + +but in case of an error + +CLA: trivial + +Reviewed-by: Richard Levitte +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11380) + +(cherry picked from commit 80b94a5adb461f94629d36db351a051b0a890856) +--- + crypto/pem/pvkfmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c +index 1fc19c1..46ed2ec 100644 +--- a/crypto/pem/pvkfmt.c ++++ b/crypto/pem/pvkfmt.c +@@ -875,9 +875,9 @@ int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, + wrlen = BIO_write(out, tmp, outlen); + OPENSSL_free(tmp); + if (wrlen == outlen) { +- PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE); + return outlen; + } ++ PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE); + return -1; + } + +-- +1.8.3.1 + diff --git a/openssl.spec b/openssl.spec index b8828ee51d14c9e0d84b415652975d0ff898dd3d..4028ee4c843b2486814cfc5d04faf47f67ef8a83 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 3 +Release: 8 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -11,12 +11,74 @@ Source1: Makefile.certificate Patch1: openssl-1.1.1-build.patch Patch2: openssl-1.1.1-fips.patch Patch3: CVE-2020-1967.patch -Patch4: CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch -Patch5: CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch -Patch6: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch -Patch7: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch -Patch8: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch -Patch9: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch +Patch4: Ensure-ECDSA_size-always-returns-0.patch +Patch5: Fix-the-error-handling-in-EC_POINTs_mul.patch +Patch6: Integer-overflow-in-ASN1_STRING_set.patch +Patch7: AES-CTR-DRGB-do-not-leak-timing-information.patch +Patch8: Fix-AES-CTR_DRBG-on-1.1.1.patch +Patch9: BIO_do_accept-correct-error-return-value.patch +Patch10: Add-test-for-CVE-2020-1967.patch +Patch11: EC-Constify-internal-EC_KEY-pointer-usage.patch +Patch12: EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch +Patch13: BN-harden-BN_copy-against-leaks-from-memory-accesses.patch +Patch14: Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch +Patch15: i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch +Patch16: fuzz-asn1.c-Add-missing-include.patch +Patch17: Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch +Patch18: Fix-PEM-certificate-loading-that-sometimes-fails.patch +Patch19: Fix-rsa8192.pem.patch +Patch20: Correct-alignment-calculation-in-ssl3_setup_write.patch +Patch21: Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch +Patch22: Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch +Patch23: Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch +Patch24: Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch +Patch25: t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch +Patch26: Fix-d2i_PrivateKey-to-work-as-documented.patch +Patch27: Prevent-use-after-free-of-global_engine_lock.patch +Patch28: Allow-NULL-arg-to-OSSL_STORE_close.patch +Patch29: EVP_EncryptInit.pod-fix-example.patch +Patch30: bio-printf-Avoid-using-rounding-errors-in-range-chec.patch +Patch31: Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch +Patch32: Revert-the-check-for-NaN-in-f-format.patch +Patch33: fix-a-docs-typo.patch +Patch34: Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch +Patch35: Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch +Patch36: Do-not-allow-dropping-Extended-Master-Secret-extensi.patch +Patch37: EVP-allow-empty-strings-to-EVP_Decode-functions.patch +Patch38: CMS_get0_signers-description.patch +Patch39: Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch +Patch40: Correctly-handle-the-return-value-from-EVP_Cipher-in.patch +Patch41: Fix-wrong-return-value-check-of-mmap-function.patch +Patch42: doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch +Patch43: Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch +Patch44: Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch +Patch45: Add-an-SSL_dup-test.patch +Patch46: Free-pre_proc_exts-in-SSL_free.patch +Patch47: Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch +Patch48: x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch +Patch49: doc-Fix-documentation-of-EVP_EncryptUpdate.patch +Patch50: Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch +Patch51: fixed-swapped-parameters-descriptions-for-x509.patch +Patch52: Update-EVP_EncodeInit.pod.patch +Patch53: Avoid-segfault-in-SSL_export_keying_material-if-ther.patch +Patch54: sslapitest-Add-test-for-premature-call-of-SSL_export.patch +Patch55: Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch +Patch56: Coverity-Fixes.patch +Patch57: Fix-memory-leaks-in-conf_def.c.patch +Patch58: Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch +Patch59: Use-size-of-target-buffer-for-allocation.patch +Patch60: Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch +Patch61: Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch +Patch62: Avoid-potential-doublefree-on-dh-object-assigned-to-.patch +Patch63: Fix-AES-GCM-bug-on-aarch64-BigEndian.patch +Patch64: crypto-poly1305-asm-fix-armv8-pointer-authentication.patch +Patch65: Verification-zero-length-content-in-S-MIME-format.patch +Patch66: CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch +Patch67: CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch +Patch68: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch +Patch69: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch +Patch70: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch +Patch71: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -193,6 +255,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Tue Feb 09 2021 Liufeng - 1:1.1.1f-8 +- backport some bugfix patches from OpenSSL community and reset the release + * Mon Jan 19 2021 openEuler Buildteam - 1:1.1.1f-3 - fix CVE-2020-1971 diff --git a/sslapitest-Add-test-for-premature-call-of-SSL_export.patch b/sslapitest-Add-test-for-premature-call-of-SSL_export.patch new file mode 100644 index 0000000000000000000000000000000000000000..880f9509dc74fc20b0f512da838377c1bb1ef57c --- /dev/null +++ b/sslapitest-Add-test-for-premature-call-of-SSL_export.patch @@ -0,0 +1,45 @@ +From 46a9ee8c796c8b5f8d95290676119b4f3d72be91 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 6 Aug 2020 15:14:29 +0200 +Subject: [PATCH 061/147] sslapitest: Add test for premature call of + SSL_export_keying_material + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/12594) + +(cherry picked from commit ea9f6890eb54e4b9e8b81cc1318ca3a6fc0c8356) +--- + test/sslapitest.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 5220722..ad1824c 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -4432,9 +4432,20 @@ static int test_export_key_mat(int tst) + SSL_CTX_set_min_proto_version(cctx, protocols[tst]); + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, +- NULL)) +- || !TEST_true(create_ssl_connection(serverssl, clientssl, +- SSL_ERROR_NONE))) ++ NULL))) ++ goto end; ++ ++ /* ++ * Premature call of SSL_export_keying_material should just fail. ++ */ ++ if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, ++ sizeof(ckeymat1), label, ++ SMALL_LABEL_LEN + 1, context, ++ sizeof(context) - 1, 1), 0)) ++ goto end; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) + goto end; + + if (tst == 5) { +-- +1.8.3.1 + diff --git a/t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch b/t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch new file mode 100644 index 0000000000000000000000000000000000000000..c1ea754c5864805d74a5e8b19330c1483b7456e5 --- /dev/null +++ b/t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch @@ -0,0 +1,72 @@ +From cf94e8430f3cd7c17f62b74443d16347b4b97ac8 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 19 May 2020 10:52:53 +0200 +Subject: [PATCH 061/217] t1_trce: Fix remaining places where the 24 bit shift + overflow happens + +[extended tests] + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/11857) + +(cherry picked from commit 7486c718e54cc762edc5f1c7c526ab83d0f97ef7) +--- + ssl/t1_trce.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c +index 5c84339..edd839a 100644 +--- a/ssl/t1_trce.c ++++ b/ssl/t1_trce.c +@@ -656,7 +656,10 @@ static int ssl_print_random(BIO *bio, int indent, + + if (*pmsglen < 32) + return 0; +- tm = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; ++ tm = ((unsigned int)p[0] << 24) ++ | ((unsigned int)p[1] << 16) ++ | ((unsigned int)p[2] << 8) ++ | (unsigned int)p[3]; + p += 4; + BIO_indent(bio, indent, 80); + BIO_puts(bio, "Random:\n"); +@@ -864,8 +867,10 @@ static int ssl_print_extension(BIO *bio, int indent, int server, + break; + if (extlen != 4) + return 0; +- max_early_data = (ext[0] << 24) | (ext[1] << 16) | (ext[2] << 8) +- | ext[3]; ++ max_early_data = ((unsigned int)ext[0] << 24) ++ | ((unsigned int)ext[1] << 16) ++ | ((unsigned int)ext[2] << 8) ++ | (unsigned int)ext[3]; + BIO_indent(bio, indent + 2, 80); + BIO_printf(bio, "max_early_data=%u\n", max_early_data); + break; +@@ -1356,7 +1361,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl, + } + if (msglen < 4) + return 0; +- tick_life = (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3]; ++ tick_life = ((unsigned int)msg[0] << 24) ++ | ((unsigned int)msg[1] << 16) ++ | ((unsigned int)msg[2] << 8) ++ | (unsigned int)msg[3]; + msglen -= 4; + msg += 4; + BIO_indent(bio, indent + 2, 80); +@@ -1367,7 +1375,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl, + if (msglen < 4) + return 0; + ticket_age_add = +- (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3]; ++ ((unsigned int)msg[0] << 24) ++ | ((unsigned int)msg[1] << 16) ++ | ((unsigned int)msg[2] << 8) ++ | (unsigned int)msg[3]; + msglen -= 4; + msg += 4; + BIO_indent(bio, indent + 2, 80); +-- +1.8.3.1 + diff --git a/x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch b/x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch new file mode 100644 index 0000000000000000000000000000000000000000..ee450fea6fd21faa181bd9dedb6f99d7cad29574 --- /dev/null +++ b/x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch @@ -0,0 +1,151 @@ +From 42bb51e59308b3ebc5cc1c35ff4822fba6b52d79 Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Fri, 3 Jul 2020 21:19:55 +0200 +Subject: [PATCH 051/147] x509_vfy.c: Improve key usage checks in + internal_verify() of cert chains + +If a presumably self-signed cert is last in chain we verify its signature +only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the +signature verification, but not in case it is a (non-conforming) self-issued +CA certificate with a key usage extension that does not include keyCertSign. + +Make clear when we must verify the signature of a certificate +and when we must adhere to key usage restrictions of the 'issuing' cert. +Add some comments for making internal_verify() easier to understand. +Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12357) +--- + crypto/x509/x509_vfy.c | 46 ++++++++++++++++++++++++-------- + doc/man1/verify.pod | 7 +++-- + doc/man3/X509_VERIFY_PARAM_set_flags.pod | 13 +++++---- + 3 files changed, 48 insertions(+), 18 deletions(-) + +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 87b51e9..f30c0f8 100644 +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -1716,6 +1716,7 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) + return 1; + } + ++/* verify the issuer signatures and cert times of ctx->chain */ + static int internal_verify(X509_STORE_CTX *ctx) + { + int n = sk_X509_num(ctx->chain) - 1; +@@ -1734,7 +1735,7 @@ static int internal_verify(X509_STORE_CTX *ctx) + } + + if (ctx->check_issued(ctx, xi, xi)) +- xs = xi; ++ xs = xi; /* the typical case: last cert in the chain is self-issued */ + else { + if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { + xs = xi; +@@ -1754,26 +1755,49 @@ static int internal_verify(X509_STORE_CTX *ctx) + */ + while (n >= 0) { + /* +- * Skip signature check for self-issued certificates unless explicitly ++ * For each iteration of this loop: ++ * n is the subject depth ++ * xs is the subject cert, for which the signature is to be checked ++ * xi is the supposed issuer cert containing the public key to use ++ * Initially xs == xi if the last cert in the chain is self-issued. ++ * ++ * Skip signature check for self-signed certificates unless explicitly + * asked for because it does not add any security and just wastes time. +- * If the issuer's public key is not available or its key usage does +- * not support issuing the subject cert, report the issuer certificate +- * and its depth (rather than the depth of the subject). + */ +- if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { ++ if (xs != xi || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE) ++ && (xi->ex_flags & EXFLAG_SS) != 0)) { + EVP_PKEY *pkey; ++ /* ++ * If the issuer's public key is not available or its key usage ++ * does not support issuing the subject cert, report the issuer ++ * cert and its depth (rather than n, the depth of the subject). ++ */ + int issuer_depth = n + (xs == xi ? 0 : 1); +- int ret = x509_signing_allowed(xi, xs); ++ /* ++ * According to https://tools.ietf.org/html/rfc5280#section-6.1.4 ++ * step (n) we must check any given key usage extension in a CA cert ++ * when preparing the verification of a certificate issued by it. ++ * According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3 ++ * we must not verify a certifiate signature if the key usage of the ++ * CA certificate that issued the certificate prohibits signing. ++ * In case the 'issuing' certificate is the last in the chain and is ++ * not a CA certificate but a 'self-issued' end-entity cert (i.e., ++ * xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply ++ * (see https://tools.ietf.org/html/rfc6818#section-2) and thus ++ * we are free to ignore any key usage restrictions on such certs. ++ */ ++ int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0 ++ ? X509_V_OK : x509_signing_allowed(xi, xs); + + if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret)) + return 0; + if ((pkey = X509_get0_pubkey(xi)) == NULL) { +- if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, +- X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) ++ ret = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ++ if (!verify_cb_cert(ctx, xi, issuer_depth, ret)) + return 0; + } else if (X509_verify(xs, pkey) <= 0) { +- if (!verify_cb_cert(ctx, xs, n, +- X509_V_ERR_CERT_SIGNATURE_FAILURE)) ++ ret = X509_V_ERR_CERT_SIGNATURE_FAILURE; ++ if (!verify_cb_cert(ctx, xs, n, ret)) + return 0; + } + } +diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod +index 63ba850..18e803c 100644 +--- a/doc/man1/verify.pod ++++ b/doc/man1/verify.pod +@@ -98,8 +98,11 @@ current system time. B is the number of seconds since + + =item B<-check_ss_sig> + +-Verify the signature on the self-signed root CA. This is disabled by default +-because it doesn't add any security. ++Verify the signature of ++the last certificate in a chain if the certificate is supposedly self-signed. ++This is prohibited and will result in an error if it is a non-conforming CA ++certificate with key usage restrictions not including the keyCertSign bit. ++This verification is disabled by default because it doesn't add any security. + + =item B<-CRLfile file> + +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index 7593dea..a87b71d 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod ++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -264,12 +264,15 @@ they are enabled. + If B is set delta CRLs (if present) are used to + determine certificate status. If not set deltas are ignored. + +-B enables checking of the root CA self signed +-certificate signature. By default this check is disabled because it doesn't ++B requests checking the signature of ++the last certificate in a chain if the certificate is supposedly self-signed. ++This is prohibited and will result in an error if it is a non-conforming CA ++certificate with key usage restrictions not including the keyCertSign bit. ++By default this check is disabled because it doesn't + add any additional security but in some cases applications might want to +-check the signature anyway. A side effect of not checking the root CA +-signature is that disabled or unsupported message digests on the root CA +-are not treated as fatal errors. ++check the signature anyway. A side effect of not checking the self-signature ++of such a certificate is that disabled or unsupported message digests used for ++the signature are not treated as fatal errors. + + When B is set, construction of the certificate chain + in L will search the trust store for issuer certificates +-- +1.8.3.1 +