From 2a7837beaa7e5efb227a88665a2c66901b99cfbd Mon Sep 17 00:00:00 2001 From: openeuler_eason Date: Fri, 13 Nov 2020 17:20:15 +0800 Subject: [PATCH 1/6] make openssl require openssl-help --- openssl.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/openssl.spec b/openssl.spec index c5cdbf7..47f3c3c 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 1 +Release: 2 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -15,6 +15,7 @@ Patch3: CVE-2020-1967.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel Requires: coreutils perl %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-help = %{epoch}:%{version}-%{release} Obsoletes: openssl-perl < %{epoch}:%{version}-%{release} Provides: openssl-perl%{_isa} = %{epoch}:%{version}-%{release} @@ -186,6 +187,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Fri Nov 13 2020 Liufeng - 1:1.1.1f-2 +- make openssl require openssl-help + * Tue May 12 2020 openEuler Buildteam - 1:1.1.1f-1 - update openssl-1.1.1d to openssl-1.1.1f and fix CVE-2020-1967 -- Gitee From f7b24b6802493b21d1960ae9bdda48b1c939936b Mon Sep 17 00:00:00 2001 From: guoxiaoqi Date: Tue, 19 Jan 2021 17:10:24 +0800 Subject: [PATCH 2/6] CVE-2020-1971 --- ...is-a-CHOICE-type-and-therefore-uses-.patch | 41 ++ ...are-EdiPartyName-in-GENERAL_NAME_cmp.patch | 101 +++++ ...-strings-CHOICE-types-don-t-use-impl.patch | 103 +++++ ...re-attempting-to-encode-with-an-inva.patch | 116 ++++++ ...0005-Add-a-test-for-GENERAL_NAME_cmp.patch | 372 ++++++++++++++++++ ...ncoding-decoding-using-an-invalid-AS.patch | 121 ++++++ openssl.spec | 11 +- 7 files changed, 864 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch create mode 100644 CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch create mode 100644 CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch create mode 100644 CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch create mode 100644 CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch create mode 100644 CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch diff --git a/CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch b/CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch new file mode 100644 index 0000000..0bf75e6 --- /dev/null +++ b/CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch @@ -0,0 +1,41 @@ +From aa0ad2011d3e7ad8a611da274ef7d9c7706e289b Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 11 Nov 2020 15:19:34 +0000 +Subject: [PATCH 01/31] DirectoryString is a CHOICE type and therefore uses + explicit tagging + +EDIPartyName has 2 fields that use a DirectoryString. However they were +marked as implicit tagging - which is not correct for a CHOICE type. + +Additionally the partyName field was marked as Optional when, according to +RFC5280 it is not. + +Many thanks to github user @filipnavara for reporting this issue. Also to +David Benjamin from Google who independently identified and reported it. + +Fixes #6859 + +Reviewed-by: Tomas Mraz +--- + crypto/x509v3/v3_genn.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c +index 23e3bc4..b483f35 100644 +--- a/crypto/x509v3/v3_genn.c ++++ b/crypto/x509v3/v3_genn.c +@@ -22,8 +22,9 @@ ASN1_SEQUENCE(OTHERNAME) = { + IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME) + + ASN1_SEQUENCE(EDIPARTYNAME) = { +- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), +- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) ++ /* DirectoryString is a CHOICE type so use explicit tagging */ ++ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), ++ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) + } ASN1_SEQUENCE_END(EDIPARTYNAME) + + IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME) +-- +1.8.3.1 + diff --git a/CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch b/CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch new file mode 100644 index 0000000..36954c1 --- /dev/null +++ b/CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch @@ -0,0 +1,101 @@ +From f960d81215ebf3f65e03d4d5d857fb9b666d6920 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 11 Nov 2020 16:12:58 +0000 +Subject: [PATCH 02/31] Correctly compare EdiPartyName in GENERAL_NAME_cmp() + +If a GENERAL_NAME field contained EdiPartyName data then it was +incorrectly being handled as type "other". This could lead to a +segmentation fault. + +Many thanks to David Benjamin from Google for reporting this issue. + +CVE-2020-1971 + +Reviewed-by: Tomas Mraz +--- + crypto/x509v3/v3_genn.c | 45 ++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 42 insertions(+), 3 deletions(-) + +diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c +index b483f35..6f0a347 100644 +--- a/crypto/x509v3/v3_genn.c ++++ b/crypto/x509v3/v3_genn.c +@@ -58,6 +58,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a) + (char *)a); + } + ++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) ++{ ++ int res; ++ ++ if (a == NULL || b == NULL) { ++ /* ++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it ++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here ++ */ ++ return -1; ++ } ++ if (a->nameAssigner == NULL && b->nameAssigner != NULL) ++ return -1; ++ if (a->nameAssigner != NULL && b->nameAssigner == NULL) ++ return 1; ++ /* If we get here then both have nameAssigner set, or both unset */ ++ if (a->nameAssigner != NULL) { ++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); ++ if (res != 0) ++ return res; ++ } ++ /* ++ * partyName is required, so these should never be NULL. We treat it in ++ * the same way as the a == NULL || b == NULL case above ++ */ ++ if (a->partyName == NULL || b->partyName == NULL) ++ return -1; ++ ++ return ASN1_STRING_cmp(a->partyName, b->partyName); ++} ++ + /* Returns 0 if they are equal, != 0 otherwise. */ + int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + { +@@ -67,8 +98,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + return -1; + switch (a->type) { + case GEN_X400: ++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ break; ++ + case GEN_EDIPARTY: +- result = ASN1_TYPE_cmp(a->d.other, b->d.other); ++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); + break; + + case GEN_OTHERNAME: +@@ -115,8 +149,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) + { + switch (type) { + case GEN_X400: ++ a->d.x400Address = value; ++ break; ++ + case GEN_EDIPARTY: +- a->d.other = value; ++ a->d.ediPartyName = value; + break; + + case GEN_OTHERNAME: +@@ -150,8 +187,10 @@ void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) + *ptype = a->type; + switch (a->type) { + case GEN_X400: ++ return a->d.x400Address; ++ + case GEN_EDIPARTY: +- return a->d.other; ++ return a->d.ediPartyName; + + case GEN_OTHERNAME: + return a->d.otherName; +-- +1.8.3.1 + diff --git a/CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch b/CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch new file mode 100644 index 0000000..6e810be --- /dev/null +++ b/CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch @@ -0,0 +1,103 @@ +From 1ecc76f6746cefd502c7e9000bdfa4e5d7911386 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 12 Nov 2020 11:58:12 +0000 +Subject: [PATCH 03/31] Check that multi-strings/CHOICE types don't use + implicit tagging + +It never makes sense for multi-string or CHOICE types to use implicit +tagging since the content would be ambiguous. It is an error in the +template if this ever happens. If we detect it we should stop parsing. + +Thanks to David Benjamin from Google for reporting this issue. + +Reviewed-by: Tomas Mraz +--- + crypto/asn1/asn1_err.c | 1 + + crypto/asn1/tasn_dec.c | 19 +++++++++++++++++++ + crypto/err/openssl.txt | 1 + + include/openssl/asn1err.h | 1 + + 4 files changed, 22 insertions(+) + +diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c +index 613f9ae..99a087d 100644 +--- a/crypto/asn1/asn1_err.c ++++ b/crypto/asn1/asn1_err.c +@@ -160,6 +160,7 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = { + "asn1 sig parse error"}, + {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_AUX_ERROR), "aux error"}, + {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_OBJECT_HEADER), "bad object header"}, ++ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TEMPLATE), "bad template"}, + {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BMPSTRING_IS_WRONG_LENGTH), + "bmpstring is wrong length"}, + {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BN_LIB), "bn lib"}, +diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c +index 2332b20..1021705 100644 +--- a/crypto/asn1/tasn_dec.c ++++ b/crypto/asn1/tasn_dec.c +@@ -182,6 +182,15 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in, + tag, aclass, opt, ctx); + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + p = *in; + /* Just read in tag and class */ + ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, +@@ -199,6 +208,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in, + ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL); + goto err; + } ++ + /* Check tag matches bit map */ + if (!(ASN1_tag2bit(otag) & it->utype)) { + /* If OPTIONAL, assume this is OK */ +@@ -215,6 +225,15 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in, + return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx); + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + if (*pval) { +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index 0b5873e..2f93221 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -1771,6 +1771,7 @@ ASN1_R_ASN1_PARSE_ERROR:203:asn1 parse error + ASN1_R_ASN1_SIG_PARSE_ERROR:204:asn1 sig parse error + ASN1_R_AUX_ERROR:100:aux error + ASN1_R_BAD_OBJECT_HEADER:102:bad object header ++ASN1_R_BAD_TEMPLATE:230:bad template + ASN1_R_BMPSTRING_IS_WRONG_LENGTH:214:bmpstring is wrong length + ASN1_R_BN_LIB:105:bn lib + ASN1_R_BOOLEAN_IS_WRONG_LENGTH:106:boolean is wrong length +diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h +index faed5a5..9070e26 100644 +--- a/include/openssl/asn1err.h ++++ b/include/openssl/asn1err.h +@@ -145,6 +145,7 @@ int ERR_load_ASN1_strings(void); + # define ASN1_R_ASN1_SIG_PARSE_ERROR 204 + # define ASN1_R_AUX_ERROR 100 + # define ASN1_R_BAD_OBJECT_HEADER 102 ++# define ASN1_R_BAD_TEMPLATE 230 + # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214 + # define ASN1_R_BN_LIB 105 + # define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 +-- +1.8.3.1 + diff --git a/CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch b/CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch new file mode 100644 index 0000000..c575a53 --- /dev/null +++ b/CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch @@ -0,0 +1,116 @@ +From 41d62636fd996c031c0c7cef746476278583dc9e Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 12 Nov 2020 14:55:31 +0000 +Subject: [PATCH 04/31] Complain if we are attempting to encode with an invalid + ASN.1 template + +It never makes sense for multi-string or CHOICE types to have implicit +tagging. If we have a template that uses the in this way then we +should immediately fail. + +Thanks to David Benjamin from Google for reporting this issue. + +Reviewed-by: Tomas Mraz +--- + crypto/asn1/asn1_err.c | 3 ++- + crypto/asn1/tasn_enc.c | 16 ++++++++++++++++ + crypto/err/openssl.txt | 1 + + include/openssl/asn1err.h | 7 +++---- + 4 files changed, 22 insertions(+), 5 deletions(-) + +diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c +index 99a087d..cc0a59c 100644 +--- a/crypto/asn1/asn1_err.c ++++ b/crypto/asn1/asn1_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -49,6 +49,7 @@ static const ERR_STRING_DATA ASN1_str_functs[] = { + "asn1_item_embed_d2i"}, + {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EMBED_NEW, 0), + "asn1_item_embed_new"}, ++ {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EX_I2D, 0), "ASN1_item_ex_i2d"}, + {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_FLAGS_I2D, 0), + "asn1_item_flags_i2d"}, + {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_I2D_BIO, 0), "ASN1_item_i2d_bio"}, +diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c +index d600c7a..52a051d 100644 +--- a/crypto/asn1/tasn_enc.c ++++ b/crypto/asn1/tasn_enc.c +@@ -103,9 +103,25 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, + return asn1_i2d_ex_primitive(pval, out, it, tag, aclass); + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) + return 0; + i = asn1_get_choice_selector(pval, it); +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index 2f93221..815460b 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -36,6 +36,7 @@ ASN1_F_ASN1_ITEM_D2I_FP:206:ASN1_item_d2i_fp + ASN1_F_ASN1_ITEM_DUP:191:ASN1_item_dup + ASN1_F_ASN1_ITEM_EMBED_D2I:120:asn1_item_embed_d2i + ASN1_F_ASN1_ITEM_EMBED_NEW:121:asn1_item_embed_new ++ASN1_F_ASN1_ITEM_EX_I2D:144:ASN1_item_ex_i2d + ASN1_F_ASN1_ITEM_FLAGS_I2D:118:asn1_item_flags_i2d + ASN1_F_ASN1_ITEM_I2D_BIO:192:ASN1_item_i2d_bio + ASN1_F_ASN1_ITEM_I2D_FP:193:ASN1_item_i2d_fp +diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h +index 9070e26..e1ad1fe 100644 +--- a/include/openssl/asn1err.h ++++ b/include/openssl/asn1err.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_ASN1ERR_H + # define HEADER_ASN1ERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # ifdef __cplusplus + extern "C" +@@ -53,6 +51,7 @@ int ERR_load_ASN1_strings(void); + # define ASN1_F_ASN1_ITEM_DUP 191 + # define ASN1_F_ASN1_ITEM_EMBED_D2I 120 + # define ASN1_F_ASN1_ITEM_EMBED_NEW 121 ++# define ASN1_F_ASN1_ITEM_EX_I2D 144 + # define ASN1_F_ASN1_ITEM_FLAGS_I2D 118 + # define ASN1_F_ASN1_ITEM_I2D_BIO 192 + # define ASN1_F_ASN1_ITEM_I2D_FP 193 +-- +1.8.3.1 + diff --git a/CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch b/CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch new file mode 100644 index 0000000..614df6c --- /dev/null +++ b/CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch @@ -0,0 +1,372 @@ +From 94ece6af0c89d596f9c5221b7df7d6582168c8ba Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Mon, 30 Nov 2020 13:50:52 +0000 +Subject: [PATCH 05/31] Add a test for GENERAL_NAME_cmp + +Based on a boringssl test contributed by David Benjamin + +Reviewed-by: Tomas Mraz +--- + test/v3nametest.c | 344 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 344 insertions(+) + +diff --git a/test/v3nametest.c b/test/v3nametest.c +index 86f3829..4c8af92 100644 +--- a/test/v3nametest.c ++++ b/test/v3nametest.c +@@ -359,8 +359,352 @@ static int call_run_cert(int i) + return failed == 0; + } + ++struct gennamedata { ++ const unsigned char der[22]; ++ size_t derlen; ++} gennames[] = { ++ { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * SEQUENCE {} ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x30, 0x00 ++ }, ++ 21 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * [APPLICATION 0] {} ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x60, 0x00 ++ }, ++ 21 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.2 } ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x02, 0xa0, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * UTF8String { "b" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * BOOLEAN { TRUE } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0xff ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * BOOLEAN { FALSE } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0x00 ++ }, ++ 22 ++ }, { ++ /* [1 PRIMITIVE] { "a" } */ ++ { ++ 0x81, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [1 PRIMITIVE] { "b" } */ ++ { ++ 0x81, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* [2 PRIMITIVE] { "a" } */ ++ { ++ 0x82, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [2 PRIMITIVE] { "b" } */ ++ { ++ 0x82, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* ++ * [4] { ++ * SEQUENCE { ++ * SET { ++ * SEQUENCE { ++ * # commonName ++ * OBJECT_IDENTIFIER { 2.5.4.3 } ++ * UTF8String { "a" } ++ * } ++ * } ++ * } ++ * } ++ */ ++ { ++ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, ++ 0x04, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 16 ++ }, { ++ /* ++ * [4] { ++ * SEQUENCE { ++ * SET { ++ * SEQUENCE { ++ * # commonName ++ * OBJECT_IDENTIFIER { 2.5.4.3 } ++ * UTF8String { "b" } ++ * } ++ * } ++ * } ++ * } ++ */ ++ { ++ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, ++ 0x04, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 16 ++ }, { ++ /* ++ * [5] { ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 7 ++ }, { ++ /* ++ * [5] { ++ * [1] { ++ * UTF8String { "b" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 7 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String {} ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x09, 0xa0, 0x02, 0x0c, 0x00, 0xa1, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 11 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x61, 0xa1, 0x03, 0x0c, 0x01, ++ 0x61 ++ }, ++ 12 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String { "b" } ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x62, 0xa1, 0x03, 0x0c, 0x01, ++ 0x61 ++ }, ++ 12 ++ }, { ++ /* [6 PRIMITIVE] { "a" } */ ++ { ++ 0x86, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [6 PRIMITIVE] { "b" } */ ++ { ++ 0x86, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* [7 PRIMITIVE] { `11111111` } */ ++ { ++ 0x87, 0x04, 0x11, 0x11, 0x11, 0x11 ++ }, ++ 6 ++ }, { ++ /* [7 PRIMITIVE] { `22222222`} */ ++ { ++ 0x87, 0x04, 0x22, 0x22, 0x22, 0x22 ++ }, ++ 6 ++ }, { ++ /* [7 PRIMITIVE] { `11111111111111111111111111111111` } */ ++ { ++ 0x87, 0x10, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, ++ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11 ++ }, ++ 18 ++ }, { ++ /* [7 PRIMITIVE] { `22222222222222222222222222222222` } */ ++ { ++ 0x87, 0x10, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, ++ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 ++ }, ++ 18 ++ }, { ++ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.1 } */ ++ { ++ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, ++ 0xb7, 0x09, 0x02, 0x01 ++ }, ++ 15 ++ }, { ++ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.2 } */ ++ { ++ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, ++ 0xb7, 0x09, 0x02, 0x02 ++ }, ++ 15 ++ } ++}; ++ ++static int test_GENERAL_NAME_cmp(void) ++{ ++ size_t i, j; ++ GENERAL_NAME **namesa = OPENSSL_malloc(sizeof(*namesa) ++ * OSSL_NELEM(gennames)); ++ GENERAL_NAME **namesb = OPENSSL_malloc(sizeof(*namesb) ++ * OSSL_NELEM(gennames)); ++ int testresult = 0; ++ ++ if (!TEST_ptr(namesa) || !TEST_ptr(namesb)) ++ goto end; ++ ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ const unsigned char *derp = gennames[i].der; ++ ++ /* ++ * We create two versions of each GENERAL_NAME so that we ensure when ++ * we compare them they are always different pointers. ++ */ ++ namesa[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen); ++ derp = gennames[i].der; ++ namesb[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen); ++ if (!TEST_ptr(namesa[i]) || !TEST_ptr(namesb[i])) ++ goto end; ++ } ++ ++ /* Every name should be equal to itself and not equal to any others. */ ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ for (j = 0; j < OSSL_NELEM(gennames); j++) { ++ if (i == j) { ++ if (!TEST_int_eq(GENERAL_NAME_cmp(namesa[i], namesb[j]), 0)) ++ goto end; ++ } else { ++ if (!TEST_int_ne(GENERAL_NAME_cmp(namesa[i], namesb[j]), 0)) ++ goto end; ++ } ++ } ++ } ++ testresult = 1; ++ ++ end: ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ if (namesa != NULL) ++ GENERAL_NAME_free(namesa[i]); ++ if (namesb != NULL) ++ GENERAL_NAME_free(namesb[i]); ++ } ++ OPENSSL_free(namesa); ++ OPENSSL_free(namesb); ++ ++ return testresult; ++} ++ + int setup_tests(void) + { + ADD_ALL_TESTS(call_run_cert, OSSL_NELEM(name_fns)); ++ ADD_TEST(test_GENERAL_NAME_cmp); + return 1; + } +-- +1.8.3.1 + diff --git a/CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch b/CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch new file mode 100644 index 0000000..8569490 --- /dev/null +++ b/CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch @@ -0,0 +1,121 @@ +From 433974af7b188d55b1da049b84f3fdeca320cb6a Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Mon, 30 Nov 2020 14:46:47 +0000 +Subject: [PATCH 06/31] Add a test for encoding/decoding using an invalid ASN.1 + Template + +If you have a CHOICE type that it must use explicit tagging - otherwise +the template is invalid. We add tests for this. + +Reviewed-by: Tomas Mraz +--- + test/asn1_decode_test.c | 36 ++++++++++++++++++++++++++++++++++++ + test/asn1_encode_test.c | 33 +++++++++++++++++++++++++++++++++ + 2 files changed, 69 insertions(+) + +diff --git a/test/asn1_decode_test.c b/test/asn1_decode_test.c +index 369023d..94a22c6 100644 +--- a/test/asn1_decode_test.c ++++ b/test/asn1_decode_test.c +@@ -160,6 +160,41 @@ static int test_uint64(void) + return 1; + } + ++typedef struct { ++ ASN1_STRING *invalidDirString; ++} INVALIDTEMPLATE; ++ ++ASN1_SEQUENCE(INVALIDTEMPLATE) = { ++ /* ++ * DirectoryString is a CHOICE type so it must use explicit tagging - ++ * but we deliberately use implicit here, which makes this template invalid. ++ */ ++ ASN1_IMP(INVALIDTEMPLATE, invalidDirString, DIRECTORYSTRING, 12) ++} static_ASN1_SEQUENCE_END(INVALIDTEMPLATE) ++ ++IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(INVALIDTEMPLATE) ++IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(INVALIDTEMPLATE) ++ ++/* Empty sequence for invalid template test */ ++static unsigned char t_invalid_template[] = { ++ 0x30, 0x03, /* SEQUENCE tag + length */ ++ 0x0c, 0x01, 0x41 /* UTF8String, length 1, "A" */ ++}; ++ ++static int test_invalid_template(void) ++{ ++ const unsigned char *p = t_invalid_template; ++ INVALIDTEMPLATE *tmp = d2i_INVALIDTEMPLATE(NULL, &p, ++ sizeof(t_invalid_template)); ++ ++ /* We expect a NULL pointer return */ ++ if (TEST_ptr_null(tmp)) ++ return 1; ++ ++ INVALIDTEMPLATE_free(tmp); ++ return 0; ++} ++ + int setup_tests(void) + { + #if OPENSSL_API_COMPAT < 0x10200000L +@@ -169,5 +204,6 @@ int setup_tests(void) + ADD_TEST(test_uint32); + ADD_TEST(test_int64); + ADD_TEST(test_uint64); ++ ADD_TEST(test_invalid_template); + return 1; + } +diff --git a/test/asn1_encode_test.c b/test/asn1_encode_test.c +index ed920a4..afbd18b 100644 +--- a/test/asn1_encode_test.c ++++ b/test/asn1_encode_test.c +@@ -856,6 +856,38 @@ static int test_uint64(void) + return test_intern(&uint64_test_package); + } + ++typedef struct { ++ ASN1_STRING *invalidDirString; ++} INVALIDTEMPLATE; ++ ++ASN1_SEQUENCE(INVALIDTEMPLATE) = { ++ /* ++ * DirectoryString is a CHOICE type so it must use explicit tagging - ++ * but we deliberately use implicit here, which makes this template invalid. ++ */ ++ ASN1_IMP(INVALIDTEMPLATE, invalidDirString, DIRECTORYSTRING, 12) ++} static_ASN1_SEQUENCE_END(INVALIDTEMPLATE) ++ ++IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(INVALIDTEMPLATE) ++IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(INVALIDTEMPLATE) ++ ++static int test_invalid_template(void) ++{ ++ INVALIDTEMPLATE *temp = INVALIDTEMPLATE_new(); ++ int ret; ++ ++ if (!TEST_ptr(temp)) ++ return 0; ++ ++ ret = i2d_INVALIDTEMPLATE(temp, NULL); ++ ++ INVALIDTEMPLATE_free(temp); ++ ++ /* We expect the i2d operation to fail */ ++ return ret < 0; ++} ++ ++ + int setup_tests(void) + { + #if OPENSSL_API_COMPAT < 0x10200000L +@@ -866,5 +898,6 @@ int setup_tests(void) + ADD_TEST(test_uint32); + ADD_TEST(test_int64); + ADD_TEST(test_uint64); ++ ADD_TEST(test_invalid_template); + return 1; + } +-- +1.8.3.1 + diff --git a/openssl.spec b/openssl.spec index 47f3c3c..b8828ee 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 2 +Release: 3 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -11,6 +11,12 @@ Source1: Makefile.certificate Patch1: openssl-1.1.1-build.patch Patch2: openssl-1.1.1-fips.patch Patch3: CVE-2020-1967.patch +Patch4: CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch +Patch5: CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch +Patch6: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch +Patch7: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch +Patch8: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch +Patch9: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -187,6 +193,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Mon Jan 19 2021 openEuler Buildteam - 1:1.1.1f-3 +- fix CVE-2020-1971 + * Fri Nov 13 2020 Liufeng - 1:1.1.1f-2 - make openssl require openssl-help -- Gitee From 2dff022165866f257ece8c316976ea3f45cc3125 Mon Sep 17 00:00:00 2001 From: openeuler_eason Date: Tue, 9 Feb 2021 18:51:54 +0800 Subject: [PATCH 3/6] backport some bugfix patches from OpenSSL community and reset the release --- ...-DRGB-do-not-leak-timing-information.patch | 52 +++ Add-an-SSL_dup-test.patch | 104 +++++ Add-test-for-CVE-2020-1967.patch | 118 ++++++ Allow-NULL-arg-to-OSSL_STORE_close.patch | 44 ++ ...h-a-priori-inapplicable-protocol-bou.patch | 219 ++++++++++ ...k-of-parent-on-allocation-failure-fo.patch | 38 ++ ...doublefree-on-dh-object-assigned-to-.patch | 29 ++ ...overflow-to-the-sign-bit-when-shifti.patch | 33 ++ ...n-SSL_export_keying_material-if-ther.patch | 33 ++ ...do_accept-correct-error-return-value.patch | 54 +++ ...y-against-leaks-from-memory-accesses.patch | 58 +++ CMS_get0_signers-description.patch | 32 ++ ...d-char-to-unsigned-int-before-shifti.patch | 42 ++ ...ment-calculation-in-ssl3_setup_write.patch | 46 +++ ...-the-return-value-from-EVP_Cipher-in.patch | 50 +++ Coverity-Fixes.patch | 154 +++++++ ...pping-Extended-Master-Secret-extensi.patch | 67 ++++ ...o-duplicate-the-BIO-state-in-SSL_dup.patch | 59 +++ ...nstify-internal-EC_KEY-pointer-usage.patch | 78 ++++ ...Y-against-leaks-from-memory-accesses.patch | 167 ++++++++ ...mpty-strings-to-EVP_Decode-functions.patch | 34 ++ EVP_EncryptInit.pod-fix-example.patch | 32 ++ Ensure-ECDSA_size-always-returns-0.patch | 32 ++ ...dup-copies-the-min-max-protocol-vers.patch | 30 ++ ...use-a-partially-initialised-CMAC_CTX.patch | 44 ++ Fix-AES-CTR_DRBG-on-1.1.1.patch | 44 ++ Fix-AES-GCM-bug-on-aarch64-BigEndian.patch | 77 ++++ ...ificate-loading-that-sometimes-fails.patch | 142 +++++++ ...o_PrivateKey_traditional-to-not-outp.patch | 126 ++++++ ...ly-data-send-with-out-of-band-PSK-us.patch | 41 ++ ...d2i_PrivateKey-to-work-as-documented.patch | 39 ++ ...-and-mem-leaks-of-BIO_set_conn_port-.patch | 71 ++++ ...y-moving-check-of-KU_KEY_CERT_SIGN-a.patch | 377 ++++++++++++++++++ Fix-memory-leaks-in-conf_def.c.patch | 39 ++ Fix-rsa8192.pem.patch | 266 ++++++++++++ Fix-the-error-handling-in-EC_POINTs_mul.patch | 49 +++ ...pe-cast-in-SSL_CTX_set1_groups-macro.patch | 40 ++ ...after-free-in-BIO_C_SET_SSL-callback.patch | 35 ++ ...-return-value-check-of-mmap-function.patch | 34 ++ Free-pre_proc_exts-in-SSL_free.patch | 39 ++ Integer-overflow-in-ASN1_STRING_set.patch | 57 +++ ...ect-and-friends-handle-multiple-IP-a.patch | 41 ++ ...-for-SSL_SECOP_TMP_DH-in-the-securit.patch | 65 +++ ...use-after-free-of-global_engine_lock.patch | 35 ++ ...up-call-by-OPENSSL_strdup-adding-fai.patch | 35 ++ Revert-the-check-for-NaN-in-f-format.patch | 90 +++++ ...h-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch | 96 +++++ ...-of-band-PSK-with-all-5-ciphersuites.patch | 151 +++++++ Update-EVP_EncodeInit.pod.patch | 36 ++ ...size-of-target-buffer-for-allocation.patch | 32 ++ ...zero-length-content-in-S-MIME-format.patch | 43 ++ ...-using-rounding-errors-in-range-chec.patch | 103 +++++ ...asm-fix-armv8-pointer-authentication.patch | 38 ++ ...x-documentation-of-EVP_EncryptUpdate.patch | 42 ++ ...-fix-types-taken-by-HMAC-HMAC_Update.patch | 43 ++ fix-a-docs-typo.patch | 34 ++ ...ped-parameters-descriptions-for-x509.patch | 33 ++ fuzz-asn1.c-Add-missing-include.patch | 33 ++ ...t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch | 38 ++ openssl.spec | 79 +++- ...est-for-premature-call-of-SSL_export.patch | 45 +++ ...ining-places-where-the-24-bit-shift-.patch | 72 ++++ ...ve-key-usage-checks-in-internal_veri.patch | 151 +++++++ 63 files changed, 4453 insertions(+), 7 deletions(-) create mode 100644 AES-CTR-DRGB-do-not-leak-timing-information.patch create mode 100644 Add-an-SSL_dup-test.patch create mode 100644 Add-test-for-CVE-2020-1967.patch create mode 100644 Allow-NULL-arg-to-OSSL_STORE_close.patch create mode 100644 Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch create mode 100644 Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch create mode 100644 Avoid-potential-doublefree-on-dh-object-assigned-to-.patch create mode 100644 Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch create mode 100644 Avoid-segfault-in-SSL_export_keying_material-if-ther.patch create mode 100644 BIO_do_accept-correct-error-return-value.patch create mode 100644 BN-harden-BN_copy-against-leaks-from-memory-accesses.patch create mode 100644 CMS_get0_signers-description.patch create mode 100644 Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch create mode 100644 Correct-alignment-calculation-in-ssl3_setup_write.patch create mode 100644 Correctly-handle-the-return-value-from-EVP_Cipher-in.patch create mode 100644 Coverity-Fixes.patch create mode 100644 Do-not-allow-dropping-Extended-Master-Secret-extensi.patch create mode 100644 Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch create mode 100644 EC-Constify-internal-EC_KEY-pointer-usage.patch create mode 100644 EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch create mode 100644 EVP-allow-empty-strings-to-EVP_Decode-functions.patch create mode 100644 EVP_EncryptInit.pod-fix-example.patch create mode 100644 Ensure-ECDSA_size-always-returns-0.patch create mode 100644 Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch create mode 100644 Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch create mode 100644 Fix-AES-CTR_DRBG-on-1.1.1.patch create mode 100644 Fix-AES-GCM-bug-on-aarch64-BigEndian.patch create mode 100644 Fix-PEM-certificate-loading-that-sometimes-fails.patch create mode 100644 Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch create mode 100644 Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch create mode 100644 Fix-d2i_PrivateKey-to-work-as-documented.patch create mode 100644 Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch create mode 100644 Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch create mode 100644 Fix-memory-leaks-in-conf_def.c.patch create mode 100644 Fix-rsa8192.pem.patch create mode 100644 Fix-the-error-handling-in-EC_POINTs_mul.patch create mode 100644 Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch create mode 100644 Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch create mode 100644 Fix-wrong-return-value-check-of-mmap-function.patch create mode 100644 Free-pre_proc_exts-in-SSL_free.patch create mode 100644 Integer-overflow-in-ASN1_STRING_set.patch create mode 100644 Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch create mode 100644 Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch create mode 100644 Prevent-use-after-free-of-global_engine_lock.patch create mode 100644 Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch create mode 100644 Revert-the-check-for-NaN-in-f-format.patch create mode 100644 Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch create mode 100644 Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch create mode 100644 Update-EVP_EncodeInit.pod.patch create mode 100644 Use-size-of-target-buffer-for-allocation.patch create mode 100644 Verification-zero-length-content-in-S-MIME-format.patch create mode 100644 bio-printf-Avoid-using-rounding-errors-in-range-chec.patch create mode 100644 crypto-poly1305-asm-fix-armv8-pointer-authentication.patch create mode 100644 doc-Fix-documentation-of-EVP_EncryptUpdate.patch create mode 100644 doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch create mode 100644 fix-a-docs-typo.patch create mode 100644 fixed-swapped-parameters-descriptions-for-x509.patch create mode 100644 fuzz-asn1.c-Add-missing-include.patch create mode 100644 i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch create mode 100644 sslapitest-Add-test-for-premature-call-of-SSL_export.patch create mode 100644 t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch create mode 100644 x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch diff --git a/AES-CTR-DRGB-do-not-leak-timing-information.patch b/AES-CTR-DRGB-do-not-leak-timing-information.patch new file mode 100644 index 0000000..8c8c970 --- /dev/null +++ b/AES-CTR-DRGB-do-not-leak-timing-information.patch @@ -0,0 +1,52 @@ +From 9cc834d966ea5afc38fb829bfe498aed4c5d498d Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Sat, 22 Feb 2020 01:20:09 +0100 +Subject: [PATCH 013/217] AES CTR-DRGB: do not leak timing information + +Signed-off-by: Patrick Steuer + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/11147) + +(cherry picked from commit 069165d10646a22000c596095cc04d43bbf1f807) +--- + crypto/rand/drbg_ctr.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c +index 93b82f3..f41484e 100644 +--- a/crypto/rand/drbg_ctr.c ++++ b/crypto/rand/drbg_ctr.c +@@ -21,19 +21,15 @@ + + static void inc_128(RAND_DRBG_CTR *ctr) + { +- int i; +- unsigned char c; +- unsigned char *p = &ctr->V[15]; +- +- for (i = 0; i < 16; i++, p--) { +- c = *p; +- c++; +- *p = c; +- if (c != 0) { +- /* If we didn't wrap around, we're done. */ +- break; +- } +- } ++ unsigned char *p = &ctr->V[0]; ++ u32 n = 16, c = 1; ++ ++ do { ++ --n; ++ c += p[n]; ++ p[n] = (u8)c; ++ c >>= 8; ++ } while (n); + } + + static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen) +-- +1.8.3.1 + diff --git a/Add-an-SSL_dup-test.patch b/Add-an-SSL_dup-test.patch new file mode 100644 index 0000000..0b74608 --- /dev/null +++ b/Add-an-SSL_dup-test.patch @@ -0,0 +1,104 @@ +From 45f02e9095f30abefc799b34a612140a47aa9e27 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 16 Jun 2020 17:19:40 +0100 +Subject: [PATCH 035/147] Add an SSL_dup test + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12245) +--- + test/sslapitest.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 72 insertions(+) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 62d22e8..5220722 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -6578,6 +6578,75 @@ static int test_servername(int tst) + return testresult; + } + ++#ifndef OPENSSL_NO_TLS1_2 ++static int test_ssl_dup(void) ++{ ++ SSL_CTX *cctx = NULL, *sctx = NULL; ++ SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL; ++ int testresult = 0; ++ BIO *rbio = NULL, *wbio = NULL; ++ ++ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), ++ TLS_client_method(), ++ 0, ++ 0, ++ &sctx, &cctx, cert, privkey))) ++ goto end; ++ ++ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, ++ NULL, NULL))) ++ goto end; ++ ++ if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)) ++ || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION))) ++ goto end; ++ ++ client2ssl = SSL_dup(clientssl); ++ rbio = SSL_get_rbio(clientssl); ++ if (!TEST_ptr(rbio) ++ || !TEST_true(BIO_up_ref(rbio))) ++ goto end; ++ SSL_set0_rbio(client2ssl, rbio); ++ rbio = NULL; ++ ++ wbio = SSL_get_wbio(clientssl); ++ if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio))) ++ goto end; ++ SSL_set0_wbio(client2ssl, wbio); ++ rbio = NULL; ++ ++ if (!TEST_ptr(client2ssl) ++ /* Handshake not started so pointers should be different */ ++ || !TEST_ptr_ne(clientssl, client2ssl)) ++ goto end; ++ ++ if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION) ++ || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION)) ++ goto end; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE))) ++ goto end; ++ ++ SSL_free(clientssl); ++ clientssl = SSL_dup(client2ssl); ++ if (!TEST_ptr(clientssl) ++ /* Handshake has finished so pointers should be the same */ ++ || !TEST_ptr_eq(clientssl, client2ssl)) ++ goto end; ++ ++ testresult = 1; ++ ++ end: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_free(client2ssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ ++ return testresult; ++} ++#endif ++ + int setup_tests(void) + { + if (!TEST_ptr(certsdir = test_get_argument(0)) +@@ -6698,6 +6767,9 @@ int setup_tests(void) + ADD_ALL_TESTS(test_client_cert_cb, 2); + ADD_ALL_TESTS(test_ca_names, 3); + ADD_ALL_TESTS(test_servername, 10); ++#ifndef OPENSSL_NO_TLS1_2 ++ ADD_TEST(test_ssl_dup); ++#endif + return 1; + } + +-- +1.8.3.1 + diff --git a/Add-test-for-CVE-2020-1967.patch b/Add-test-for-CVE-2020-1967.patch new file mode 100644 index 0000000..8bdd923 --- /dev/null +++ b/Add-test-for-CVE-2020-1967.patch @@ -0,0 +1,118 @@ +From 64eef86733fd40a5b7737dc586754c3fa3414b0c Mon Sep 17 00:00:00 2001 +From: Benjamin Kaduk +Date: Fri, 10 Apr 2020 12:27:28 -0700 +Subject: [PATCH 025/217] Add test for CVE-2020-1967 + +Add to test_sslsigalgs a TLSProxy test that injects a +"signature_algorithms_cert" extension that contains an unallocated +codepoint. + +The test currently fails, since s_server segfaults instead of +ignoring the unrecognized value. + +Since "signature_algorithms" and "signature_algorithms_cert" are very +similar, also add the analogous test for "signature_algorithms". + +Reviewed-by: Matt Caswell +--- + test/recipes/70-test_sslsigalgs.t | 66 +++++++++++++++++++++++++++++++++++++-- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t +index b3339ff..9ea9d05 100644 +--- a/test/recipes/70-test_sslsigalgs.t ++++ b/test/recipes/70-test_sslsigalgs.t +@@ -44,7 +44,9 @@ use constant { + COMPAT_SIGALGS => 6, + SIGALGS_CERT_ALL => 7, + SIGALGS_CERT_PKCS => 8, +- SIGALGS_CERT_INVALID => 9 ++ SIGALGS_CERT_INVALID => 9, ++ UNRECOGNIZED_SIGALGS_CERT => 10, ++ UNRECOGNIZED_SIGALG => 11 + }; + + #Note: Throughout this test we override the default ciphersuites where TLSv1.2 +@@ -53,7 +55,7 @@ use constant { + + #Test 1: Default sig algs should succeed + $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +-plan tests => 24; ++plan tests => 26; + ok(TLSProxy::Message->success, "Default sigalgs"); + my $testtype; + +@@ -282,6 +284,39 @@ SKIP: { + ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert"); + } + ++SKIP: { ++ skip "TLS 1.3 disabled", 2 if disabled("tls1_3"); ++ #Test 25: Send an unrecognized signature_algorithms_cert ++ # We should be able to skip over the unrecognized value and use a ++ # valid one that appears later in the list. ++ $proxy->clear(); ++ $proxy->filter(\&inject_unrecognized_sigalg); ++ $proxy->clientflags("-tls1_3"); ++ # Use -xcert to get SSL_check_chain() to run in the cert_cb. This is ++ # needed to trigger (e.g.) CVE-2020-1967 ++ $proxy->serverflags("" . ++ " -xcert " . srctop_file("test", "certs", "servercert.pem") . ++ " -xkey " . srctop_file("test", "certs", "serverkey.pem") . ++ " -xchain " . srctop_file("test", "certs", "rootcert.pem")); ++ $testtype = UNRECOGNIZED_SIGALGS_CERT; ++ $proxy->start(); ++ ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello"); ++ ++ #Test 26: Send an unrecognized signature_algorithms ++ # We should be able to skip over the unrecognized value and use a ++ # valid one that appears later in the list. ++ $proxy->clear(); ++ $proxy->filter(\&inject_unrecognized_sigalg); ++ $proxy->clientflags("-tls1_3"); ++ $proxy->serverflags("" . ++ " -xcert " . srctop_file("test", "certs", "servercert.pem") . ++ " -xkey " . srctop_file("test", "certs", "serverkey.pem") . ++ " -xchain " . srctop_file("test", "certs", "rootcert.pem")); ++ $testtype = UNRECOGNIZED_SIGALG; ++ $proxy->start(); ++ ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello"); ++} ++ + + + sub sigalgs_filter +@@ -427,3 +462,30 @@ sub modify_cert_verify_sigalg + } + } + } ++ ++sub inject_unrecognized_sigalg ++{ ++ my $proxy = shift; ++ my $type; ++ ++ # We're only interested in the initial ClientHello ++ if ($proxy->flight != 0) { ++ return; ++ } ++ if ($testtype == UNRECOGNIZED_SIGALGS_CERT) { ++ $type = TLSProxy::Message::EXT_SIG_ALGS_CERT; ++ } elsif ($testtype == UNRECOGNIZED_SIGALG) { ++ $type = TLSProxy::Message::EXT_SIG_ALGS; ++ } else { ++ return; ++ } ++ ++ my $ext = pack "C8", ++ 0x00, 0x06, #Extension length ++ 0xfe, 0x18, #private use ++ 0x04, 0x01, #rsa_pkcs1_sha256 ++ 0x08, 0x04; #rsa_pss_rsae_sha256; ++ my $message = ${$proxy->message_list}[0]; ++ $message->set_extension($type, $ext); ++ $message->repack; ++} +-- +1.8.3.1 + diff --git a/Allow-NULL-arg-to-OSSL_STORE_close.patch b/Allow-NULL-arg-to-OSSL_STORE_close.patch new file mode 100644 index 0000000..b11b7c9 --- /dev/null +++ b/Allow-NULL-arg-to-OSSL_STORE_close.patch @@ -0,0 +1,44 @@ +From 767b86ee52227b1c8e5c783b9c3850fa65338058 Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Fri, 22 May 2020 14:56:06 +0200 +Subject: [PATCH 066/217] Allow NULL arg to OSSL_STORE_close() + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11912) +--- + crypto/store/store_lib.c | 6 +++++- + doc/man3/OSSL_STORE_open.pod | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c +index fb8184d..637466c 100644 +--- a/crypto/store/store_lib.c ++++ b/crypto/store/store_lib.c +@@ -218,7 +218,11 @@ int OSSL_STORE_eof(OSSL_STORE_CTX *ctx) + + int OSSL_STORE_close(OSSL_STORE_CTX *ctx) + { +- int loader_ret = ctx->loader->close(ctx->loader_ctx); ++ int loader_ret; ++ ++ if (ctx == NULL) ++ return 1; ++ loader_ret = ctx->loader->close(ctx->loader_ctx); + + OPENSSL_free(ctx); + return loader_ret; +diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod +index 1e8ebf7..309390e 100644 +--- a/doc/man3/OSSL_STORE_open.pod ++++ b/doc/man3/OSSL_STORE_open.pod +@@ -94,6 +94,7 @@ OSSL_STORE_eof() shows that the end of data has been reached. + OSSL_STORE_close() takes a B, closes the channel that was opened + by OSSL_STORE_open() and frees all other information that was stored in the + B, as well as the B itself. ++If B is NULL it does nothing. + + =head1 SUPPORTED SCHEMES + +-- +1.8.3.1 + diff --git a/Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch b/Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch new file mode 100644 index 0000000..250945e --- /dev/null +++ b/Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch @@ -0,0 +1,219 @@ +From c6c9f886ae118fffb0591ea0b5c3e4770b176552 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Thu, 16 Jul 2020 23:30:43 -0200 +Subject: [PATCH 054/147] Avoid errors with a priori inapplicable protocol + bounds + +The 'MinProtocol' and 'MaxProtocol' configuration commands now silently +ignore TLS protocol version bounds when configurign DTLS-based contexts, +and conversely, silently ignore DTLS protocol version bounds when +configuring TLS-based contexts. The commands can be repeated to set +bounds of both types. The same applies with the corresponding +"min_protocol" and "max_protocol" command-line switches, in case some +application uses both TLS and DTLS. + +SSL_CTX instances that are created for a fixed protocol version (e.g. +TLSv1_server_method()) also silently ignore version bounds. Previously +attempts to apply bounds to these protocol versions would result in an +error. Now only the "version-flexible" SSL_CTX instances are subject to +limits in configuration files in command-line options. + +Expected to resolve #12394 + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell + +GH: #12507 +--- + doc/man3/SSL_CONF_cmd.pod | 29 ++++++++++++++++++++--------- + doc/man5/config.pod | 15 +++++++++------ + ssl/ssl_conf.c | 7 +++++++ + ssl/statem/statem_lib.c | 34 +++++++++++++++++++--------------- + 4 files changed, 55 insertions(+), 30 deletions(-) + +diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod +index 7f2449e..c5fed8e 100644 +--- a/doc/man3/SSL_CONF_cmd.pod ++++ b/doc/man3/SSL_CONF_cmd.pod +@@ -147,13 +147,16 @@ B. + =item B<-min_protocol>, B<-max_protocol> + + Sets the minimum and maximum supported protocol. +-Currently supported protocol values are B, B, +-B, B, B for TLS and B, B for DTLS, +-and B for no limit. +-If either bound is not specified then only the other bound applies, +-if specified. +-To restrict the supported protocol versions use these commands rather +-than the deprecated alternative commands below. ++Currently supported protocol values are B, B, B, ++B, B for TLS; B, B for DTLS, and B ++for no limit. ++If either the lower or upper bound is not specified then only the other bound ++applies, if specified. ++If your application supports both TLS and DTLS you can specify any of these ++options twice, once with a bound for TLS and again with an appropriate bound ++for DTLS. ++To restrict the supported protocol versions use these commands rather than the ++deprecated alternative commands below. + + =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> + +@@ -370,7 +373,11 @@ This sets the minimum supported SSL, TLS or DTLS version. + + Currently supported protocol values are B, B, B, + B, B, B and B. +-The value B will disable the limit. ++The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds ++apply only to DTLS-based contexts. ++The command can be repeated with one instance setting a TLS bound, and the ++other setting a DTLS bound. ++The value B applies to both types of contexts and disables the limits. + + =item B + +@@ -378,7 +385,11 @@ This sets the maximum supported SSL, TLS or DTLS version. + + Currently supported protocol values are B, B, B, + B, B, B and B. +-The value B will disable the limit. ++The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds ++apply only to DTLS-based contexts. ++The command can be repeated with one instance setting a TLS bound, and the ++other setting a DTLS bound. ++The value B applies to both types of contexts and disables the limits. + + =item B + +diff --git a/doc/man5/config.pod b/doc/man5/config.pod +index 7b50b09..7a0459d 100644 +--- a/doc/man5/config.pod ++++ b/doc/man5/config.pod +@@ -262,13 +262,11 @@ Example of a configuration with the system default: + ssl_conf = ssl_sect + + [ssl_sect] +- + system_default = system_default_sect + + [system_default_sect] +- + MinProtocol = TLSv1.2 +- ++ MinProtocol = DTLSv1.2 + + =head1 NOTES + +@@ -355,8 +353,8 @@ Simple OpenSSL library configuration example to enter FIPS mode: + Note: in the above example you will get an error in non FIPS capable versions + of OpenSSL. + +-Simple OpenSSL library configuration to make TLS 1.3 the system-default +-minimum TLS version: ++Simple OpenSSL library configuration to make TLS 1.2 and DTLS 1.2 the ++system-default minimum TLS and DTLS versions, respectively: + + # Toplevel section for openssl (including libssl) + openssl_conf = default_conf_section +@@ -369,7 +367,12 @@ minimum TLS version: + system_default = system_default_section + + [system_default_section] +- MinProtocol = TLSv1.3 ++ MinProtocol = TLSv1.2 ++ MinProtocol = DTLSv1.2 ++ ++The minimum TLS protocol is applied to B objects that are TLS-based, ++and the minimum DTLS protocol to those are DTLS-based. ++The same applies also to maximum versions set with B. + + More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: + +diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c +index 8ef29bb..3890d16 100644 +--- a/ssl/ssl_conf.c ++++ b/ssl/ssl_conf.c +@@ -305,6 +305,13 @@ static int protocol_from_string(const char *value) + const char *name; + int version; + }; ++ /* ++ * Note: To avoid breaking previously valid configurations, we must retain ++ * legacy entries in this table even if the underlying protocol is no ++ * longer supported. This also means that the constants SSL3_VERSION, ... ++ * need to be retained indefinitely. This table can only grow, never ++ * shrink. ++ */ + static const struct protocol_versions versions[] = { + {"None", 0}, + {"SSLv3", SSL3_VERSION}, +diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c +index 43d6fd5..0c5ba28 100644 +--- a/ssl/statem/statem_lib.c ++++ b/ssl/statem/statem_lib.c +@@ -1656,11 +1656,22 @@ int ssl_check_version_downgrade(SSL *s) + */ + int ssl_set_version_bound(int method_version, int version, int *bound) + { ++ int valid_tls; ++ int valid_dtls; ++ + if (version == 0) { + *bound = version; + return 1; + } + ++ valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION; ++ valid_dtls = ++ DTLS_VERSION_LE(version, DTLS_MAX_VERSION) && ++ DTLS_VERSION_GE(version, DTLS1_BAD_VER); ++ ++ if (!valid_tls && !valid_dtls) ++ return 0; ++ + /*- + * Restrict TLS methods to TLS protocol versions. + * Restrict DTLS methods to DTLS protocol versions. +@@ -1671,31 +1682,24 @@ int ssl_set_version_bound(int method_version, int version, int *bound) + * configurations. If the MIN (supported) version ever rises, the user's + * "floor" remains valid even if no longer available. We don't expect the + * MAX ceiling to ever get lower, so making that variable makes sense. ++ * ++ * We ignore attempts to set bounds on version-inflexible methods, ++ * returning success. + */ + switch (method_version) { + default: +- /* +- * XXX For fixed version methods, should we always fail and not set any +- * bounds, always succeed and not set any bounds, or set the bounds and +- * arrange to fail later if they are not met? At present fixed-version +- * methods are not subject to controls that disable individual protocol +- * versions. +- */ +- return 0; ++ break; + + case TLS_ANY_VERSION: +- if (version < SSL3_VERSION || version > TLS_MAX_VERSION) +- return 0; ++ if (valid_tls) ++ *bound = version; + break; + + case DTLS_ANY_VERSION: +- if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) || +- DTLS_VERSION_LT(version, DTLS1_BAD_VER)) +- return 0; ++ if (valid_dtls) ++ *bound = version; + break; + } +- +- *bound = version; + return 1; + } + +-- +1.8.3.1 + diff --git a/Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch b/Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch new file mode 100644 index 0000000..06caf68 --- /dev/null +++ b/Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch @@ -0,0 +1,38 @@ +From 7455f247e6f9d621fa79ae3af1588df23078fb11 Mon Sep 17 00:00:00 2001 +From: Benny Baumann +Date: Fri, 2 Oct 2020 01:06:12 +0200 +Subject: [PATCH 079/147] Avoid memory leak of parent on allocation failure for + child structure + +Reviewed-by: Ben Kaduk +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Richard Levitte +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/13055) + +(cherry picked from commit a21db568bf3d0ab4194fd3e0917ee982f1fc8bfd) +--- + apps/cms.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/apps/cms.c b/apps/cms.c +index 15edd67..60691f1 100644 +--- a/apps/cms.c ++++ b/apps/cms.c +@@ -545,9 +545,11 @@ int cms_main(int argc, char **argv) + if (key_param == NULL || key_param->idx != keyidx) { + cms_key_param *nparam; + nparam = app_malloc(sizeof(*nparam), "key param buffer"); +- nparam->idx = keyidx; +- if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) ++ if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) { ++ OPENSSL_free(nparam); + goto end; ++ } ++ nparam->idx = keyidx; + nparam->next = NULL; + if (key_first == NULL) + key_first = nparam; +-- +1.8.3.1 + diff --git a/Avoid-potential-doublefree-on-dh-object-assigned-to-.patch b/Avoid-potential-doublefree-on-dh-object-assigned-to-.patch new file mode 100644 index 0000000..a1cc466 --- /dev/null +++ b/Avoid-potential-doublefree-on-dh-object-assigned-to-.patch @@ -0,0 +1,29 @@ +From 7b324bb09f6313b370954fde8f2034a6055d8c2f Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 20 Oct 2020 14:16:30 +0200 +Subject: [PATCH 085/147] Avoid potential doublefree on dh object assigned to + EVP_PKEY + +Fixes regression from 7844f3c784bfc93c9b94ae5a4082f9d01e82e0af + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/13194) +--- + ssl/statem/statem_clnt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c +index 3bf8aac..fd3b79c 100644 +--- a/ssl/statem/statem_clnt.c ++++ b/ssl/statem/statem_clnt.c +@@ -2150,6 +2150,7 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) + ERR_R_EVP_LIB); + goto err; + } ++ dh = NULL; + + if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp), + 0, peer_tmp)) { +-- +1.8.3.1 + diff --git a/Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch b/Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch new file mode 100644 index 0000000..fc40bd1 --- /dev/null +++ b/Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch @@ -0,0 +1,33 @@ +From 5156ecbe691c964ae528c74f94d5b515aeb25542 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 19 May 2020 10:51:53 +0200 +Subject: [PATCH 060/217] Avoid potential overflow to the sign bit when + shifting left 24 places + +Although there are platforms where int is 64 bit, 2GiB large BIGNUMs +instead of 4GiB should be "big enough for everybody". + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/11857) + +(cherry picked from commit 1d05eb55caa8965a151360c2469c463ecd990987) +--- + crypto/bn/bn_mpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/bn/bn_mpi.c b/crypto/bn/bn_mpi.c +index bdbe822..b6e35a8 100644 +--- a/crypto/bn/bn_mpi.c ++++ b/crypto/bn/bn_mpi.c +@@ -45,7 +45,7 @@ BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *ain) + int neg = 0; + BIGNUM *a = NULL; + +- if (n < 4) { ++ if (n < 4 || (d[0] & 0x80) != 0) { + BNerr(BN_F_BN_MPI2BN, BN_R_INVALID_LENGTH); + return NULL; + } +-- +1.8.3.1 + diff --git a/Avoid-segfault-in-SSL_export_keying_material-if-ther.patch b/Avoid-segfault-in-SSL_export_keying_material-if-ther.patch new file mode 100644 index 0000000..704261b --- /dev/null +++ b/Avoid-segfault-in-SSL_export_keying_material-if-ther.patch @@ -0,0 +1,33 @@ +From 925a9d0a8168bfd0b532bc6600ba3e7ab47a7592 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 6 Aug 2020 11:20:43 +0200 +Subject: [PATCH 060/147] Avoid segfault in SSL_export_keying_material if there + is no session + +Fixes #12588 + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/12594) + +(cherry picked from commit dffeec1c10a874d7c7b83c221dbbce82f755edb1) +--- + ssl/ssl_lib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 433a537..b1df374 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2897,7 +2897,8 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, + const unsigned char *context, size_t contextlen, + int use_context) + { +- if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER) ++ if (s->session == NULL ++ || (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)) + return -1; + + return s->method->ssl3_enc->export_keying_material(s, out, olen, label, +-- +1.8.3.1 + diff --git a/BIO_do_accept-correct-error-return-value.patch b/BIO_do_accept-correct-error-return-value.patch new file mode 100644 index 0000000..5e8a30f --- /dev/null +++ b/BIO_do_accept-correct-error-return-value.patch @@ -0,0 +1,54 @@ +From 5f62ff49a9fdc9079aa6e9aefaf2cee51d2f4455 Mon Sep 17 00:00:00 2001 +From: scott +Date: Thu, 9 Apr 2020 12:36:37 +0100 +Subject: [PATCH 018/217] BIO_do_accept: correct error return value + +`BIO_do_accept` was returning incorrect values when unable to bind to a port. + +Fixes #7717 +CLA: trivial + +Reviewed-by: Viktor Dukhovni +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11505) + +(cherry picked from commit 0437435a960123be1ced766d18d715f939698345) +--- + crypto/bio/bss_acpt.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c +index b38e47a..5a2cb50 100644 +--- a/crypto/bio/bss_acpt.c ++++ b/crypto/bio/bss_acpt.c +@@ -222,10 +222,10 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c) + break; + + case ACPT_S_CREATE_SOCKET: +- ret = BIO_socket(BIO_ADDRINFO_family(c->addr_iter), +- BIO_ADDRINFO_socktype(c->addr_iter), +- BIO_ADDRINFO_protocol(c->addr_iter), 0); +- if (ret == (int)INVALID_SOCKET) { ++ s = BIO_socket(BIO_ADDRINFO_family(c->addr_iter), ++ BIO_ADDRINFO_socktype(c->addr_iter), ++ BIO_ADDRINFO_protocol(c->addr_iter), 0); ++ if (s == (int)INVALID_SOCKET) { + SYSerr(SYS_F_SOCKET, get_last_socket_error()); + ERR_add_error_data(4, + "hostname=", c->param_addr, +@@ -233,9 +233,10 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c) + BIOerr(BIO_F_ACPT_STATE, BIO_R_UNABLE_TO_CREATE_SOCKET); + goto exit_loop; + } +- c->accept_sock = ret; +- b->num = ret; ++ c->accept_sock = s; ++ b->num = s; + c->state = ACPT_S_LISTEN; ++ s = -1; + break; + + case ACPT_S_LISTEN: +-- +1.8.3.1 + diff --git a/BN-harden-BN_copy-against-leaks-from-memory-accesses.patch b/BN-harden-BN_copy-against-leaks-from-memory-accesses.patch new file mode 100644 index 0000000..68268e5 --- /dev/null +++ b/BN-harden-BN_copy-against-leaks-from-memory-accesses.patch @@ -0,0 +1,58 @@ +From 3655e35b78df095b367b3334b6515f6d9436fd95 Mon Sep 17 00:00:00 2001 +From: Nicola Tuveri +Date: Tue, 21 Jan 2020 17:08:16 +0200 +Subject: [PATCH 033/217] [BN] harden `BN_copy()` against leaks from memory + accesses + +`BN_copy()` (and indirectly `BN_dup()`) do not propagate the +`BN_FLG_CONSTTIME` flag: the propagation has been turned on and off a +few times in the past years, because in some conditions it has shown +unintended consequences in some code paths. + +Without turning the propagation on once more, we can still improve +`BN_copy()` by avoiding to leak `src->top` in case `src` is flagged with +`BN_FLG_CONSTTIME`. +In this case we can instead use `src->dmax` as the number of words +allocated for `dst` and for the `memcpy` operation. + +Barring compiler or runtime optimizations, if the caller provides `src` +flagged as const time and preallocated to a public size, no leak should +happen due to the copy operation. + +(cherry picked from commit 2d9167ed0b588dacbdd0303fb6041ffe1d8b3a92) + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11127) +--- + crypto/bn/bn_lib.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c +index 86d4956..759d4c7 100644 +--- a/crypto/bn/bn_lib.c ++++ b/crypto/bn/bn_lib.c +@@ -322,15 +322,19 @@ BIGNUM *BN_dup(const BIGNUM *a) + + BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b) + { ++ int bn_words; ++ + bn_check_top(b); + ++ bn_words = BN_get_flags(b, BN_FLG_CONSTTIME) ? b->dmax : b->top; ++ + if (a == b) + return a; +- if (bn_wexpand(a, b->top) == NULL) ++ if (bn_wexpand(a, bn_words) == NULL) + return NULL; + + if (b->top > 0) +- memcpy(a->d, b->d, sizeof(b->d[0]) * b->top); ++ memcpy(a->d, b->d, sizeof(b->d[0]) * bn_words); + + a->neg = b->neg; + a->top = b->top; +-- +1.8.3.1 + diff --git a/CMS_get0_signers-description.patch b/CMS_get0_signers-description.patch new file mode 100644 index 0000000..07eacd7 --- /dev/null +++ b/CMS_get0_signers-description.patch @@ -0,0 +1,32 @@ +From 4151e303a488c53613f7b8c6eae4372759d7fa35 Mon Sep 17 00:00:00 2001 +From: olszomal +Date: Fri, 12 Jun 2020 12:09:02 +0200 +Subject: [PATCH 021/147] CMS_get0_signers() description + +CLA: trivial + +Reviewed-by: Shane Lontis +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12055) + +(cherry picked from commit 9ac916c7529a21cd01d1b539362abf8402719e30) +--- + doc/man3/CMS_verify.pod | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod +index be68868..b6650fd 100644 +--- a/doc/man3/CMS_verify.pod ++++ b/doc/man3/CMS_verify.pod +@@ -24,7 +24,7 @@ present in B. The content is written to B if it is not NULL. + B is an optional set of flags, which can be used to modify the verify + operation. + +-CMS_get0_signers() retrieves the signing certificate(s) from B, it must ++CMS_get0_signers() retrieves the signing certificate(s) from B, it may only + be called after a successful CMS_verify() operation. + + =head1 VERIFY PROCESS +-- +1.8.3.1 + diff --git a/Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch b/Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch new file mode 100644 index 0000000..038c56d --- /dev/null +++ b/Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch @@ -0,0 +1,42 @@ +From e11072908742e96a1067bb1b9609bfc27ab05835 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 19 May 2020 10:51:19 +0200 +Subject: [PATCH 059/217] Cast the unsigned char to unsigned int before + shifting left + +This is needed to avoid automatic promotion to signed int. + +Fixes #11853 + +[extended tests] + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/11857) + +(cherry picked from commit cbeb0bfa961412eebfbdf1e72900f05527e81e15) +--- + crypto/pem/pvkfmt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c +index 46ed2ec..e6156df 100644 +--- a/crypto/pem/pvkfmt.c ++++ b/crypto/pem/pvkfmt.c +@@ -29,10 +29,10 @@ static unsigned int read_ledword(const unsigned char **in) + { + const unsigned char *p = *in; + unsigned int ret; +- ret = *p++; +- ret |= (*p++ << 8); +- ret |= (*p++ << 16); +- ret |= (*p++ << 24); ++ ret = (unsigned int)*p++; ++ ret |= (unsigned int)*p++ << 8; ++ ret |= (unsigned int)*p++ << 16; ++ ret |= (unsigned int)*p++ << 24; + *in = p; + return ret; + } +-- +1.8.3.1 + diff --git a/Correct-alignment-calculation-in-ssl3_setup_write.patch b/Correct-alignment-calculation-in-ssl3_setup_write.patch new file mode 100644 index 0000000..21cec9e --- /dev/null +++ b/Correct-alignment-calculation-in-ssl3_setup_write.patch @@ -0,0 +1,46 @@ +From df943912046aee2e5e541949dbdbafa38819f195 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 8 May 2020 11:12:10 +0100 +Subject: [PATCH 050/217] Correct alignment calculation in ssl3_setup_write + +The alignment calculation in ssl3_setup_write incorrectly results in an +alignment allowance of +(-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1) bytes. This equals 3 +in almost all cases. The maximum alignment actually used in do_ssl3_write +is (SSL3_ALIGN_PAYLOAD - 1). This equals 7 bytes in almost all cases. So +there is a potential to overrun the buffer by up to 4 bytes. + +Fortunately, the encryption overhead allowed for is 80 bytes which +consists of 16 bytes for the cipher block size and 64 bytes for the MAC +output. However the biggest MAC that we ever produce is HMAC-384 which is +48 bytes - so we have a headroom of 16 bytes (i.e. more than the 4 bytes +of potential overrun). + +Thanks to Nagesh Hegde for reporting this. + +Fixes #11766 + +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/11768) + +(cherry picked from commit d30ef639647ad263d09740c931a5bfb5a8b6a5f6) +--- + ssl/record/ssl3_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c +index 605f8f9..56c0d78 100644 +--- a/ssl/record/ssl3_buffer.c ++++ b/ssl/record/ssl3_buffer.c +@@ -94,7 +94,7 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) + headerlen = SSL3_RT_HEADER_LENGTH; + + #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 +- align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); ++ align = SSL3_ALIGN_PAYLOAD - 1; + #endif + + len = ssl_get_max_send_fragment(s) +-- +1.8.3.1 + diff --git a/Correctly-handle-the-return-value-from-EVP_Cipher-in.patch b/Correctly-handle-the-return-value-from-EVP_Cipher-in.patch new file mode 100644 index 0000000..e06fb76 --- /dev/null +++ b/Correctly-handle-the-return-value-from-EVP_Cipher-in.patch @@ -0,0 +1,50 @@ +From ce7bd71a428b0907958beb6dfa71681e751b33d1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 27 May 2020 11:38:39 +0100 +Subject: [PATCH 024/147] Correctly handle the return value from EVP_Cipher() + in the CMAC code + +EVP_Cipher() is a very low level routine that directly calls the +underlying cipher function. It's return value semantics are very odd. +Depending on the type of cipher 0 or -1 is returned on error. We should +just check for <=0 for a failure. + +Fixes #11957 + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12107) +--- + crypto/cmac/cmac.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c +index dbcc436..1a76486 100644 +--- a/crypto/cmac/cmac.c ++++ b/crypto/cmac/cmac.c +@@ -135,7 +135,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, + if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv)) + return 0; + bl = EVP_CIPHER_CTX_block_size(ctx->cctx); +- if (!EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl)) ++ if (EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl) <= 0) + return 0; + make_kn(ctx->k1, ctx->tbl, bl); + make_kn(ctx->k2, ctx->k1, bl); +@@ -173,12 +173,12 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) + return 1; + data += nleft; + /* Else not final block so encrypt it */ +- if (!EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl)) ++ if (EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl) <= 0) + return 0; + } + /* Encrypt all but one of the complete blocks left */ + while (dlen > bl) { +- if (!EVP_Cipher(ctx->cctx, ctx->tbl, data, bl)) ++ if (EVP_Cipher(ctx->cctx, ctx->tbl, data, bl) <= 0) + return 0; + dlen -= bl; + data += bl; +-- +1.8.3.1 + diff --git a/Coverity-Fixes.patch b/Coverity-Fixes.patch new file mode 100644 index 0000000..14ae810 --- /dev/null +++ b/Coverity-Fixes.patch @@ -0,0 +1,154 @@ +From 309e73dfe067b3b774ef6f57bf665f41373a81ca Mon Sep 17 00:00:00 2001 +From: Shane Lontis +Date: Mon, 7 Sep 2020 17:44:38 +1000 +Subject: [PATCH 064/147] Coverity Fixes + +x_algor.c: Explicit null dereferenced +cms_sd.c: Resource leak +ts_rsp_sign.c Resource Leak +extensions_srvr.c: Resourse Leak +v3_alt.c: Resourse Leak +pcy_data.c: Resource Leak +cms_lib.c: Resource Leak +drbg_lib.c: Unchecked return code + +Reviewed-by: Matt Caswell +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/12531) +--- + crypto/cms/cms_lib.c | 3 ++- + crypto/cms/cms_sd.c | 4 +++- + crypto/rand/drbg_lib.c | 8 +++++--- + crypto/ts/ts_rsp_sign.c | 2 ++ + crypto/x509v3/pcy_data.c | 1 + + crypto/x509v3/v3_alt.c | 1 + + ssl/statem/extensions_srvr.c | 2 +- + 7 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c +index 57afba4..cdd794e 100644 +--- a/crypto/cms/cms_lib.c ++++ b/crypto/cms/cms_lib.c +@@ -92,12 +92,13 @@ BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont) + + default: + CMSerr(CMS_F_CMS_DATAINIT, CMS_R_UNSUPPORTED_TYPE); +- return NULL; ++ goto err; + } + + if (cmsbio) + return BIO_push(cmsbio, cont); + ++err: + if (!icont) + BIO_free(cont); + return NULL; +diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c +index 29ba4c1..6030f07 100644 +--- a/crypto/cms/cms_sd.c ++++ b/crypto/cms/cms_sd.c +@@ -897,8 +897,10 @@ int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, + ASN1_INTEGER *key = NULL; + if (keysize > 0) { + key = ASN1_INTEGER_new(); +- if (key == NULL || !ASN1_INTEGER_set(key, keysize)) ++ if (key == NULL || !ASN1_INTEGER_set(key, keysize)) { ++ ASN1_INTEGER_free(key); + return 0; ++ } + } + alg = X509_ALGOR_new(); + if (alg == NULL) { +diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c +index faf0590..73fd439 100644 +--- a/crypto/rand/drbg_lib.c ++++ b/crypto/rand/drbg_lib.c +@@ -330,7 +330,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, + drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter); + if (drbg->reseed_next_counter) { + drbg->reseed_next_counter++; +- if(!drbg->reseed_next_counter) ++ if (!drbg->reseed_next_counter) + drbg->reseed_next_counter = 1; + } + +@@ -432,7 +432,7 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg, + drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter); + if (drbg->reseed_next_counter) { + drbg->reseed_next_counter++; +- if(!drbg->reseed_next_counter) ++ if (!drbg->reseed_next_counter) + drbg->reseed_next_counter = 1; + } + +@@ -554,7 +554,9 @@ int rand_drbg_restart(RAND_DRBG *drbg, + drbg->meth->reseed(drbg, adin, adinlen, NULL, 0); + } else if (reseeded == 0) { + /* do a full reseeding if it has not been done yet above */ +- RAND_DRBG_reseed(drbg, NULL, 0, 0); ++ if (!RAND_DRBG_reseed(drbg, NULL, 0, 0)) { ++ RANDerr(RAND_F_RAND_DRBG_RESTART, RAND_R_RESEED_ERROR); ++ } + } + } + +diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c +index 041a187..342582f 100644 +--- a/crypto/ts/ts_rsp_sign.c ++++ b/crypto/ts/ts_rsp_sign.c +@@ -57,12 +57,14 @@ static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data) + goto err; + if (!ASN1_INTEGER_set(serial, 1)) + goto err; ++ + return serial; + + err: + TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE); + TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, + "Error during serial number generation."); ++ ASN1_INTEGER_free(serial); + return NULL; + } + +diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c +index 0735059..62db3b4 100644 +--- a/crypto/x509v3/pcy_data.c ++++ b/crypto/x509v3/pcy_data.c +@@ -52,6 +52,7 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, + ret = OPENSSL_zalloc(sizeof(*ret)); + if (ret == NULL) { + X509V3err(X509V3_F_POLICY_DATA_NEW, ERR_R_MALLOC_FAILURE); ++ ASN1_OBJECT_free(id); + return NULL; + } + ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); +diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c +index 7ac2911..0bcee33 100644 +--- a/crypto/x509v3/v3_alt.c ++++ b/crypto/x509v3/v3_alt.c +@@ -275,6 +275,7 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) + num = sk_GENERAL_NAME_num(ialt); + if (!sk_GENERAL_NAME_reserve(gens, num)) { + X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE); ++ sk_GENERAL_NAME_free(ialt); + goto err; + } + +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 3b07c6b..3c7395c 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -1151,7 +1151,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + if (sesstmp == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR); +- return 0; ++ goto err; + } + SSL_SESSION_free(sess); + sess = sesstmp; +-- +1.8.3.1 + diff --git a/Do-not-allow-dropping-Extended-Master-Secret-extensi.patch b/Do-not-allow-dropping-Extended-Master-Secret-extensi.patch new file mode 100644 index 0000000..30c366e --- /dev/null +++ b/Do-not-allow-dropping-Extended-Master-Secret-extensi.patch @@ -0,0 +1,67 @@ +From 4b7097025305b219694dd8b04f84155cd12fb71d Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 4 Jun 2020 11:40:29 +0200 +Subject: [PATCH 018/147] Do not allow dropping Extended Master Secret + extension on renegotiaton + +Abort renegotiation if server receives client hello with Extended Master +Secret extension dropped in comparison to the initial session. + +Fixes #9754 + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/12099) +--- + include/openssl/ssl3.h | 3 +++ + ssl/statem/extensions.c | 14 +++++++++++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h +index 8d01fcc..407db0b 100644 +--- a/include/openssl/ssl3.h ++++ b/include/openssl/ssl3.h +@@ -292,6 +292,9 @@ extern "C" { + + # define TLS1_FLAGS_STATELESS 0x0800 + ++/* Set if extended master secret extension required on renegotiation */ ++# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000 ++ + # define SSL3_MT_HELLO_REQUEST 0 + # define SSL3_MT_CLIENT_HELLO 1 + # define SSL3_MT_SERVER_HELLO 2 +diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c +index 4ef8b41..c785ab7 100644 +--- a/ssl/statem/extensions.c ++++ b/ssl/statem/extensions.c +@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int context) + + static int init_ems(SSL *s, unsigned int context) + { +- if (!s->server) ++ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { + s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; ++ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS; ++ } + + return 1; + } + + static int final_ems(SSL *s, unsigned int context, int sent) + { ++ /* ++ * Check extended master secret extension is not dropped on ++ * renegotiation. ++ */ ++ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) ++ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, ++ SSL_R_INCONSISTENT_EXTMS); ++ return 0; ++ } + if (!s->server && s->hit) { + /* + * Check extended master secret extension is consistent with +-- +1.8.3.1 + diff --git a/Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch b/Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch new file mode 100644 index 0000000..f301f30 --- /dev/null +++ b/Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch @@ -0,0 +1,59 @@ +From 4864a232ee7f901388532f65911866ca2478cfa9 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 16 Jun 2020 17:40:40 +0100 +Subject: [PATCH 034/147] Don't attempt to duplicate the BIO state in SSL_dup + +SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs +configured for it. This did not work. + +Firstly the SSL_dup code was passing a BIO ** as the destination +argument for BIO_dup_state. However BIO_dup_state expects a BIO * for that +parameter. Any attempt to use this will either (1) fail silently, (2) crash +or fail in some other strange way. + +Secondly many BIOs do not implement the BIO_CTRL_DUP ctrl required to make +this work. + +Thirdly, if rbio == wbio in the original SSL object, then an attempt is made +to up-ref the BIO in the new SSL object - even though it hasn't been set +yet and is NULL. This results in a crash. + +This appears to have been broken for a very long time with at least some of +the problems described above coming from SSLeay. The simplest approach is +to just remove this capability from the function. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12245) +--- + ssl/ssl_lib.c | 15 --------------- + 1 files changed, 15 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 1d96eb4..f6a4964 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3841,21 +3841,6 @@ SSL *SSL_dup(SSL *s) + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) + goto err; + +- /* setup rbio, and wbio */ +- if (s->rbio != NULL) { +- if (!BIO_dup_state(s->rbio, (char *)&ret->rbio)) +- goto err; +- } +- if (s->wbio != NULL) { +- if (s->wbio != s->rbio) { +- if (!BIO_dup_state(s->wbio, (char *)&ret->wbio)) +- goto err; +- } else { +- BIO_up_ref(ret->rbio); +- ret->wbio = ret->rbio; +- } +- } +- + ret->server = s->server; + if (s->handshake_func) { + if (s->server) +-- +1.8.3.1 + diff --git a/EC-Constify-internal-EC_KEY-pointer-usage.patch b/EC-Constify-internal-EC_KEY-pointer-usage.patch new file mode 100644 index 0000000..830c858 --- /dev/null +++ b/EC-Constify-internal-EC_KEY-pointer-usage.patch @@ -0,0 +1,78 @@ +From cd45a57aafddb908eb3a56e118b4c01899765d18 Mon Sep 17 00:00:00 2001 +From: Nicola Tuveri +Date: Tue, 7 Jan 2020 01:19:13 +0200 +Subject: [PATCH 031/217] [EC] Constify internal EC_KEY pointer usage + +A pair of internal functions related to EC_KEY handling could benefit +from declaring `EC_KEY *` variables as `const`, providing clarity for +callers and readers of the code, in addition to enlisting the compiler +in preventing some mistakes. + +(cherry picked from commit cd701de96a147260c2290d85af8a0656120a8ff8) + +In master `id2_ECParameters` and most of the ASN1 public functions have +been properly constified in their signature. + +Unfortunately this has been deemed not doable in a patch release for +1.1.1 as, in subtle ways, this would break API compatibility. +See the discussion at https://github.com/openssl/openssl/pull/9347 for +more details about this. + +This constification commit should still be portable w.r.t. our criteria, +as the constification happens only on internal functions. + +The fix here is to explicitly discard the const qualifier before the +call to `i2d_ECParameters`, which should be safe anyway because we can +expect `i2d_ECParameters()` to treat the first argument as if it was +const. + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11127) +--- + crypto/ec/ec_ameth.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c +index 2210383..b7b82e5 100644 +--- a/crypto/ec/ec_ameth.c ++++ b/crypto/ec/ec_ameth.c +@@ -23,7 +23,7 @@ static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); + static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); + #endif + +-static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) ++static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key) + { + const EC_GROUP *group; + int nid; +@@ -43,7 +43,17 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) + pstr = ASN1_STRING_new(); + if (pstr == NULL) + return 0; +- pstr->length = i2d_ECParameters(ec_key, &pstr->data); ++ ++ /* ++ * The cast in the following line is intentional as the ++ * `i2d_ECParameters` signature can't be constified (see discussion at ++ * https://github.com/openssl/openssl/pull/9347 where related and ++ * required constification backports were rejected). ++ * ++ * This cast should be safe anyway, because we can expect ++ * `i2d_ECParameters()` to treat the first argument as if it was const. ++ */ ++ pstr->length = i2d_ECParameters((EC_KEY *)ec_key, &pstr->data); + if (pstr->length <= 0) { + ASN1_STRING_free(pstr); + ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB); +@@ -57,7 +67,7 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) + + static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) + { +- EC_KEY *ec_key = pkey->pkey.ec; ++ const EC_KEY *ec_key = pkey->pkey.ec; + void *pval = NULL; + int ptype; + unsigned char *penc = NULL, *p; +-- +1.8.3.1 + diff --git a/EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch b/EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch new file mode 100644 index 0000000..09e8f44 --- /dev/null +++ b/EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch @@ -0,0 +1,167 @@ +From 6a01f6f4b41d045e2a3abcb10163633d769db76a Mon Sep 17 00:00:00 2001 +From: Nicola Tuveri +Date: Tue, 21 Jan 2020 17:00:41 +0200 +Subject: [PATCH 032/217] [EC] harden EC_KEY against leaks from memory accesses + +We should never leak the bit length of the secret scalar in the key, +so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM` +holding the secret scalar. + +This is important also because `BN_dup()` (and `BN_copy()`) do not +propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and +this brings an extra risk of inadvertently losing the flag, even when +the called specifically set it. + +The propagation has been turned on and off a few times in the past +years because in some conditions has shown unintended consequences in +some code paths, so at the moment we can't fix this in the BN layer. + +In `EC_KEY_set_private_key()` we can work around the propagation by +manually setting the flag after `BN_dup()` as we know for sure that +inside the EC module the `BN_FLG_CONSTTIME` is always treated +correctly and should not generate unintended consequences. + +Setting the `BN_FLG_CONSTTIME` flag alone is never enough, we also have +to preallocate the `BIGNUM` internal buffer to a fixed public size big +enough that operations performed during the processing never trigger +a realloc which would leak the size of the scalar through memory +accesses. + +Fixed Length +------------ + +The order of the large prime subgroup of the curve is our choice for +a fixed public size, as that is generally the upper bound for +generating a private key in EC cryptosystems and should fit all valid +secret scalars. + +For preallocating the `BIGNUM` storage we look at the number of "words" +required for the internal representation of the order, and we +preallocate 2 extra "words" in case any of the subsequent processing +might temporarily overflow the order length. + +Future work +----------- + +A separate commit addresses further hardening of `BN_copy()` (and +indirectly `BN_dup()`). + +(cherry picked from commit 0401d766afcd022748763f5614188301c9856c6e) + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11127) +--- + crypto/ec/ec_key.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 73 insertions(+), 3 deletions(-) + +diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c +index 08aaac5..90698b9 100644 +--- a/crypto/ec/ec_key.c ++++ b/crypto/ec/ec_key.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * + * Licensed under the OpenSSL license (the "License"). You may not use +@@ -14,6 +14,7 @@ + #include "internal/refcount.h" + #include + #include ++#include "crypto/bn.h" + + EC_KEY *EC_KEY_new(void) + { +@@ -416,17 +417,86 @@ const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key) + + int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) + { ++ int fixed_top; ++ const BIGNUM *order = NULL; ++ BIGNUM *tmp_key = NULL; ++ + if (key->group == NULL || key->group->meth == NULL) + return 0; ++ ++ /* ++ * Not only should key->group be set, but it should also be in a valid ++ * fully initialized state. ++ * ++ * Specifically, to operate in constant time, we need that the group order ++ * is set, as we use its length as the fixed public size of any scalar used ++ * as an EC private key. ++ */ ++ order = EC_GROUP_get0_order(key->group); ++ if (order == NULL || BN_is_zero(order)) ++ return 0; /* This should never happen */ ++ + if (key->group->meth->set_private != NULL + && key->group->meth->set_private(key, priv_key) == 0) + return 0; + if (key->meth->set_private != NULL + && key->meth->set_private(key, priv_key) == 0) + return 0; ++ ++ /* ++ * We should never leak the bit length of the secret scalar in the key, ++ * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM` ++ * holding the secret scalar. ++ * ++ * This is important also because `BN_dup()` (and `BN_copy()`) do not ++ * propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and ++ * this brings an extra risk of inadvertently losing the flag, even when ++ * the called specifically set it. ++ * ++ * The propagation has been turned on and off a few times in the past ++ * years because in some conditions has shown unintended consequences in ++ * some code paths, so at the moment we can't fix this in the BN layer. ++ * ++ * In `EC_KEY_set_private_key()` we can work around the propagation by ++ * manually setting the flag after `BN_dup()` as we know for sure that ++ * inside the EC module the `BN_FLG_CONSTTIME` is always treated ++ * correctly and should not generate unintended consequences. ++ * ++ * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have ++ * to preallocate the BIGNUM internal buffer to a fixed public size big ++ * enough that operations performed during the processing never trigger ++ * a realloc which would leak the size of the scalar through memory ++ * accesses. ++ * ++ * Fixed Length ++ * ------------ ++ * ++ * The order of the large prime subgroup of the curve is our choice for ++ * a fixed public size, as that is generally the upper bound for ++ * generating a private key in EC cryptosystems and should fit all valid ++ * secret scalars. ++ * ++ * For preallocating the BIGNUM storage we look at the number of "words" ++ * required for the internal representation of the order, and we ++ * preallocate 2 extra "words" in case any of the subsequent processing ++ * might temporarily overflow the order length. ++ */ ++ tmp_key = BN_dup(priv_key); ++ if (tmp_key == NULL) ++ return 0; ++ ++ BN_set_flags(tmp_key, BN_FLG_CONSTTIME); ++ ++ fixed_top = bn_get_top(order) + 2; ++ if (bn_wexpand(tmp_key, fixed_top) == NULL) { ++ BN_clear_free(tmp_key); ++ return 0; ++ } ++ + BN_clear_free(key->priv_key); +- key->priv_key = BN_dup(priv_key); +- return (key->priv_key == NULL) ? 0 : 1; ++ key->priv_key = tmp_key; ++ ++ return 1; + } + + const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key) +-- +1.8.3.1 + diff --git a/EVP-allow-empty-strings-to-EVP_Decode-functions.patch b/EVP-allow-empty-strings-to-EVP_Decode-functions.patch new file mode 100644 index 0000000..3a39e0f --- /dev/null +++ b/EVP-allow-empty-strings-to-EVP_Decode-functions.patch @@ -0,0 +1,34 @@ +From 92cef3f186c20e702b7751c5ef959b4fe816a189 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Sat, 13 Jun 2020 22:16:14 +0200 +Subject: [PATCH 020/147] EVP: allow empty strings to EVP_Decode* functions + +This is a simple check order correction. + +Fixes #12143 + +Reviewed-by: Ben Kaduk +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/12144) + +(cherry picked from commit 0800288e6e1d9f44d471043a970ba57743ca8f4c) +--- + crypto/evp/encode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c +index 9307ff0..b178be0 100644 +--- a/crypto/evp/encode.c ++++ b/crypto/evp/encode.c +@@ -423,7 +423,7 @@ static int evp_decodeblock_int(EVP_ENCODE_CTX *ctx, unsigned char *t, + table = data_ascii2bin; + + /* trim white space from the start of the line. */ +- while ((conv_ascii2bin(*f, table) == B64_WS) && (n > 0)) { ++ while ((n > 0) && (conv_ascii2bin(*f, table) == B64_WS)) { + f++; + n--; + } +-- +1.8.3.1 + diff --git a/EVP_EncryptInit.pod-fix-example.patch b/EVP_EncryptInit.pod-fix-example.patch new file mode 100644 index 0000000..2bba5fd --- /dev/null +++ b/EVP_EncryptInit.pod-fix-example.patch @@ -0,0 +1,32 @@ +From 3c09a5b0ba78a15311252ab8b7fb3ce16e7109ca Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Wed, 27 May 2020 16:32:43 +0200 +Subject: [PATCH 003/147] EVP_EncryptInit.pod: fix example + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11976) + +(cherry picked from commit d561b84143f5e7956454090e15de0c5e1425ceac) +--- + doc/man3/EVP_EncryptInit.pod | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod +index aaf9975..2828bca 100644 +--- a/doc/man3/EVP_EncryptInit.pod ++++ b/doc/man3/EVP_EncryptInit.pod +@@ -591,7 +591,7 @@ with a 128-bit key: + + /* Don't set key or IV right away; we want to check lengths */ + ctx = EVP_CIPHER_CTX_new(); +- EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, NULL, NULL, ++ EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, NULL, NULL, + do_encrypt); + OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16); + OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16); +-- +1.8.3.1 + diff --git a/Ensure-ECDSA_size-always-returns-0.patch b/Ensure-ECDSA_size-always-returns-0.patch new file mode 100644 index 0000000..5f82dc5 --- /dev/null +++ b/Ensure-ECDSA_size-always-returns-0.patch @@ -0,0 +1,32 @@ +From f9f2e609db4de8d1f2022189a99c8277c3f6289d Mon Sep 17 00:00:00 2001 +From: William Brawner +Date: Sun, 5 Apr 2020 09:39:41 -0700 +Subject: [PATCH 009/217] Ensure ECDSA_size always returns >= 0 + +Fixes #10484 + +Signed-off-by: William Brawner + +Reviewed-by: Nicola Tuveri +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11472) +--- + crypto/ec/ec_asn1.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c +index 336afc9..831b74c 100644 +--- a/crypto/ec/ec_asn1.c ++++ b/crypto/ec/ec_asn1.c +@@ -1297,5 +1297,7 @@ int ECDSA_size(const EC_KEY *r) + i = i2d_ASN1_INTEGER(&bs, NULL); + i += i; /* r and s */ + ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE); ++ if (ret < 0) ++ return 0; + return ret; + } +-- +1.8.3.1 + diff --git a/Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch b/Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch new file mode 100644 index 0000000..d640498 --- /dev/null +++ b/Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch @@ -0,0 +1,30 @@ +From 32d738c9a2abeea5a709de9c33e4e6d6b87938bd Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 12 Jun 2020 10:52:41 +0100 +Subject: [PATCH 032/147] Ensure that SSL_dup copies the min/max protocol + version + +With thanks to Rebekah Johnson for reporting this issue. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12245) +--- + ssl/ssl_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 7c7e597..1d96eb4 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3824,6 +3824,8 @@ SSL *SSL_dup(SSL *s) + goto err; + ret->version = s->version; + ret->options = s->options; ++ ret->min_proto_version = s->min_proto_version; ++ ret->max_proto_version = s->max_proto_version; + ret->mode = s->mode; + SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); + SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); +-- +1.8.3.1 + diff --git a/Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch b/Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch new file mode 100644 index 0000000..fe7a78f --- /dev/null +++ b/Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch @@ -0,0 +1,44 @@ +From 86863f2ddc4200e5048e28c40ed6521495010699 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 27 May 2020 11:37:39 +0100 +Subject: [PATCH 023/147] Ensure we never use a partially initialised CMAC_CTX + +If the CMAC_CTX is partially initialised then we make a note of this so +that future operations will fail if the initialisation has not been +completed. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12107) +--- + crypto/cmac/cmac.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c +index 6989c32..dbcc436 100644 +--- a/crypto/cmac/cmac.c ++++ b/crypto/cmac/cmac.c +@@ -116,11 +116,18 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, + return 1; + } + /* Initialise context */ +- if (cipher && !EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL)) +- return 0; ++ if (cipher != NULL) { ++ /* Ensure we can't use this ctx until we also have a key */ ++ ctx->nlast_block = -1; ++ if (!EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL)) ++ return 0; ++ } + /* Non-NULL key means initialisation complete */ +- if (key) { ++ if (key != NULL) { + int bl; ++ ++ /* If anything fails then ensure we can't use this ctx */ ++ ctx->nlast_block = -1; + if (!EVP_CIPHER_CTX_cipher(ctx->cctx)) + return 0; + if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen)) +-- +1.8.3.1 + diff --git a/Fix-AES-CTR_DRBG-on-1.1.1.patch b/Fix-AES-CTR_DRBG-on-1.1.1.patch new file mode 100644 index 0000000..e345162 --- /dev/null +++ b/Fix-AES-CTR_DRBG-on-1.1.1.patch @@ -0,0 +1,44 @@ +From 0d011f540400b425aba1c3e59624ad9dbabe83cb Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Apr 2020 12:33:47 +1000 +Subject: [PATCH 014/217] Fix AES-CTR_DRBG on 1.1.1. + +The backport of the timing information leak fix uses u32 which is defined +in crypto/modes/modes_local.h in 1.1.1 and include/crypto/modes.h for 3.0. + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11489) +--- + crypto/rand/build.info | 2 ++ + crypto/rand/drbg_ctr.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/crypto/rand/build.info b/crypto/rand/build.info +index df9bac6..a4e7900 100644 +--- a/crypto/rand/build.info ++++ b/crypto/rand/build.info +@@ -2,3 +2,5 @@ LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ + randfile.c rand_lib.c rand_err.c rand_egd.c \ + rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c ++ ++INCLUDE[drbg_ctr.o]=../modes +diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c +index f41484e..af20197 100644 +--- a/crypto/rand/drbg_ctr.c ++++ b/crypto/rand/drbg_ctr.c +@@ -12,9 +12,10 @@ + #include + #include + #include +-#include "internal/thread_once.h" ++#include "modes_local.h" + #include "internal/thread_once.h" + #include "rand_local.h" ++ + /* + * Implementation of NIST SP 800-90A CTR DRBG. + */ +-- +1.8.3.1 + diff --git a/Fix-AES-GCM-bug-on-aarch64-BigEndian.patch b/Fix-AES-GCM-bug-on-aarch64-BigEndian.patch new file mode 100644 index 0000000..209b82f --- /dev/null +++ b/Fix-AES-GCM-bug-on-aarch64-BigEndian.patch @@ -0,0 +1,77 @@ +From b11aa831cfe09befe3fb3229ca46a4a59352de34 Mon Sep 17 00:00:00 2001 +From: simplelins +Date: Fri, 3 Jan 2020 22:56:18 +0800 +Subject: [PATCH 087/147] Fix AES-GCM bug on aarch64 BigEndian + +Fixes #10638 +Fixes #13188 + +Fixes a bug for aarch64 bigendian with instructions 'st1' and 'ld1' on AES-GCM mode. + +CLA: trivial + +(cherry picked from commit bc8b648f744566031ce84d77333dbbcb9689e975) + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/13193) +--- + crypto/aes/asm/aesv8-armx.pl | 10 +++++++++- + crypto/modes/modes_local.h | 7 +++++-- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl +index d6068db..f42f7bd 100755 +--- a/crypto/aes/asm/aesv8-armx.pl ++++ b/crypto/aes/asm/aesv8-armx.pl +@@ -183,7 +183,12 @@ $code.=<<___; + .Loop192: + vtbl.8 $key,{$in1},$mask + vext.8 $tmp,$zero,$in0,#12 ++#ifdef __ARMEB__ ++ vst1.32 {$in1},[$out],#16 ++ sub $out,$out,#8 ++#else + vst1.32 {$in1},[$out],#8 ++#endif + aese $key,$zero + subs $bits,$bits,#1 + +@@ -715,8 +720,11 @@ $code.=<<___; + ldr $rounds,[$key,#240] + + ldr $ctr, [$ivp, #12] ++#ifdef __ARMEB__ ++ vld1.8 {$dat0},[$ivp] ++#else + vld1.32 {$dat0},[$ivp] +- ++#endif + vld1.32 {q8-q9},[$key] // load key schedule... + sub $rounds,$rounds,#4 + mov $step,#16 +diff --git a/crypto/modes/modes_local.h b/crypto/modes/modes_local.h +index 28c32c0..8881416 100644 +--- a/crypto/modes/modes_local.h ++++ b/crypto/modes/modes_local.h +@@ -63,12 +63,15 @@ typedef u32 u32_a1; + asm ("bswapl %0" \ + : "+r"(ret_)); ret_; }) + # elif defined(__aarch64__) +-# define BSWAP8(x) ({ u64 ret_; \ ++# if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \ ++ __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__ ++# define BSWAP8(x) ({ u64 ret_; \ + asm ("rev %0,%1" \ + : "=r"(ret_) : "r"(x)); ret_; }) +-# define BSWAP4(x) ({ u32 ret_; \ ++# define BSWAP4(x) ({ u32 ret_; \ + asm ("rev %w0,%w1" \ + : "=r"(ret_) : "r"(x)); ret_; }) ++# endif + # elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT) + # define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \ + asm ("rev %0,%0; rev %1,%1" \ +-- +1.8.3.1 + diff --git a/Fix-PEM-certificate-loading-that-sometimes-fails.patch b/Fix-PEM-certificate-loading-that-sometimes-fails.patch new file mode 100644 index 0000000..e20f15b --- /dev/null +++ b/Fix-PEM-certificate-loading-that-sometimes-fails.patch @@ -0,0 +1,142 @@ +From 69296e264e58334620f541d09a4e381ee45542d4 Mon Sep 17 00:00:00 2001 +From: Maximilian Blenk +Date: Tue, 7 Apr 2020 19:33:39 +0200 +Subject: [PATCH 046/217] Fix PEM certificate loading that sometimes fails + +As described in https://github.com/openssl/openssl/issues/9187, the +loading of PEM certificates sometimes fails if a line of base64 +content has the length of a multiple of 254. +The problem is in get_header_and_data(). When such a line with a +length of 254 (or a multiple) has been read, the next read will +only read a newline. Due to this get_header_and_data() expects to be +in the header not in the data area. This commit fixes that by checking +if lines have been read completely or only partially. In case of a +previous partial read, a newline will be ignored. + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/11741) + +(cherry picked from commit 0324ffc5d5d393111288eca2c9d67f2141ed65f5) +--- + crypto/pem/pem_lib.c | 28 ++++++++++++++++------ + test/recipes/04-test_pem.t | 3 +++ + .../04-test_pem_data/cert-254-chars-at-the-end.pem | 6 +++++ + .../cert-254-chars-in-the-middle.pem | 5 ++++ + .../cert-oneline-multiple-of-254.pem | 3 +++ + 5 files changed, 38 insertions(+), 7 deletions(-) + create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem + create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem + create mode 100644 test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem + +diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c +index 64baf71..0d79f4a 100644 +--- a/crypto/pem/pem_lib.c ++++ b/crypto/pem/pem_lib.c +@@ -791,7 +791,7 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, + { + BIO *tmp = *header; + char *linebuf, *p; +- int len, line, ret = 0, end = 0; ++ int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0; + /* 0 if not seen (yet), 1 if reading header, 2 if finished header */ + enum header_status got_header = MAYBE_HEADER; + unsigned int flags_mask; +@@ -813,6 +813,14 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, + goto err; + } + ++ /* ++ * Check if line has been read completely or if only part of the line ++ * has been read. Keep the previous value to ignore newlines that ++ * appear due to reading a line up until the char before the newline. ++ */ ++ prev_partial_line_read = partial_line_read; ++ partial_line_read = len == LINESIZE-1 && linebuf[LINESIZE-2] != '\n'; ++ + if (got_header == MAYBE_HEADER) { + if (memchr(linebuf, ':', len) != NULL) + got_header = IN_HEADER; +@@ -823,13 +831,19 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name, + + /* Check for end of header. */ + if (linebuf[0] == '\n') { +- if (got_header == POST_HEADER) { +- /* Another blank line is an error. */ +- PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE); +- goto err; ++ /* ++ * If previous line has been read only partially this newline is a ++ * regular newline at the end of a line and not an empty line. ++ */ ++ if (!prev_partial_line_read) { ++ if (got_header == POST_HEADER) { ++ /* Another blank line is an error. */ ++ PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE); ++ goto err; ++ } ++ got_header = POST_HEADER; ++ tmp = *data; + } +- got_header = POST_HEADER; +- tmp = *data; + continue; + } + +diff --git a/test/recipes/04-test_pem.t b/test/recipes/04-test_pem.t +index c321611..e261275 100644 +--- a/test/recipes/04-test_pem.t ++++ b/test/recipes/04-test_pem.t +@@ -28,6 +28,8 @@ my %cert_expected = ( + "cert-1023line.pem" => 1, + "cert-1024line.pem" => 1, + "cert-1025line.pem" => 1, ++ "cert-254-chars-at-the-end.pem" => 1, ++ "cert-254-chars-in-the-middle.pem" => 1, + "cert-255line.pem" => 1, + "cert-256line.pem" => 1, + "cert-257line.pem" => 1, +@@ -42,6 +44,7 @@ my %cert_expected = ( + "cert-misalignedpad.pem" => 0, + "cert-onecolumn.pem" => 1, + "cert-oneline.pem" => 1, ++ "cert-oneline-multiple-of-254.pem" => 1, + "cert-shortandlongline.pem" => 1, + "cert-shortline.pem" => 1, + "cert-threecolumn.pem" => 1, +diff --git a/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem b/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem +new file mode 100644 +index 0000000..0b6a3ba +--- /dev/null ++++ b/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem +@@ -0,0 +1,6 @@ ++-----BEGIN CERTIFICATE----- ++MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCBTaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLf ++mipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo ++9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjo ++Kx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c= ++-----END CERTIFICATE----- +diff --git a/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem b/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem +new file mode 100644 +index 0000000..cc9076b +--- /dev/null ++++ b/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem +@@ -0,0 +1,5 @@ ++-----BEGIN CERTIFICATE----- ++MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT ++3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCB ++TaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLfmipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjoKx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c= ++-----END CERTIFICATE----- +diff --git a/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem b/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem +new file mode 100644 +index 0000000..e0af859 +--- /dev/null ++++ b/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem +@@ -0,0 +1,3 @@ ++-----BEGIN CERTIFICATE----- ++MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCBTaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLfmipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjoKx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c= ++-----END CERTIFICATE----- +-- +1.8.3.1 + diff --git a/Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch b/Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch new file mode 100644 index 0000000..f04a50c --- /dev/null +++ b/Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch @@ -0,0 +1,126 @@ +From 56456c3404b0ec27f93816d951ff7a58827481f0 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Thu, 27 Aug 2020 07:18:55 +0200 +Subject: [PATCH 063/147] Fix PEM_write_bio_PrivateKey_traditional() to not + output PKCS#8 + +PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the +actual encoding to DER. However, i2d_PrivateKey() is a generic +function that will do what it can to produce output according to what +the associated EVP_PKEY_ASN1_METHOD offers. If that method offers a +function 'old_priv_encode', which is expected to produce the +"traditional" encoded form, then i2d_PrivateKey() uses that. If not, +i2d_PrivateKey() will go on and used more modern methods, which are +all expected to produce PKCS#8. + +To ensure that PEM_write_bio_PrivateKey_traditional() never produces +more modern encoded forms, an extra check that 'old_priv_encode' is +non-NULL is added. If it is NULL, an error is returned. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12729) +--- + crypto/err/openssl.txt | 3 +++ + crypto/pem/pem_err.c | 6 +++++- + crypto/pem/pem_pkey.c | 6 ++++++ + include/openssl/pemerr.h | 4 +++- + 4 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index 3ca271b..0b5873e 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -934,6 +934,8 @@ PEM_F_PEM_READ_PRIVATEKEY:124:PEM_read_PrivateKey + PEM_F_PEM_SIGNFINAL:112:PEM_SignFinal + PEM_F_PEM_WRITE:113:PEM_write + PEM_F_PEM_WRITE_BIO:114:PEM_write_bio ++PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL:147:\ ++ PEM_write_bio_PrivateKey_traditional + PEM_F_PEM_WRITE_PRIVATEKEY:139:PEM_write_PrivateKey + PEM_F_PEM_X509_INFO_READ:115:PEM_X509_INFO_read + PEM_F_PEM_X509_INFO_READ_BIO:116:PEM_X509_INFO_read_bio +@@ -2400,6 +2402,7 @@ PEM_R_UNEXPECTED_DEK_IV:130:unexpected dek iv + PEM_R_UNSUPPORTED_CIPHER:113:unsupported cipher + PEM_R_UNSUPPORTED_ENCRYPTION:114:unsupported encryption + PEM_R_UNSUPPORTED_KEY_COMPONENTS:126:unsupported key components ++PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE:110:unsupported public key type + PKCS12_R_CANT_PACK_STRUCTURE:100:cant pack structure + PKCS12_R_CONTENT_TYPE_NOT_DATA:121:content type not data + PKCS12_R_DECODE_ERROR:101:decode error +diff --git a/crypto/pem/pem_err.c b/crypto/pem/pem_err.c +index f642030..0f3cb02 100644 +--- a/crypto/pem/pem_err.c ++++ b/crypto/pem/pem_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -60,6 +60,8 @@ static const ERR_STRING_DATA PEM_str_functs[] = { + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_SIGNFINAL, 0), "PEM_SignFinal"}, + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE, 0), "PEM_write"}, + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_BIO, 0), "PEM_write_bio"}, ++ {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL, 0), ++ "PEM_write_bio_PrivateKey_traditional"}, + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_PRIVATEKEY, 0), + "PEM_write_PrivateKey"}, + {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_READ, 0), "PEM_X509_INFO_read"}, +@@ -109,6 +111,8 @@ static const ERR_STRING_DATA PEM_str_reasons[] = { + "unsupported encryption"}, + {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_KEY_COMPONENTS), + "unsupported key components"}, ++ {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE), ++ "unsupported public key type"}, + {0, NULL} + }; + +diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c +index e58cdf4..7bd9aa0 100644 +--- a/crypto/pem/pem_pkey.c ++++ b/crypto/pem/pem_pkey.c +@@ -108,6 +108,12 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, EVP_PKEY *x, + pem_password_cb *cb, void *u) + { + char pem_str[80]; ++ ++ if (x->ameth == NULL || x->ameth->old_priv_encode == NULL) { ++ PEMerr(PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL, ++ PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE); ++ return 0; ++ } + BIO_snprintf(pem_str, 80, "%s PRIVATE KEY", x->ameth->pem_str); + return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey, + pem_str, bp, x, enc, kstr, klen, cb, u); +diff --git a/include/openssl/pemerr.h b/include/openssl/pemerr.h +index 0c45918..4f7e357 100644 +--- a/include/openssl/pemerr.h ++++ b/include/openssl/pemerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -61,6 +61,7 @@ int ERR_load_PEM_strings(void); + # define PEM_F_PEM_SIGNFINAL 112 + # define PEM_F_PEM_WRITE 113 + # define PEM_F_PEM_WRITE_BIO 114 ++# define PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL 147 + # define PEM_F_PEM_WRITE_PRIVATEKEY 139 + # define PEM_F_PEM_X509_INFO_READ 115 + # define PEM_F_PEM_X509_INFO_READ_BIO 116 +@@ -99,5 +100,6 @@ int ERR_load_PEM_strings(void); + # define PEM_R_UNSUPPORTED_CIPHER 113 + # define PEM_R_UNSUPPORTED_ENCRYPTION 114 + # define PEM_R_UNSUPPORTED_KEY_COMPONENTS 126 ++# define PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE 110 + + #endif +-- +1.8.3.1 + diff --git a/Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch b/Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch new file mode 100644 index 0000000..72bc137 --- /dev/null +++ b/Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch @@ -0,0 +1,41 @@ +From dea4e33a92a8c6a49bfabda4e78afa3d0e2e0d61 Mon Sep 17 00:00:00 2001 +From: raja-ashok +Date: Fri, 8 May 2020 19:17:21 +0530 +Subject: [PATCH 052/217] Fix crash in early data send with out-of-band PSK + using AES CCM + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11809) +--- + ssl/tls13_enc.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c +index 86754dc..b8fb07f 100644 +--- a/ssl/tls13_enc.c ++++ b/ssl/tls13_enc.c +@@ -390,11 +390,18 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, + uint32_t algenc; + + ivlen = EVP_CCM_TLS_IV_LEN; +- if (s->s3->tmp.new_cipher == NULL) { ++ if (s->s3->tmp.new_cipher != NULL) { ++ algenc = s->s3->tmp.new_cipher->algorithm_enc; ++ } else if (s->session->cipher != NULL) { + /* We've not selected a cipher yet - we must be doing early data */ + algenc = s->session->cipher->algorithm_enc; ++ } else if (s->psksession != NULL && s->psksession->cipher != NULL) { ++ /* We must be doing early data with out-of-band PSK */ ++ algenc = s->psksession->cipher->algorithm_enc; + } else { +- algenc = s->s3->tmp.new_cipher->algorithm_enc; ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, ++ ERR_R_EVP_LIB); ++ goto err; + } + if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) + taglen = EVP_CCM8_TLS_TAG_LEN; +-- +1.8.3.1 + diff --git a/Fix-d2i_PrivateKey-to-work-as-documented.patch b/Fix-d2i_PrivateKey-to-work-as-documented.patch new file mode 100644 index 0000000..70653fc --- /dev/null +++ b/Fix-d2i_PrivateKey-to-work-as-documented.patch @@ -0,0 +1,39 @@ +From 176eb406691f14d560cf7619365830a4d033ee28 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Mon, 11 May 2020 09:14:11 +0200 +Subject: [PATCH 062/217] Fix d2i_PrivateKey() to work as documented + +d2i_PrivateKey() is documented to return keys of the type given as +first argument |type|, unconditionally. Most specifically, the manual +says this: + +> An error occurs if the decoded key does not match type. + +However, when faced of a PKCS#8 wrapped key, |type| was ignored, which +may lead to unexpected results. + +(cherry picked from commit b2952366dd0248bf35c83e1736cd203033a22378) + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +(Merged from https://github.com/openssl/openssl/pull/11888) +--- + crypto/asn1/d2i_pr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c +index 6ec0107..ac1a8c4 100644 +--- a/crypto/asn1/d2i_pr.c ++++ b/crypto/asn1/d2i_pr.c +@@ -56,6 +56,8 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, + goto err; + EVP_PKEY_free(ret); + ret = tmp; ++ if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret)) ++ goto err; + } else { + ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB); + goto err; +-- +1.8.3.1 + diff --git a/Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch b/Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch new file mode 100644 index 0000000..c68721b --- /dev/null +++ b/Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch @@ -0,0 +1,71 @@ +From 7f699cb663741a73cfe95214d4a39a1078c94294 Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Wed, 3 Jun 2020 07:49:27 +0200 +Subject: [PATCH 014/147] Fix err checking and mem leaks of BIO_set_conn_port + and BIO_set_conn_address + +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12036) +--- + crypto/bio/bss_conn.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c +index f4c6b85..807a82b 100644 +--- a/crypto/bio/bss_conn.c ++++ b/crypto/bio/bss_conn.c +@@ -416,12 +416,13 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) + case BIO_C_SET_CONNECT: + if (ptr != NULL) { + b->init = 1; +- if (num == 0) { ++ if (num == 0) { /* BIO_set_conn_hostname */ + char *hold_service = data->param_service; + /* We affect the hostname regardless. However, the input + * string might contain a host:service spec, so we must + * parse it, which might or might not affect the service + */ ++ + OPENSSL_free(data->param_hostname); + data->param_hostname = NULL; + ret = BIO_parse_hostserv(ptr, +@@ -430,19 +431,29 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) + BIO_PARSE_PRIO_HOST); + if (hold_service != data->param_service) + OPENSSL_free(hold_service); +- } else if (num == 1) { ++ } else if (num == 1) { /* BIO_set_conn_port */ + OPENSSL_free(data->param_service); +- data->param_service = BUF_strdup(ptr); +- } else if (num == 2) { ++ if ((data->param_service = OPENSSL_strdup(ptr)) == NULL) ++ ret = 0; ++ } else if (num == 2) { /* BIO_set_conn_address */ + const BIO_ADDR *addr = (const BIO_ADDR *)ptr; ++ char *host = BIO_ADDR_hostname_string(addr, 1); ++ char *service = BIO_ADDR_service_string(addr, 1); ++ ++ ret = host != NULL && service != NULL; + if (ret) { +- data->param_hostname = BIO_ADDR_hostname_string(addr, 1); +- data->param_service = BIO_ADDR_service_string(addr, 1); ++ OPENSSL_free(data->param_hostname); ++ data->param_hostname = host; ++ OPENSSL_free(data->param_service); ++ data->param_service = service; + BIO_ADDRINFO_free(data->addr_first); + data->addr_first = NULL; + data->addr_iter = NULL; ++ } else { ++ OPENSSL_free(host); ++ OPENSSL_free(service); + } +- } else if (num == 3) { ++ } else if (num == 3) { /* BIO_set_conn_ip_family */ + data->connect_family = *(int *)ptr; + } else { + ret = 0; +-- +1.8.3.1 + diff --git a/Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch b/Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch new file mode 100644 index 0000000..9ba7372 --- /dev/null +++ b/Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch @@ -0,0 +1,377 @@ +From e2590c3a162eb118c36b09c2168164283aa099b4 Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Tue, 24 Dec 2019 11:25:15 +0100 +Subject: [PATCH 050/147] Fix issue 1418 by moving check of KU_KEY_CERT_SIGN + and weakening check_issued() + +Move check that cert signing is allowed from x509v3_cache_extensions() to +where it belongs: internal_verify(), generalize it for proxy cert signing. +Correct and simplify check_issued(), now checking self-issued (not: self-signed). +Add test case to 25-test_verify.t that demonstrates successful fix. + +As prerequisites, this adds the static function check_sig_alg_match() +and the internal functions x509_likely_issued() and x509_signing_allowed(). + +This is a backport of the core of PR #10587. +Fixes #1418 + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12357) +--- + crypto/x509/x509_local.h | 2 + + crypto/x509/x509_vfy.c | 52 +++++++++++++----------- + crypto/x509v3/v3_purp.c | 64 ++++++++++++++++++++++++------ + doc/man3/X509_STORE_set_verify_cb_func.pod | 4 +- + doc/man3/X509_check_issued.pod | 17 ++++---- + include/openssl/x509_vfy.h | 3 ++ + test/certs/ee-self-signed.pem | 18 +++++++++ + test/certs/setup.sh | 3 ++ + test/recipes/25-test_verify.t | 5 ++- + 9 files changed, 123 insertions(+), 45 deletions(-) + create mode 100644 test/certs/ee-self-signed.pem + +diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h +index c517a77..6ac3c7e 100644 +--- a/crypto/x509/x509_local.h ++++ b/crypto/x509/x509_local.h +@@ -145,3 +145,5 @@ DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY) + + void x509_set_signature_info(X509_SIG_INFO *siginf, const X509_ALGOR *alg, + const ASN1_STRING *sig); ++int x509_likely_issued(X509 *issuer, X509 *subject); ++int x509_signing_allowed(const X509 *issuer, const X509 *subject); +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 5bd3c4c..87b51e9 100644 +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -104,7 +104,12 @@ static int null_callback(int ok, X509_STORE_CTX *e) + return ok; + } + +-/* Return 1 is a certificate is self signed */ ++/* ++ * Return 1 if given cert is considered self-signed, 0 if not or on error. ++ * This does not verify self-signedness but relies on x509v3_cache_extensions() ++ * matching issuer and subject names (i.e., the cert being self-issued) and any ++ * present authority key identifier matching the subject key identifier, etc. ++ */ + static int cert_self_signed(X509 *x) + { + if (X509_check_purpose(x, -1, 0) != 1) +@@ -325,30 +330,26 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) + return rv; + } + +-/* Given a possible certificate and issuer check them */ +- ++/* ++ * Check that the given certificate 'x' is issued by the certificate 'issuer' ++ * and the issuer is not yet in ctx->chain, where the exceptional case ++ * that 'x' is self-issued and ctx->chain has just one element is allowed. ++ */ + static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) + { +- int ret; +- if (x == issuer) +- return cert_self_signed(x); +- ret = X509_check_issued(issuer, x); +- if (ret == X509_V_OK) { ++ if (x509_likely_issued(issuer, x) != X509_V_OK) ++ return 0; ++ if ((x->ex_flags & EXFLAG_SI) == 0 || sk_X509_num(ctx->chain) != 1) { + int i; + X509 *ch; +- /* Special case: single self signed certificate */ +- if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1) +- return 1; ++ + for (i = 0; i < sk_X509_num(ctx->chain); i++) { + ch = sk_X509_value(ctx->chain, i); +- if (ch == issuer || !X509_cmp(ch, issuer)) { +- ret = X509_V_ERR_PATH_LOOP; +- break; +- } ++ if (ch == issuer || X509_cmp(ch, issuer) == 0) ++ return 0; + } + } +- +- return (ret == X509_V_OK); ++ return 1; + } + + /* Alternative lookup method: look from a STACK stored in other_ctx */ +@@ -1752,18 +1753,23 @@ static int internal_verify(X509_STORE_CTX *ctx) + * is allowed to reset errors (at its own peril). + */ + while (n >= 0) { +- EVP_PKEY *pkey; +- + /* +- * Skip signature check for self signed certificates unless explicitly +- * asked for. It doesn't add any security and just wastes time. If +- * the issuer's public key is unusable, report the issuer certificate ++ * Skip signature check for self-issued certificates unless explicitly ++ * asked for because it does not add any security and just wastes time. ++ * If the issuer's public key is not available or its key usage does ++ * not support issuing the subject cert, report the issuer certificate + * and its depth (rather than the depth of the subject). + */ + if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { ++ EVP_PKEY *pkey; ++ int issuer_depth = n + (xs == xi ? 0 : 1); ++ int ret = x509_signing_allowed(xi, xs); ++ ++ if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret)) ++ return 0; + if ((pkey = X509_get0_pubkey(xi)) == NULL) { + if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, +- X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) ++ X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) + return 0; + } else if (X509_verify(xs, pkey) <= 0) { + if (!verify_cb_cert(ctx, xs, n, +diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c +index f023c64..2b06dba 100644 +--- a/crypto/x509v3/v3_purp.c ++++ b/crypto/x509v3/v3_purp.c +@@ -13,6 +13,7 @@ + #include + #include + #include "crypto/x509.h" ++#include "../x509/x509_local.h" /* for x509_signing_allowed() */ + #include "internal/tsan_assist.h" + + static void x509v3_cache_extensions(X509 *x); +@@ -344,6 +345,21 @@ static int setup_crldp(X509 *x) + return 1; + } + ++/* Check that issuer public key algorithm matches subject signature algorithm */ ++static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject) ++{ ++ int pkey_nid; ++ ++ if (pkey == NULL) ++ return X509_V_ERR_NO_ISSUER_PUBLIC_KEY; ++ if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm), ++ NULL, &pkey_nid) == 0) ++ return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM; ++ if (EVP_PKEY_type(pkey_nid) != EVP_PKEY_base_id(pkey)) ++ return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH; ++ return X509_V_OK; ++} ++ + #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) + #define ku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) +@@ -496,11 +512,11 @@ static void x509v3_cache_extensions(X509 *x) + x->ex_flags |= EXFLAG_INVALID; + /* Does subject name match issuer ? */ + if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { +- x->ex_flags |= EXFLAG_SI; +- /* If SKID matches AKID also indicate self signed */ +- if (X509_check_akid(x, x->akid) == X509_V_OK && +- !ku_reject(x, KU_KEY_CERT_SIGN)) +- x->ex_flags |= EXFLAG_SS; ++ x->ex_flags |= EXFLAG_SI; /* cert is self-issued */ ++ if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */ ++ /* .. and the signature alg matches the PUBKEY alg: */ ++ && check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK) ++ x->ex_flags |= EXFLAG_SS; /* indicate self-signed */ + } + x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL); + if (x->altname == NULL && i != -1) +@@ -793,6 +809,23 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) + } + + /*- ++ * Check if certificate I is allowed to issue certificate I ++ * according to the B field of I if present ++ * depending on any proxyCertInfo extension of I. ++ * Returns 0 for OK, or positive for reason for rejection ++ * where reason codes match those for X509_verify_cert(). ++ */ ++int x509_signing_allowed(const X509 *issuer, const X509 *subject) ++{ ++ if (subject->ex_flags & EXFLAG_PROXY) { ++ if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) ++ return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; ++ } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) ++ return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; ++ return X509_V_OK; ++} ++ ++/*- + * Various checks to see if one certificate issued the second. + * This can be used to prune a set of possible issuer certificates + * which have been looked up using some simple method such as by +@@ -800,13 +833,24 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) + * These are: + * 1. Check issuer_name(subject) == subject_name(issuer) + * 2. If akid(subject) exists check it matches issuer +- * 3. If key_usage(issuer) exists check it supports certificate signing ++ * 3. Check that issuer public key algorithm matches subject signature algorithm ++ * 4. If key_usage(issuer) exists check it supports certificate signing + * returns 0 for OK, positive for reason for mismatch, reasons match + * codes for X509_verify_cert() + */ + + int X509_check_issued(X509 *issuer, X509 *subject) + { ++ int ret; ++ ++ if ((ret = x509_likely_issued(issuer, subject)) != X509_V_OK) ++ return ret; ++ return x509_signing_allowed(issuer, subject); ++} ++ ++/* do the checks 1., 2., and 3. as described above for X509_check_issued() */ ++int x509_likely_issued(X509 *issuer, X509 *subject) ++{ + if (X509_NAME_cmp(X509_get_subject_name(issuer), + X509_get_issuer_name(subject))) + return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; +@@ -824,12 +868,8 @@ int X509_check_issued(X509 *issuer, X509 *subject) + return ret; + } + +- if (subject->ex_flags & EXFLAG_PROXY) { +- if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) +- return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; +- } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) +- return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; +- return X509_V_OK; ++ /* check if the subject signature alg matches the issuer's PUBKEY alg */ ++ return check_sig_alg_match(X509_get0_pubkey(issuer), subject); + } + + int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) +diff --git a/doc/man3/X509_STORE_set_verify_cb_func.pod b/doc/man3/X509_STORE_set_verify_cb_func.pod +index d16881e..47de27d 100644 +--- a/doc/man3/X509_STORE_set_verify_cb_func.pod ++++ b/doc/man3/X509_STORE_set_verify_cb_func.pod +@@ -137,7 +137,9 @@ I + + X509_STORE_set_check_issued() sets the function to check that a given +-certificate B is issued with the issuer certificate B. ++certificate B is issued by the issuer certificate B and ++the issuer is not yet in the chain contained in , where the exceptional ++case that B is self-issued and ctx->chain has just one element is allowed. + This function must return 0 on failure (among others if B hasn't + been issued with B) and 1 on success. + I was issued using CA +-certificate I. This function takes into account not only +-matching of issuer field of I with subject field of I, +-but also compares B extension of I with +-B of I if B +-present in the I certificate and checks B field of +-I. ++X509_check_issued() checks if certificate I was apparently issued ++using (CA) certificate I. This function takes into account not only ++matching of the issuer field of I with the subject field of I, ++but also compares all sub-fields of the B extension of ++I, as far as present, with the respective B, ++serial number, and issuer fields of I, as far as present. It also checks ++if the B field (if present) of I allows certificate signing. ++It does not check the certificate signature. + + =head1 RETURN VALUES + +diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h +index adb8bce..0f13739 100644 +--- a/include/openssl/x509_vfy.h ++++ b/include/openssl/x509_vfy.h +@@ -184,6 +184,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); + # define X509_V_ERR_OCSP_VERIFY_NEEDED 73 /* Need OCSP verification */ + # define X509_V_ERR_OCSP_VERIFY_FAILED 74 /* Couldn't verify cert through OCSP */ + # define X509_V_ERR_OCSP_CERT_UNKNOWN 75 /* Certificate wasn't recognized by the OCSP responder */ ++# define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH 76 ++# define X509_V_ERR_NO_ISSUER_PUBLIC_KEY 77 ++# define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM 78 + + /* Certificate verify flags */ + +diff --git a/test/certs/ee-self-signed.pem b/test/certs/ee-self-signed.pem +new file mode 100644 +index 0000000..ad1e37b +--- /dev/null ++++ b/test/certs/ee-self-signed.pem +@@ -0,0 +1,18 @@ ++-----BEGIN CERTIFICATE----- ++MIICzzCCAbegAwIBAgIUBP7iEKPlKuinZGQNFxSY3IBIb0swDQYJKoZIhvcNAQEL ++BQAwGTEXMBUGA1UEAwwOZWUtc2VsZi1zaWduZWQwHhcNMjAwNjI4MTA1MTQ1WhcN ++MjAwNzI4MTA1MTQ1WjAZMRcwFQYDVQQDDA5lZS1zZWxmLXNpZ25lZDCCASIwDQYJ ++KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU ++fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC ++76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz ++BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl ++V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv ++0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaMP ++MA0wCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQBiLmIUCGb+hmRGbmpO ++lDqEwiRVdxHBs4OSb3IA9QgU1QKUDRqn7q27RRelmzTXllubZZcX3K6o+dunRW5G ++d3f3FVr+3Z7wnmkQtC2y3NWtGuWNczss+6rMLzKvla5CjRiNPlSvluMNpcs7BJxI ++ppk1LxlaiYlQkDW32OPyxzXWDNv1ZkphcOcoCkHAagnq9x1SszvLTjAlo5XpYrm5 ++CPgBOEnVwFCgne5Ab4QPTgkxPh/Ta508I/FKaPLJqci1EfGKipZkS7mMGTUJEeVK ++wZrn4z7RiTfJ4PdqO5iv8eOpt03fqdPEXQWe8DrKyfGM6/e369FaXMFhcd2ZxZy2 ++WHoc ++-----END CERTIFICATE----- +diff --git a/test/certs/setup.sh b/test/certs/setup.sh +index bbe4842..7e40f65 100755 +--- a/test/certs/setup.sh ++++ b/test/certs/setup.sh +@@ -185,6 +185,9 @@ OPENSSL_SIGALG=md5 \ + OPENSSL_KEYBITS=768 \ + ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert + ++# self-signed end-entity cert with explicit keyUsage not including KeyCertSign ++openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature ++ + # Proxy certificates, off of ee-client + # Start with some good ones + ./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \ +diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t +index cf7842c..0c643e5 100644 +--- a/test/recipes/25-test_verify.t ++++ b/test/recipes/25-test_verify.t +@@ -27,7 +27,7 @@ sub verify { + run(app([@args])); + } + +-plan tests => 135; ++plan tests => 136; + + # Canonical success + ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), +@@ -368,6 +368,9 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"] + ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"), + "Public Key Algorithm rsa instead of rsaEncryption"); + ++ ok(verify("ee-self-signed", "sslserver", ["ee-self-signed"], []), ++ "accept trusted self-signed EE cert excluding key usage keyCertSign"); ++ + SKIP: { + skip "Ed25519 is not supported by this OpenSSL build", 1 + if disabled("ec"); +-- +1.8.3.1 + diff --git a/Fix-memory-leaks-in-conf_def.c.patch b/Fix-memory-leaks-in-conf_def.c.patch new file mode 100644 index 0000000..f8fbcbf --- /dev/null +++ b/Fix-memory-leaks-in-conf_def.c.patch @@ -0,0 +1,39 @@ +From 526cf60408e1a356ec712b6c88a88864fdbe73af Mon Sep 17 00:00:00 2001 +From: luxinyou +Date: Mon, 7 Sep 2020 18:06:45 +1000 +Subject: [PATCH 065/147] Fix memory leaks in conf_def.c + +Fixes #12471 +CLA: trivial + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/12533) + +(cherry picked from commit 4348995b0d818203f37ffa51c9bdf4488cf24bad) +--- + crypto/conf/conf_def.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c +index ca76fa3..72669b1 100644 +--- a/crypto/conf/conf_def.c ++++ b/crypto/conf/conf_def.c +@@ -376,11 +376,13 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) + if (biosk == NULL) { + if ((biosk = sk_BIO_new_null()) == NULL) { + CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE); ++ BIO_free(next); + goto err; + } + } + if (!sk_BIO_push(biosk, in)) { + CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE); ++ BIO_free(next); + goto err; + } + /* continue with reading from the included BIO */ +-- +1.8.3.1 + diff --git a/Fix-rsa8192.pem.patch b/Fix-rsa8192.pem.patch new file mode 100644 index 0000000..125d5a3 --- /dev/null +++ b/Fix-rsa8192.pem.patch @@ -0,0 +1,266 @@ +From 024035b6e018405d7c29bce2e10e884066203601 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 10 May 2020 06:37:12 +0200 +Subject: [PATCH 048/217] Fix rsa8192.pem + +Q: How did I do that? + +A: That's a long story. + +Precondition: I used sage 8.1 for the math, it could probably +done with simple python as well but I did not try. + +First I extract numbers from rsa8192.pem: + +openssl rsa -in rsa8192.pem -noout -text | sed "s/://g; s/ //g;" + +cut&paste the numbers into sage: + +modulus +00890d9fd57e81b5ed43283d0ea020 +4a1229333d6fb9c37a179375b09c4f +7b5b1cf2eb025979b6d90b709928a0 +6725e04caf2b0f7fe94afbdf9f3fa5 +66f1ba75c2f6dc488039f410eb5fa8 +ab152b8cfdb76791bb853059438edf +ae56bc70a32a9f3e2d883e8b751d08 +3797999dc81a9c4d6bdb3a75362fd1 +d9c497cf5028dfcdd4cc3eb318e79f +c0db45cbeed955da8a447f0872dee5 +65bde4013340e767731441fae4fa54 +51356bfbc84e1271b39f111f5f8ef3 +a6c8973765b39addef80306194f4ea +89fdfc8e9744866323f6936de89b2f +e2741578b8eb3c41676702fabc50ec +c376e6b7b6e7f94e7d7b5c1bab3c9f +23bb0c8f04d8aca64c309fc063c406 +553e1c1421cc45060df7f48c49f5c5 +b459d572e273402d6a3ff008657fe9 +1936714d1823c5cad53d80630b3216 +9bf70feb2ebc1af6a35ee0bf059aed +49c4e367d567e130e2846859b271fd +a8949b182e050819866b8e762ed29f +fb3f7ca14cebfc2488662be4b3980f +c8d31890a05f38ae9690cc7d9d3efc +4808e03da104a8c28bb480bb814995 +a6e8b8978ab8350d90b3894e3abf7d +c4ad0956335752c8d6944b38a1715e +7d9950f49e6cdba171fbe651a2ca26 +65a7c70b6e8cf3a02c2f93dad8aa95 +06481cdb032d04082a5a6c6a733b65 +20fa80e2ef57b9cf858ca5ea11e084 +bc31a386fc6b099f069786207f80d6 +1f2bef294400d59394ad1006431366 +a54ae09b0ecd3377dcd8af8fde9b94 +fd559b0b7adc5113ba66fc4b3dc842 +ee562cfcfd39b4ffc31576635873fc +59535b7aa98605772436c251834e23 +4fb2347cc970a49818cac2a9ee95eb +b55fa2da66edd53e11245c6732140a +ae41491288cbf462eef8a807b46d0d +affa38d9ccfe8033d2d4a3cf5c5b82 +9df12183f7a05d3650153cd317a017 +083ac641c2c3ad11305de0a032be45 +c439bd7bbbe3cb97850f9d2c66f72a +4a66e9d434544fc6d294ca3c92627b +e518bfa44e3017ac8ad9c0a26a227d +2e8677da0a4de8edb53ac9530adb63 +83c72dbf562dc4d0fea4e492f09eb1 +74548381a8686db3aeaaa3a9960cff +25e8c64701115da54fa7a1fb2c566a +fcb4b2a63268d818c3391a62885d13 +41b3492c4f0167291b3d026a44e68c +02f2d4d255d4c0906b92a2ced0c0bb +f2bcdceaec1189895af4232dc386c9 +75bf3477e5a70d3ab0ac0e5dc37024 +0e34a276b155d5e290f77416a1986d +ec47f8c78236ac7df249df9ba21a80 +2e6bd75b4fb1c6ffe0f4cf548761a5 +6a1fcccee156523a718987f3fdaedc +7171c9050db89a83f24c5a283695b9 +c28de6d3b69fc1714b0add335a0ce6 +fbbdbd0bbdb01e44969d775105bba3 +d2947dca2f291250f9b851e76f514d +dc5a3aa4498e6521314991568860eb +ff1258d8b4aee9ee4159153684c0c0 +16c60b17537a50b53cd59aad60678b +d73f0714ab4ccae7416bab417b4907 +36d59b2e9f + +I used echo `echo "" ` | sed "s/ //g" +to get everything in one line, put that again +into the clipboard and +then start sage, type N=0x + +sage: N=0x00890d9fd57e81b5ed43283d0ea0204a1229333d6fb9c37a179375b09c4f7b5b1cf2eb025979b6d90b709928a06725e04caf2b0f7fe94afbdf9f3fa566f1ba75c2f6dc488039f410eb5fa8ab152b8cfdb76791bb853059438edfae56bc70a32a9f3e2d883e8b751d083797999dc81a9c4d6bdb3a75362fd1d9c497cf5028dfcdd4cc3eb318e79fc0db45cbeed955da8a447f0872dee565bde4013340e767731441fae4fa5451356bfbc84e1271b39f111f5f8ef3a6c8973765b39addef80306194f4ea89fdfc8e9744866323f6936de89b2fe2741578b8eb3c41676702fabc50ecc376e6b7b6e7f94e7d7b5c1bab3c9f23bb0c8f04d8aca64c309fc063c406553e1c1421cc45060df7f48c49f5c5b459d572e273402d6a3ff008657fe91936714d1823c5cad53d80630b32169bf70feb2ebc1af6a35ee0bf059aed49c4e367d567e130e2846859b271fda8949b182e050819866b8e762ed29ffb3f7ca14cebfc2488662be4b3980fc8d31890a05f38ae9690cc7d9d3efc4808e03da104a8c28bb480bb814995a6e8b8978ab8350d90b3894e3abf7dc4ad0956335752c8d6944b38a1715e7d9950f49e6cdba171fbe651a2ca2665a7c70b6e8cf3a02c2f93dad8aa9506481cdb032d04082a5a6c6a733b6520fa80e2ef57b9cf858ca5ea11e084bc31a386fc6b099f069786207f80d61f2bef294400d59394ad1006431366a54ae09b0ecd3377dcd8af8fde9b94fd559b0b7adc5113ba66fc4b3dc842ee562cfcfd39b4ffc31576635873fc59535b7aa98605772436c251834e234fb2347cc970a49818cac2a9ee95ebb55fa2da66edd53e11245c6732140aae41491288cbf462eef8a807b46d0daffa38d9ccfe8033d2d4a3cf5c5b829df12183f7a05d3650153cd317a017083ac641c2c3ad11305de0a032be45c439bd7bbbe3cb97850f9d2c66f72a4a66e9d434544fc6d294ca3c92627be518bfa44e3017ac8ad9c0a26a227d2e8677da0a4de8edb53ac9530adb6383c72dbf562dc4d0fea4e492f09eb174548381a8686db3aeaaa3a9960cff25e8c64701115da54fa7a1fb2c566afcb4b2a63268d818c3391a62885d1341b3492c4f0167291b3d026a44e68c02f2d4d255d4c0906b92a2ced0c0bbf2bcdceaec1189895af4232dc386c975bf3477e5a70d3ab0ac0e5dc370240e34a276b155d5e290f77416a1986dec47f8c78236ac7df249df9ba21a802e6bd75b4fb1c6ffe0f4cf548761a56a1fcccee156523a718987f3fdaedc7171c9050db89a83f24c5a283695b9c28de6d3b69fc1714b0add335a0ce6fbbdbd0bbdb01e44969d775105bba3d2947dca2f291250f9b851e76f514ddc5a3aa4498e6521314991568860ebff1258d8b4aee9ee4159153684c0c016c60b17537a50b53cd59aad60678bd73f0714ab4ccae7416bab417b490736d59b2e9f + +likewise for prime1 (P), prime2 (Q) and +privateExponent (D) and publicExponent (E) + +sage: P=0x00c6d6eb9c0f93f8b8de74b2799798c1c1ed47549426a0d76af61f04f0b455184acfeec354c1703709e8727ea0213001738e395b5ca5ed4deec30f8b1ae0e54a516777c5ae897a5562e77dfe378dbba32ee30bcdb275ab7f87f8b9af02712d371a6aa671b44e0f667a6f2d406e5099d942f592ff5c517d452d58cf3f51120062a878fb77066650275b897caf078a5353f1d714963ff90818b6b87c6db438681b4b315c4fd256c1bd383fcf8e67b49a3ee077373a66d77e4c02eebe9350478a51cdfa395d60d905c1189ed7041373f1609075faf9d9f39d3d7b0e7fc8b1d36cb8c5c48731ef5cd87e11f480cdfa4b3ee6cf7eebd3e13f4244647396d52030b82c39d69a3a4075ee90531d1ddb5f1284dc7ab09a3892de5c0ddeed115c7c9ee5fc008658830b0e6f7f366a72f215192498474ade046fc10e92591dfa133e4beff98758e0e92c05f999504a486e3f71c15b73adf7fe0d311f0d0dc1a8e2aff92572475a92e60f970174c80c4948a0cb86635cb438519b18c260ff9f212925e684ef151cc91fa1c4c8dbbc337c9b46f9a93c88cce49e49a670762186e8858051f93ebff7b0b50caadd9b32f93e396b5a6d1cd7f77b2e50e83fae5f3928433268f6cc28810071ce334025a24c7ebf92e631df0d26e99923018946de4ea5e30e868c33ea3d408d8c58815ecf9892fa3afa5f6fbef9a1dfda2da51b6f01f3dae588bdf17b +sage: Q=0x00b073b35a3bba0954b242961630e8e0af8d3ea8aad80d55669e9e79c388983363d96fe471205743001b4798b81de1be3fb06353fd0c9c4fd43f91f9cb2162b00583cc94ff791a615348d01977ca05f4796d5bff41d94dda1cb3ef2433ff4f6500d15ab290a14e651efa91b7df5d5e50f8356188d9842dcdd67c89eb7d40baa78f045969b804f7a985d35a8a8ac32715cb212a34fb89e85e538275e53663fe675944d2b5dba77b7b7abfacd8fbddee4427db6460b728952af882992750c2542d2122247d7f431ec2fe64c0311b0de5290eb619c6ab476308d59f3efff7255d07ebb51fe64ac5967c0b79bae07d36283cf768c8eee2054349cefe90876da66a52e9e0ff20cc00a40fb0c69524e7a01e5c2f07239831a0fa2f56ad405b3a25537907d990e8f5a3e4f3df99dda6afc30d4565aa5881f64adcc6f6be4077893c7e7710623e6158359c3facfef5036779903065fd0d0a2ed8bf2e53a46758dbff06284670bf10bd2e13cba4323ce50fa43df373bd0940011c424f41c5035a10b8095f420ddb67189f6dad62f1257b0f46e353a90eacc145c7db74998a5d0d8772ba1286eb582504465290171e4db87f2e89564214a2317953a7307b1b4c8dad5920866087d7ae80845478813bdf5f6740d0f3b975a344272804b036e4fef09e91d60d1a730fda2f5c222f7636bbe252f9a6caa86d5e8be7e7db2cf912817a0898a4742d +sage: D=0x3b900240c4a416aeb09b123e02f5457bb31023c9249081c5313edaac741686388492020964ce4471a653c9c63c4dc7b74c0188d0ec50bc3a29797da6c9b3616e83dea45ba5d41e6e4cba7eefca6791f45d3c86a491a899a5c42c7e61930a3681d281f34e4b49707e9bba74f68f7a91274c92904b546b5fe6267c5b8ad8d8bb199a523d7fbb5a40748b56dfccf074f3d664e705153dd903b7cd95bac556be3ab59a165d7cbb765e21a4a1d97e34b412baf1caacb57543d2bd8e5ae5cd2a86dc41e256f3f5c0073052859d1c8a12f4973caa88de2e5eb2eef8d6ebdb66fe154d8e383cba74693753affaf4dbc8e2988c08f947b1f8473a7163775656448572c325250ad2cd75c9f5d42721b91ae8fb427773605afa2f4297daf7ab34f5d71144185f3f5cbc94041081fae19fd5d47fc49421080edc5d658b5f223fb1e9b172f4da1a92263fa922225d4c0231e35d94d276fcb0e0999f5f26068528c83f49b0dd79fb157c49fe8b3d80e7cd2b3da76478ebd2ae2c8164583bee2f96591e2f41ad799ae0e2855a5699996fb2c7efb69f86874bca58628e512d579b247e43ee8db04b424e84e44cf753f86e12dd8d2e0ea0b800e6c313317c14658993b8e04c7fb5de1cba0829123dc518957be2a46f76f8ff305fee17b2310bfdd66a93c8b050451f8ceb26c518b7abb72faf08fca0bf6df8a80de511ffc00dc350cd87e52c9cf5771892300e420929da698b6b973da849c89410f089e9b39de79fc1a01a27d2f879ce5cd80ca0a3899d9f480c68d7a5f8c8b3c74936b19f0c7174987df437658046adaffdaddc3540be7fc06a1d2290f58ad9a2992d32e9ecbadf2eed961b4e68c8a89a5709a334082ad297348c4c31c54a3dadccb93afaa9f1786c4167021d4a16dd78afb41131bdd651357bd44f42cfee5d03fdfae087255d18a6a41c03aa6408b6097d8a6848cbbf05a7f20207d5673ea5e6dc849d5d3009c6e8a6c41285cd64f71b536d8345d61f404079278facde0d6e2264cbe655e877468bd3e76380d91f282f26ae17e41a1bac76c148c4c75dd22656816ab259e2c79920e27e6bcfa83732ac6e0a245dcd9cc82f69e45019cf53ac39bebca3ddea0f55ef97b6d8f7b7eadaae792fb1b55c73cf2ed644e651a22c60ed9c0bb063c50fadda6beccbf6c88c41ef1546bab5f21dbe4fbeeb11f3c5c40fa1cc3df2c11bfe7910d1d36a5ec6e66462c7e216481008931039299d23f2be4d838fb010b661a8541a8b7f7bf7d6c8032895e82133e24c835e5a3491249ec69f28e22cf9b0fab9be9ea17026fbadd470eee4676d7ac79976a1c6807e89b5dabab815ffa076caeaeb53f505a31129dac1e9f0b5d919f17aced63574c8524000022b6bc6cb9c8d6a06e44c72e055a1e2706e736af241ab3084fa56cf942aa139440f74e230be31cd8dd4bf0cbdd657f1 +sage: E=0x10001 + +check: +sage: is_pseudoprime(P) +True +sage: gcd(N,P) +811194519730394220204949383061971492284209477134487451053533919242408334468793875483685418435472924384137737409878754330061341487239404629370463160720071782806016579636145456953095810661706004899017496722730291178259805745059054744795252171022091469940626116746608128441399036310378334222880519662696558703165249434265697658704322903051581598088400258377253583825209022558177374913570364047051007093402547387492492645729748176160840842076964161794363721255756097675823463557162877865622894488049720201680509519072521257128596878592149455958732762099800396648453225220977153025222265023206761554302369499402146842619059859650958489842850140873473393484632985863967898676228674751576699965523367097641503814266418957281198265955430221973482931544501209059788536033857660452959160612655542331433647351037413298986228798018950712662579341162832440884265576141868775326408627532047094505284395403786932363148262901839514736964209136867574532808481484592060405175685831168554790879720280778881035860464184791941816702480873202940903024652495084770128062224279875598826600084633389722629461385386069921483006677287847102371176994910369378323222717613076771700378608286670543729473076010314569999636269167049088093674649352610884381826740603 +sage: N%P +0 + +>> P seems to be a prime, and is indeed a factor of N. + +sage: is_pseudoprime(Q) +False +sage: gcd(N,Q) +1 +sage: ecm(Q) +Found composite factor of 3 digits: 675 +Composite cofactor ... has 1231 digits. +Q has a small factor. The large cofactor +is way too large to be factorized (today). + +>> Q must be wrong. + +sage: pow(pow(2,E,N),D,N) +2 +sage: pow(pow(3,E,N),D,N) +3 +sage: pow(pow(5,E,N),D,N) +5 +sage: pow(pow(7,E,N),D,N) +7 +sage: pow(pow(11,E,N),D,N) +11 +sage: pow(pow(1000,E,N),D,N) +1000 + +>> x^D mod N is indeed the inverse of x^E mod N +>> D seems to be correct. + +>> now compute +sage: Qcorrect = N/P +sage: is_prime(Qcorrect) +False +sage: is_pseudoprime(Qcorrect) +True + +>> surprise, this is a sage artefact. +>> is_prime is supposed to tell if Qcorrect +>> is a provable prime, but these numbers are +>> too large for a proof. + +sage: help(Qcorrect) +class Rational +... + +>> oops, it is of course not a rational number. + +sage: Qcorrect = Integer(N/P) +class Integer +... + +>> okay now it is an integer. + +sage: is_prime(Qcorrect) +>> takes way too long: press CTRL-C +sage: is_pseudoprime(Qcorrect) +True + +>> so the correct Q seems to be a prime. + +sage: Q-Qcorrect +4468358315186607582623830645994123175323958284313904132666602205502546750542721902065776801908141680869902222733839989940221831332787838985874881107673910358472026239723185949529735314601712865712198736991916521419325287976337589177915143787138292689484229106140251936135768934015263941567159094923493376 +sage: hex(Q-Qcorrect) +'1a10400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' + +>> interesting, now figure out the bits that are flipped in Q: + +Q ...20ddb67189f6dad... +Qcorrect ...20dd9c6149f6dad... + +$ openssl rsa -in rsa8192.pem -outform der -out rsa8192.der +writing RSA key +$ xxd -ps < rsa8192.der > rsa8192.hex +$ sed "s/20ddb67189f6dad/20dd9c6149f6dad/" < rsa8192.hex > rsa8192.out +$ diff rsa8192.hex rsa8192.out +100c100 +< 10b8095f420ddb67189f6dad62f1257b0f46e353a90eacc145c7db74998a +--- +> 10b8095f420dd9c6149f6dad62f1257b0f46e353a90eacc145c7db74998a + +>> et voila + +$ xxd -ps -r < rsa8192.out > rsa8192.der +$ openssl rsa -inform der -in rsa8192.der -out rsa8192.pem +writing RSA key +$ openssl rsa -check -noout -in rsa8192.pem +RSA key ok +#$ git diff +#diff --git a/apps/rsa8192.pem b/apps/rsa8192.pem +#index 946a6e5..83d962f 100644 +#--- a/apps/rsa8192.pem +#+++ b/apps/rsa8192.pem +#@@ -1,5 +1,4 @@ +# -----BEGIN RSA PRIVATE KEY----- +#- +# MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ +# ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF +# MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY +#@@ -62,7 +61,7 @@ JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo +# yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ +# kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9 +# DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN +#-22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU +#+2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU +# ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz +# D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP +# PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8 +#@@ -98,4 +97,3 @@ TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c +# rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv +# I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8= +# -----END RSA PRIVATE KEY----- +#- + +>> DONE. + +Fixes #11776 + +Reviewed-by: Paul Dale +Reviewed-by: Matthias St. Pierre +(Merged from https://github.com/openssl/openssl/pull/11783) + +(cherry picked from commit 7ef43790617cb08b4bb4141df716dfb37385fe5c) +--- + apps/rsa8192.pem | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/apps/rsa8192.pem b/apps/rsa8192.pem +index 946a6e5..83d962f 100644 +--- a/apps/rsa8192.pem ++++ b/apps/rsa8192.pem +@@ -1,5 +1,4 @@ + -----BEGIN RSA PRIVATE KEY----- +- + MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ + ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF + MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY +@@ -62,7 +61,7 @@ JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo + yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ + kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9 + DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN +-22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU ++2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU + ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz + D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP + PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8 +@@ -98,4 +97,3 @@ TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c + rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv + I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8= + -----END RSA PRIVATE KEY----- +- +-- +1.8.3.1 + diff --git a/Fix-the-error-handling-in-EC_POINTs_mul.patch b/Fix-the-error-handling-in-EC_POINTs_mul.patch new file mode 100644 index 0000000..0e1cd7b --- /dev/null +++ b/Fix-the-error-handling-in-EC_POINTs_mul.patch @@ -0,0 +1,49 @@ +From 5dc91f44a90b72f5c0a79ab9a19d0f2fa0bbac1f Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Mon, 6 Apr 2020 10:41:36 +0200 +Subject: [PATCH 010/217] Fix the error handling in EC_POINTs_mul + +This was pointed out by a false-positive +-fsanitizer warning ;-) + +However from the cryptographical POV the +code is wrong: +A point R^0 on the wrong curve +is infinity on the wrong curve. + +[extended tests] + +Reviewed-by: Nicola Tuveri +(Merged from https://github.com/openssl/openssl/pull/11475) + +(cherry picked from commit 1eb9b54af7e00fa12196411964ce742ea8677766) +--- + crypto/ec/ec_lib.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index 3554ada..22b00e2 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, + size_t i = 0; + BN_CTX *new_ctx = NULL; + +- if ((scalar == NULL) && (num == 0)) { +- return EC_POINT_set_to_infinity(group, r); +- } +- + if (!ec_point_is_compat(r, group)) { + ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); + return 0; + } ++ ++ if (scalar == NULL && num == 0) ++ return EC_POINT_set_to_infinity(group, r); ++ + for (i = 0; i < num; i++) { + if (!ec_point_is_compat(points[i], group)) { + ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); +-- +1.8.3.1 + diff --git a/Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch b/Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch new file mode 100644 index 0000000..224ec3c --- /dev/null +++ b/Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch @@ -0,0 +1,40 @@ +From 7d66cb360c448361654a8ffff73e790c474ba302 Mon Sep 17 00:00:00 2001 +From: Arne Schwabe +Date: Thu, 23 Apr 2020 12:42:51 +0200 +Subject: [PATCH 035/217] Fix type cast in SSL_CTX_set1_groups macro + +The macro casts the glist parameter to char* +instead of (int *) like the documentation of the function suggest. + +Also the function tls1_set_groups that is called from SSL_CTX_ctrl +takes an int * argument. This looks like a copy&paste error from +SSL_CTX_set1_groups_list function. + +CLA: trivial +Signed-off-by: Arne Schwabe + +Reviewed-by: Ben Kaduk +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11614) + +(cherry picked from commit 7ffce852372799b6cd856b711db21332f0048314) +--- + include/openssl/ssl.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h +index 6724ccf..b2cd11f 100644 +--- a/include/openssl/ssl.h ++++ b/include/openssl/ssl.h +@@ -1393,7 +1393,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) + # define SSL_get1_groups(s, glist) \ + SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist)) + # define SSL_CTX_set1_groups(ctx, glist, glistlen) \ +- SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist)) ++ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(int *)(glist)) + # define SSL_CTX_set1_groups_list(ctx, s) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s)) + # define SSL_set1_groups(s, glist, glistlen) \ +-- +1.8.3.1 + diff --git a/Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch b/Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch new file mode 100644 index 0000000..cb6526f --- /dev/null +++ b/Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch @@ -0,0 +1,35 @@ +From d07e8b0ae66e96cda9c803de36e977fb7dfe941a Mon Sep 17 00:00:00 2001 +From: "Dr. Matthias St. Pierre" +Date: Wed, 6 May 2020 17:24:13 +0200 +Subject: [PATCH 044/217] Fix use-after-free in BIO_C_SET_SSL callback + +Since the BIO_SSL structure was renewed by `ssl_free(b)/ssl_new(b)`, +the `bs` pointer needs to be updated before assigning to `bs->ssl`. + +Thanks to @suishixingkong for reporting the issue and providing a fix. + +Closes #10539 + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11746) + +(cherry picked from commit 73d6b4efe6835a6c97ce61df6bf339b0903e5b7a) +--- + ssl/bio_ssl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c +index ab9e666..efa23bf 100644 +--- a/ssl/bio_ssl.c ++++ b/ssl/bio_ssl.c +@@ -284,6 +284,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) + ssl_free(b); + if (!ssl_new(b)) + return 0; ++ bs = BIO_get_data(b); + } + BIO_set_shutdown(b, num); + ssl = (SSL *)ptr; +-- +1.8.3.1 + diff --git a/Fix-wrong-return-value-check-of-mmap-function.patch b/Fix-wrong-return-value-check-of-mmap-function.patch new file mode 100644 index 0000000..460d76f --- /dev/null +++ b/Fix-wrong-return-value-check-of-mmap-function.patch @@ -0,0 +1,34 @@ +From b295a4dca17f00d412043b74393b86a16655fac0 Mon Sep 17 00:00:00 2001 +From: Tristan Bauer <67098820+trisbauer@users.noreply.github.com> +Date: Thu, 18 Jun 2020 11:45:24 +0200 +Subject: [PATCH 028/147] Fix wrong return value check of mmap function + +The mmap function never returns NULL. If an error occurs, the function returns MAP_FAILED. + +CLA: trivial + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/12187) + +(cherry picked from commit 1d78129dd205e3e85083a91c33540a70c51b0a23) +--- + crypto/mem_sec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c +index 9e0f670..8bcb050 100644 +--- a/crypto/mem_sec.c ++++ b/crypto/mem_sec.c +@@ -502,7 +502,7 @@ static void sh_done(void) + OPENSSL_free(sh.freelist); + OPENSSL_free(sh.bittable); + OPENSSL_free(sh.bitmalloc); +- if (sh.map_result != NULL && sh.map_size) ++ if (sh.map_result != MAP_FAILED && sh.map_size) + munmap(sh.map_result, sh.map_size); + memset(&sh, 0, sizeof(sh)); + } +-- +1.8.3.1 + diff --git a/Free-pre_proc_exts-in-SSL_free.patch b/Free-pre_proc_exts-in-SSL_free.patch new file mode 100644 index 0000000..a5b4fea --- /dev/null +++ b/Free-pre_proc_exts-in-SSL_free.patch @@ -0,0 +1,39 @@ +From bfbf06c4d29086f1c67ed38324a2c4a9f642d291 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mi=C5=82osz=20Kaniewski?= +Date: Tue, 30 Jun 2020 21:46:38 +0200 +Subject: [PATCH 038/147] Free pre_proc_exts in SSL_free() + +Usually it will be freed in tls_early_post_process_client_hello(). +However if a ClientHello callback will be used and will return +SSL_CLIENT_HELLO_RETRY then tls_early_post_process_client_hello() +may never come to the point where pre_proc_exts is freed. + +Fixes #12194 + +CLA: trivial + +Reviewed-by: Paul Dale +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/12330) + +(cherry picked from commit 94941cada25433a7dca35b5b9f8cbb751ab65ab3) +--- + ssl/ssl_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index f6a4964..433a537 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -1200,6 +1200,8 @@ void SSL_free(SSL *s) + OPENSSL_free(s->ext.ocsp.resp); + OPENSSL_free(s->ext.alpn); + OPENSSL_free(s->ext.tls13_cookie); ++ if (s->clienthello != NULL) ++ OPENSSL_free(s->clienthello->pre_proc_exts); + OPENSSL_free(s->clienthello); + OPENSSL_free(s->pha_context); + EVP_MD_CTX_free(s->pha_dgst); +-- +1.8.3.1 + diff --git a/Integer-overflow-in-ASN1_STRING_set.patch b/Integer-overflow-in-ASN1_STRING_set.patch new file mode 100644 index 0000000..3055155 --- /dev/null +++ b/Integer-overflow-in-ASN1_STRING_set.patch @@ -0,0 +1,57 @@ +From 163897267fab6d29dff1a4bf8247f8e02e158be8 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Mon, 6 Apr 2020 09:23:00 +1000 +Subject: [PATCH 012/217] Integer overflow in ASN1_STRING_set. + +Addressing a potential integer overflow condition. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11473) + +(cherry picked from commit 96218269f4c2da82f143727fb7697d572c190bc5) +--- + crypto/asn1/asn1_lib.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c +index a7d32ae..5cd0e16 100644 +--- a/crypto/asn1/asn1_lib.c ++++ b/crypto/asn1/asn1_lib.c +@@ -268,18 +268,29 @@ ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str) + return ret; + } + +-int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len) ++int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in) + { + unsigned char *c; + const char *data = _data; ++ size_t len; + +- if (len < 0) { ++ if (len_in < 0) { + if (data == NULL) + return 0; +- else +- len = strlen(data); ++ len = strlen(data); ++ } else { ++ len = (size_t)len_in; ++ } ++ /* ++ * Verify that the length fits within an integer for assignment to ++ * str->length below. The additional 1 is subtracted to allow for the ++ * '\0' terminator even though this isn't strictly necessary. ++ */ ++ if (len > INT_MAX - 1) { ++ ASN1err(0, ASN1_R_TOO_LARGE); ++ return 0; + } +- if ((str->length <= len) || (str->data == NULL)) { ++ if ((size_t)str->length <= len || str->data == NULL) { + c = str->data; + str->data = OPENSSL_realloc(c, len + 1); + if (str->data == NULL) { +-- +1.8.3.1 + diff --git a/Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch b/Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch new file mode 100644 index 0000000..ad2a0c4 --- /dev/null +++ b/Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch @@ -0,0 +1,41 @@ +From ec5aad1ca26599bcaddc3a03708fb925b21f3b6c Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Thu, 28 May 2020 19:03:37 +0200 +Subject: [PATCH 005/147] Make BIO_do_connect() and friends handle multiple IP + addresses + +Backport of #11971 + +Reviewed-by: Tomas Mraz +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/11989) +--- + crypto/bio/bss_conn.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c +index dd43a40..f4c6b85 100644 +--- a/crypto/bio/bss_conn.c ++++ b/crypto/bio/bss_conn.c +@@ -186,8 +186,17 @@ static int conn_state(BIO *b, BIO_CONNECT *c) + + case BIO_CONN_S_BLOCKED_CONNECT: + i = BIO_sock_error(b->num); +- if (i) { ++ if (i != 0) { + BIO_clear_retry_flags(b); ++ if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter)) != NULL) { ++ /* ++ * if there are more addresses to try, do that first ++ */ ++ BIO_closesocket(b->num); ++ c->state = BIO_CONN_S_CREATE_SOCKET; ++ ERR_clear_error(); ++ break; ++ } + SYSerr(SYS_F_CONNECT, i); + ERR_add_error_data(4, + "hostname=", c->param_hostname, +-- +1.8.3.1 + diff --git a/Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch b/Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch new file mode 100644 index 0000000..bf113f5 --- /dev/null +++ b/Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch @@ -0,0 +1,65 @@ +From 7844f3c784bfc93c9b94ae5a4082f9d01e82e0af Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 14 Oct 2020 15:13:28 +0100 +Subject: [PATCH 083/147] Pass an EVP_PKEY for SSL_SECOP_TMP_DH in the security + callback + +The security operation SSL_SECOP_TMP_DH is defined to take an EVP_PKEY +in the "other" parameter: + + /* Temporary DH key */ + # define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY) + +In most places this is what is passed. All these places occur server side. +However there is one client side call of this security operation and it +passes a DH object instead. This is incorrect according to the +definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other +locations. + +Our own default security callback, and the debug callback in the apps, +never look at this value and therefore this issue was never noticed +previously. In theory a client side application could be relying on this +behaviour and could be broken by this change. This is probably fairly +unlikely but can't be ruled out. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +Reviewed-by: Ben Kaduk +(Merged from https://github.com/openssl/openssl/pull/13136) +--- + ssl/statem/statem_clnt.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c +index 64e392c..3bf8aac 100644 +--- a/ssl/statem/statem_clnt.c ++++ b/ssl/statem/statem_clnt.c +@@ -2145,18 +2145,19 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) + } + bnpub_key = NULL; + +- if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) { +- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, +- SSL_R_DH_KEY_TOO_SMALL); +- goto err; +- } +- + if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, + ERR_R_EVP_LIB); + goto err; + } + ++ if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp), ++ 0, peer_tmp)) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, ++ SSL_R_DH_KEY_TOO_SMALL); ++ goto err; ++ } ++ + s->s3->peer_tmp = peer_tmp; + + /* +-- +1.8.3.1 + diff --git a/Prevent-use-after-free-of-global_engine_lock.patch b/Prevent-use-after-free-of-global_engine_lock.patch new file mode 100644 index 0000000..f6f0c29 --- /dev/null +++ b/Prevent-use-after-free-of-global_engine_lock.patch @@ -0,0 +1,35 @@ +From e512efe0894481679a5d3c57d10bf4ea97046c2a Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 21 May 2020 13:16:57 +0200 +Subject: [PATCH 064/217] Prevent use after free of global_engine_lock + +If buggy application calls engine functions after cleanup of engines +already happened the global_engine_lock will be used although +already freed. + +See for example: +https://bugzilla.redhat.com/show_bug.cgi?id=1831086 + +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/11896) + +(cherry picked from commit e12813d0d31f4f7be2ccc592d382ef3e94bdb842) +--- + crypto/engine/eng_lib.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c +index b851ff6..dd87eba 100644 +--- a/crypto/engine/eng_lib.c ++++ b/crypto/engine/eng_lib.c +@@ -171,6 +171,7 @@ void engine_cleanup_int(void) + cleanup_stack = NULL; + } + CRYPTO_THREAD_lock_free(global_engine_lock); ++ global_engine_lock = NULL; + } + + /* Now the "ex_data" support */ +-- +1.8.3.1 + diff --git a/Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch b/Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch new file mode 100644 index 0000000..4be9c1c --- /dev/null +++ b/Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch @@ -0,0 +1,35 @@ +From 46fe1c7caee1442ead1f7c780e5c50045a00f76e Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Wed, 3 Jun 2020 21:38:20 +0200 +Subject: [PATCH 013/147] Replace BUF_strdup() call by OPENSSL_strdup() adding + failure check in bss_acpt.c + +Add OPENSSL_strdup failure check to cpt_ctrl() in bss_acpt.c + +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12036) +--- + crypto/bio/bss_acpt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c +index 5a2cb50..4461eae 100644 +--- a/crypto/bio/bss_acpt.c ++++ b/crypto/bio/bss_acpt.c +@@ -434,8 +434,10 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr) + b->init = 1; + } else if (num == 1) { + OPENSSL_free(data->param_serv); +- data->param_serv = BUF_strdup(ptr); +- b->init = 1; ++ if ((data->param_serv = OPENSSL_strdup(ptr)) == NULL) ++ ret = 0; ++ else ++ b->init = 1; + } else if (num == 2) { + data->bind_mode |= BIO_SOCK_NONBLOCK; + } else if (num == 3) { +-- +1.8.3.1 + diff --git a/Revert-the-check-for-NaN-in-f-format.patch b/Revert-the-check-for-NaN-in-f-format.patch new file mode 100644 index 0000000..12cd7c1 --- /dev/null +++ b/Revert-the-check-for-NaN-in-f-format.patch @@ -0,0 +1,90 @@ +From 3fc83feae0bc3fcfbb7cfc8a927bb4a888a7663b Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 31 May 2020 07:51:23 +0200 +Subject: [PATCH 006/147] Revert the check for NaN in %f format + +Unfortunately -Ofast seems to break that check. + +Fixes #11994 + +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/12003) + +(cherry picked from commit 41dccd68b9b9b7622b26d264c5fa190aa5bd4201) +--- + crypto/bio/b_print.c | 4 +--- + test/bioprinttest.c | 33 --------------------------------- + 2 files changed, 1 insertion(+), 36 deletions(-) + +diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c +index 48556f7..2f68fe7 100644 +--- a/crypto/bio/b_print.c ++++ b/crypto/bio/b_print.c +@@ -638,10 +638,8 @@ fmtfp(char **sbuffer, + /* + * By subtracting 65535 (2^16-1) we cancel the low order 15 bits + * of ULONG_MAX to avoid using imprecise floating point values. +- * The second condition is necessary to catch NaN values. + */ +- if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0 +- || !(ufvalue == ufvalue) /* NaN */) { ++ if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0) { + /* Number too big */ + return 0; + } +diff --git a/test/bioprinttest.c b/test/bioprinttest.c +index e37b854..e97de03 100644 +--- a/test/bioprinttest.c ++++ b/test/bioprinttest.c +@@ -241,48 +241,15 @@ static int test_fp(int i) + return r; + } + +-extern double zero_value; +-double zero_value = 0.0; +- + static int test_big(void) + { + char buf[80]; +- double d, z, inf, nan; + + /* Test excessively big number. Should fail */ + if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf), + "%f\n", 2 * (double)ULONG_MAX), -1)) + return 0; + +- d = 1.0; +- z = zero_value; +- inf = d / z; +- nan = z / z; +- +- /* +- * Test +/-inf, nan. Should fail. +- * Test +/-1.0, +/-0.0. Should work. +- */ +- if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", inf), -1) +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", -inf), -1) +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", nan), -1) +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", d), 8) +- || !TEST_str_eq(buf, "1.000000") +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", z), 8) +- || !TEST_str_eq(buf, "0.000000") +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", -d), 9) +- || !TEST_str_eq(buf, "-1.000000") +- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), +- "%f", -z), 8) +- || !TEST_str_eq(buf, "0.000000")) +- return 0; +- + return 1; + } + +-- +1.8.3.1 + diff --git a/Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch b/Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch new file mode 100644 index 0000000..954f4f7 --- /dev/null +++ b/Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch @@ -0,0 +1,96 @@ +From 56e8fe0b4efbf582e40ae91319727c9d176c5e1e Mon Sep 17 00:00:00 2001 +From: Norman Ashley +Date: Fri, 10 Jul 2020 19:01:32 -0400 +Subject: [PATCH 071/147] Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP + sign + +OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK. +If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail +because the X509_check_private_key() can fail. + +The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c +as a common place to check. Checks in ssl_rsa.c were removed. + +Reviewed-by: Matt Caswell +Reviewed-by: Tim Hudson +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12419) +--- + crypto/rsa/rsa_ameth.c | 9 +++++++++ + ssl/ssl_rsa.c | 26 -------------------------- + 2 files changed, 9 insertions(+), 26 deletions(-) + +diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c +index 6692a51..cc686fc 100644 +--- a/crypto/rsa/rsa_ameth.c ++++ b/crypto/rsa/rsa_ameth.c +@@ -118,6 +118,15 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) + + static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) + { ++ /* ++ * Don't check the public/private key, this is mostly for smart ++ * cards. ++ */ ++ if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ++ || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) { ++ return 1; ++ } ++ + if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 + || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) + return 0; +diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c +index b969352..51abd27 100644 +--- a/ssl/ssl_rsa.c ++++ b/ssl/ssl_rsa.c +@@ -148,15 +148,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) + EVP_PKEY_copy_parameters(pktmp, pkey); + ERR_clear_error(); + +-#ifndef OPENSSL_NO_RSA +- /* +- * Don't check the public/private key, this is mostly for smart +- * cards. +- */ +- if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA +- && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ; +- else +-#endif + if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { + X509_free(c->pkeys[i].x509); + c->pkeys[i].x509 = NULL; +@@ -342,16 +333,6 @@ static int ssl_set_cert(CERT *c, X509 *x) + EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); + ERR_clear_error(); + +-#ifndef OPENSSL_NO_RSA +- /* +- * Don't check the public/private key, this is mostly for smart +- * cards. +- */ +- if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA +- && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) & +- RSA_METHOD_FLAG_NO_CHECK) ; +- else +-#endif /* OPENSSL_NO_RSA */ + if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { + /* + * don't fail for a cert/key mismatch, just free current private +@@ -1082,13 +1063,6 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr + EVP_PKEY_copy_parameters(pubkey, privatekey); + } /* else both have parameters */ + +- /* Copied from ssl_set_cert/pkey */ +-#ifndef OPENSSL_NO_RSA +- if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) && +- ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK))) +- /* no-op */ ; +- else +-#endif + /* check that key <-> cert match */ + if (EVP_PKEY_cmp(pubkey, privatekey) != 1) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH); +-- +1.8.3.1 + diff --git a/Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch b/Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch new file mode 100644 index 0000000..5347b15 --- /dev/null +++ b/Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch @@ -0,0 +1,151 @@ +From 6b4b92d7f212caf4c525af4bf0c35fbbf5f38a3b Mon Sep 17 00:00:00 2001 +From: raja-ashok +Date: Sun, 10 May 2020 22:47:00 +0530 +Subject: [PATCH 053/217] Test TLSv1.3 out-of-band PSK with all 5 ciphersuites + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11809) +--- + test/sslapitest.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 109 insertions(+), 1 deletion(-) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index b3cd30d..62d22e8 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -2129,8 +2129,11 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, + #define MSG6 "test" + #define MSG7 "message." + +-#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") + #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") ++#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") ++#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03") ++#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04") ++#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05") + + + static SSL_SESSION *create_a_psk(SSL *ssl) +@@ -3059,6 +3062,110 @@ static int test_early_data_psk(int idx) + } + + /* ++ * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites ++ * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256 ++ * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384 ++ * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256, ++ * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256 ++ * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256 ++ */ ++static int test_early_data_psk_with_all_ciphers(int idx) ++{ ++ SSL_CTX *cctx = NULL, *sctx = NULL; ++ SSL *clientssl = NULL, *serverssl = NULL; ++ int testresult = 0; ++ SSL_SESSION *sess = NULL; ++ unsigned char buf[20]; ++ size_t readbytes, written; ++ const SSL_CIPHER *cipher; ++ const char *cipher_str[] = { ++ TLS1_3_RFC_AES_128_GCM_SHA256, ++ TLS1_3_RFC_AES_256_GCM_SHA384, ++# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) ++ TLS1_3_RFC_CHACHA20_POLY1305_SHA256, ++# else ++ NULL, ++# endif ++ TLS1_3_RFC_AES_128_CCM_SHA256, ++ TLS1_3_RFC_AES_128_CCM_8_SHA256 ++ }; ++ const unsigned char *cipher_bytes[] = { ++ TLS13_AES_128_GCM_SHA256_BYTES, ++ TLS13_AES_256_GCM_SHA384_BYTES, ++# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) ++ TLS13_CHACHA20_POLY1305_SHA256_BYTES, ++# else ++ NULL, ++# endif ++ TLS13_AES_128_CCM_SHA256_BYTES, ++ TLS13_AES_128_CCM_8_SHA256_BYTES ++ }; ++ ++ if (cipher_str[idx] == NULL) ++ return 1; ++ ++ /* We always set this up with a final parameter of "2" for PSK */ ++ if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, ++ &serverssl, &sess, 2))) ++ goto end; ++ ++ if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx])) ++ || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx]))) ++ goto end; ++ ++ /* ++ * 'setupearly_data_test' creates only one instance of SSL_SESSION ++ * and assigns to both client and server with incremented reference ++ * and the same instance is updated in 'sess'. ++ * So updating ciphersuite in 'sess' which will get reflected in ++ * PSK handshake using psk use sess and find sess cb. ++ */ ++ cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]); ++ if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))) ++ goto end; ++ ++ SSL_set_connect_state(clientssl); ++ if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), ++ &written))) ++ goto end; ++ ++ if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), ++ &readbytes), ++ SSL_READ_EARLY_DATA_SUCCESS) ++ || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)) ++ || !TEST_int_eq(SSL_get_early_data_status(serverssl), ++ SSL_EARLY_DATA_ACCEPTED) ++ || !TEST_int_eq(SSL_connect(clientssl), 1) ++ || !TEST_int_eq(SSL_accept(serverssl), 1)) ++ goto end; ++ ++ /* Send some normal data from client to server */ ++ if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) ++ || !TEST_size_t_eq(written, strlen(MSG2))) ++ goto end; ++ ++ if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)) ++ || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2))) ++ goto end; ++ ++ testresult = 1; ++ end: ++ SSL_SESSION_free(sess); ++ SSL_SESSION_free(clientpsk); ++ SSL_SESSION_free(serverpsk); ++ clientpsk = serverpsk = NULL; ++ if (clientssl != NULL) ++ SSL_shutdown(clientssl); ++ if (serverssl != NULL) ++ SSL_shutdown(serverssl); ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ return testresult; ++} ++ ++/* + * Test that a server that doesn't try to read early data can handle a + * client sending some. + */ +@@ -6549,6 +6656,7 @@ int setup_tests(void) + ADD_ALL_TESTS(test_early_data_skip_abort, 3); + ADD_ALL_TESTS(test_early_data_not_sent, 3); + ADD_ALL_TESTS(test_early_data_psk, 8); ++ ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5); + ADD_ALL_TESTS(test_early_data_not_expected, 3); + # ifndef OPENSSL_NO_TLS1_2 + ADD_ALL_TESTS(test_early_data_tls1_2, 3); +-- +1.8.3.1 + diff --git a/Update-EVP_EncodeInit.pod.patch b/Update-EVP_EncodeInit.pod.patch new file mode 100644 index 0000000..cef5f09 --- /dev/null +++ b/Update-EVP_EncodeInit.pod.patch @@ -0,0 +1,36 @@ +From 7a989af7386e97add7c759fda688c5d2e79e812e Mon Sep 17 00:00:00 2001 +From: Read Hughes +Date: Thu, 23 Jul 2020 10:25:28 -0400 +Subject: [PATCH 057/147] Update EVP_EncodeInit.pod + +Fix EVP_EncodeBlock description using incorrect parameter name for encoding length + +CLA: trivial + +Reviewed-by: Matt Caswell +Reviewed-by: Dmitry Belyavskiy +(Merged from https://github.com/openssl/openssl/pull/12518) + +(cherry picked from commit 1660c8fa6be2d7c4587e490c88a44a870e9b4298) +--- + doc/man3/EVP_EncodeInit.pod | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/man3/EVP_EncodeInit.pod b/doc/man3/EVP_EncodeInit.pod +index 8055b10..2589254 100644 +--- a/doc/man3/EVP_EncodeInit.pod ++++ b/doc/man3/EVP_EncodeInit.pod +@@ -83,8 +83,8 @@ EVP_ENCODE_CTX_num() will return the number of as yet unprocessed bytes still to + be encoded or decoded that are pending in the B object. + + EVP_EncodeBlock() encodes a full block of input data in B and of length +-B and stores it in B. For every 3 bytes of input provided 4 bytes of +-output data will be produced. If B is not divisible by 3 then the block is ++B and stores it in B. For every 3 bytes of input provided 4 bytes of ++output data will be produced. If B is not divisible by 3 then the block is + encoded as a final block of data and the output is padded such that it is always + divisible by 4. Additionally a NUL terminator character will be added. For + example if 16 bytes of input data is provided then 24 bytes of encoded data is +-- +1.8.3.1 + diff --git a/Use-size-of-target-buffer-for-allocation.patch b/Use-size-of-target-buffer-for-allocation.patch new file mode 100644 index 0000000..cda3aa5 --- /dev/null +++ b/Use-size-of-target-buffer-for-allocation.patch @@ -0,0 +1,32 @@ +From ae9bcce2ab57d19119a85788eb48f8e8ba8ed3ee Mon Sep 17 00:00:00 2001 +From: Benny Baumann +Date: Fri, 2 Oct 2020 01:04:06 +0200 +Subject: [PATCH 078/147] Use size of target buffer for allocation + +Reviewed-by: Ben Kaduk +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Richard Levitte +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/13055) + +(cherry picked from commit 8ad369171fc2b435c0ca427111481da4d4c3c1ce) +--- + ssl/ssl_sess.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index 40c157b..423bb4d 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -107,7 +107,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) + { + SSL_SESSION *dest; + +- dest = OPENSSL_malloc(sizeof(*src)); ++ dest = OPENSSL_malloc(sizeof(*dest)); + if (dest == NULL) { + goto err; + } +-- +1.8.3.1 + diff --git a/Verification-zero-length-content-in-S-MIME-format.patch b/Verification-zero-length-content-in-S-MIME-format.patch new file mode 100644 index 0000000..3cdb58d --- /dev/null +++ b/Verification-zero-length-content-in-S-MIME-format.patch @@ -0,0 +1,43 @@ +From 6f1bee08cf80b9473496991b51f1f4a0decd96de Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 9 Oct 2020 20:04:05 +0300 +Subject: [PATCH 095/147] Verification zero-length content in S/MIME format + +Fixes #13082 + +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/13106) +--- + crypto/cms/cms_smime.c | 2 +- + crypto/pkcs7/pk7_smime.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c +index 652e97b..2c475ea 100644 +--- a/crypto/cms/cms_smime.c ++++ b/crypto/cms/cms_smime.c +@@ -341,7 +341,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, + char *ptr; + long len; + len = BIO_get_mem_data(dcont, &ptr); +- tmpin = BIO_new_mem_buf(ptr, len); ++ tmpin = (len == 0) ? dcont : BIO_new_mem_buf(ptr, len); + if (tmpin == NULL) { + CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE); + goto err2; +diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c +index 4418723..4ce44d8 100644 +--- a/crypto/pkcs7/pk7_smime.c ++++ b/crypto/pkcs7/pk7_smime.c +@@ -301,7 +301,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, + char *ptr; + long len; + len = BIO_get_mem_data(indata, &ptr); +- tmpin = BIO_new_mem_buf(ptr, len); ++ tmpin = (len == 0) ? indata : BIO_new_mem_buf(ptr, len); + if (tmpin == NULL) { + PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; +-- +1.8.3.1 + diff --git a/bio-printf-Avoid-using-rounding-errors-in-range-chec.patch b/bio-printf-Avoid-using-rounding-errors-in-range-chec.patch new file mode 100644 index 0000000..2e4a05b --- /dev/null +++ b/bio-printf-Avoid-using-rounding-errors-in-range-chec.patch @@ -0,0 +1,103 @@ +From 7d76c1fa0d6cd085419cb4cfadad8cfdfd24ce1f Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Mon, 25 May 2020 20:13:47 +0200 +Subject: [PATCH 004/147] bio printf: Avoid using rounding errors in range + check + +There is a problem casting ULONG_MAX to double which clang-10 is warning about. +ULONG_MAX typically cannot be exactly represented as a double. ULONG_MAX + 1 +can be and this fix uses the latter, however since ULONG_MAX cannot be +represented exactly as a double number we subtract 65535 from this number, +and the result has at most 48 leading one bits, and can therefore be +represented as a double integer without rounding error. By adding +65536.0 to this number we achive the correct result, which should avoid the +warning. + +The addresses a symptom of the underlying problem: we print doubles via an +unsigned long integer. Doubles have a far greater range and should be printed +better. + +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/11955) + +(cherry picked from commit 082c041b4233b17b80129d4ac6b33a28014442b0) +--- + crypto/bio/b_print.c | 8 +++++++- + test/bioprinttest.c | 34 ++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c +index 8ef90ac..48556f7 100644 +--- a/crypto/bio/b_print.c ++++ b/crypto/bio/b_print.c +@@ -635,7 +635,13 @@ fmtfp(char **sbuffer, + fvalue = tmpvalue; + } + ufvalue = abs_val(fvalue); +- if (ufvalue > ULONG_MAX) { ++ /* ++ * By subtracting 65535 (2^16-1) we cancel the low order 15 bits ++ * of ULONG_MAX to avoid using imprecise floating point values. ++ * The second condition is necessary to catch NaN values. ++ */ ++ if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0 ++ || !(ufvalue == ufvalue) /* NaN */) { + /* Number too big */ + return 0; + } +diff --git a/test/bioprinttest.c b/test/bioprinttest.c +index 680391e..e37b854 100644 +--- a/test/bioprinttest.c ++++ b/test/bioprinttest.c +@@ -241,14 +241,48 @@ static int test_fp(int i) + return r; + } + ++extern double zero_value; ++double zero_value = 0.0; ++ + static int test_big(void) + { + char buf[80]; ++ double d, z, inf, nan; + + /* Test excessively big number. Should fail */ + if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf), + "%f\n", 2 * (double)ULONG_MAX), -1)) + return 0; ++ ++ d = 1.0; ++ z = zero_value; ++ inf = d / z; ++ nan = z / z; ++ ++ /* ++ * Test +/-inf, nan. Should fail. ++ * Test +/-1.0, +/-0.0. Should work. ++ */ ++ if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", inf), -1) ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", -inf), -1) ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", nan), -1) ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", d), 8) ++ || !TEST_str_eq(buf, "1.000000") ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", z), 8) ++ || !TEST_str_eq(buf, "0.000000") ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", -d), 9) ++ || !TEST_str_eq(buf, "-1.000000") ++ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf), ++ "%f", -z), 8) ++ || !TEST_str_eq(buf, "0.000000")) ++ return 0; ++ + return 1; + } + +-- +1.8.3.1 + diff --git a/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch b/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch new file mode 100644 index 0000000..8a78409 --- /dev/null +++ b/crypto-poly1305-asm-fix-armv8-pointer-authentication.patch @@ -0,0 +1,38 @@ +From 5795acffd8706e1cb584284ee5bb3a30986d0e75 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Tue, 27 Oct 2020 18:02:40 +0100 +Subject: [PATCH 091/147] crypto/poly1305/asm: fix armv8 pointer authentication + +PAC pointer authentication signs the return address against the value +of the stack pointer, to prevent stack overrun exploits from corrupting +the control flow. However, this requires that the AUTIASP is issued with +SP holding the same value as it held when the PAC value was generated. +The Poly1305 armv8 code got this wrong, resulting in crashes on PAC +capable hardware. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/13256) + +(cherry picked from commit fcf6e9d056162d5af64c6f7209388a5c3be2ce57) +--- + crypto/poly1305/asm/poly1305-armv8.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl +index d07494b..2a42b64 100755 +--- a/crypto/poly1305/asm/poly1305-armv8.pl ++++ b/crypto/poly1305/asm/poly1305-armv8.pl +@@ -864,8 +864,8 @@ poly1305_blocks_neon: + st1 {$ACC4}[0],[$ctx] + + .Lno_data_neon: +- .inst 0xd50323bf // autiasp + ldr x29,[sp],#80 ++ .inst 0xd50323bf // autiasp + ret + .size poly1305_blocks_neon,.-poly1305_blocks_neon + +-- +1.8.3.1 + diff --git a/doc-Fix-documentation-of-EVP_EncryptUpdate.patch b/doc-Fix-documentation-of-EVP_EncryptUpdate.patch new file mode 100644 index 0000000..bd99a90 --- /dev/null +++ b/doc-Fix-documentation-of-EVP_EncryptUpdate.patch @@ -0,0 +1,42 @@ +From a47dd08d6cacc64536c2f57e0f0aee03dcfaab3d Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Tue, 14 Jul 2020 08:39:32 +1000 +Subject: [PATCH 052/147] doc: Fix documentation of EVP_EncryptUpdate(). + +The documentation was off by one for the length this function could return. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12435) + +(cherry picked from commit 3fc164e8d18dcdef57d297956debf8d966e7fbef) +--- + doc/man3/EVP_EncryptInit.pod | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod +index 2828bca..23ddf91 100644 +--- a/doc/man3/EVP_EncryptInit.pod ++++ b/doc/man3/EVP_EncryptInit.pod +@@ -146,10 +146,15 @@ appropriate. + EVP_EncryptUpdate() encrypts B bytes from the buffer B and + writes the encrypted version to B. This function can be called + multiple times to encrypt successive blocks of data. The amount +-of data written depends on the block alignment of the encrypted data: +-as a result the amount of data written may be anything from zero bytes +-to (inl + cipher_block_size - 1) so B should contain sufficient +-room. The actual number of bytes written is placed in B. It also ++of data written depends on the block alignment of the encrypted data. ++For most ciphers and modes, the amount of data written can be anything ++from zero bytes to (inl + cipher_block_size - 1) bytes. ++For wrap cipher modes, the amount of data written can be anything ++from zero bytes to (inl + cipher_block_size) bytes. ++For stream ciphers, the amount of data written can be anything from zero ++bytes to inl bytes. ++Thus, B should contain sufficient room for the operation being performed. ++The actual number of bytes written is placed in B. It also + checks if B and B are partially overlapping, and if they are + 0 is returned to indicate failure. + +-- +1.8.3.1 + diff --git a/doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch b/doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch new file mode 100644 index 0000000..73e24d7 --- /dev/null +++ b/doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch @@ -0,0 +1,43 @@ +From 7bdf1ee8ccb69a743e29e3d1a72194c30e8583ae Mon Sep 17 00:00:00 2001 +From: pedro martelletto +Date: Wed, 24 Jun 2020 17:48:00 +0200 +Subject: [PATCH 029/147] doc/man3: fix types taken by HMAC(), HMAC_Update() + +HMAC() and HMAC_Update() take size_t for 'n' and 'len' respectively. + +CLA: trivial + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/12264) + +(cherry picked from commit cc63865f336e0144f8501aa0a862ba0247a50622) +--- + doc/man3/HMAC.pod | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/man3/HMAC.pod b/doc/man3/HMAC.pod +index 30c0e6b..cc0d470 100644 +--- a/doc/man3/HMAC.pod ++++ b/doc/man3/HMAC.pod +@@ -21,7 +21,7 @@ HMAC_size + #include + + unsigned char *HMAC(const EVP_MD *evp_md, const void *key, +- int key_len, const unsigned char *d, int n, ++ int key_len, const unsigned char *d, size_t n, + unsigned char *md, unsigned int *md_len); + + HMAC_CTX *HMAC_CTX_new(void); +@@ -29,7 +29,7 @@ HMAC_size + + int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len, + const EVP_MD *md, ENGINE *impl); +- int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len); ++ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len); + int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len); + + void HMAC_CTX_free(HMAC_CTX *ctx); +-- +1.8.3.1 + diff --git a/fix-a-docs-typo.patch b/fix-a-docs-typo.patch new file mode 100644 index 0000000..0019227 --- /dev/null +++ b/fix-a-docs-typo.patch @@ -0,0 +1,34 @@ +From 315170f662b3053aa9fe817639e1b78f74f75077 Mon Sep 17 00:00:00 2001 +From: Jack O'Connor +Date: Thu, 28 May 2020 12:42:15 -0400 +Subject: [PATCH 008/147] fix a docs typo + +Correct "EC_KEY_point2buf" to "EC_POINT_point2buf". The former does not exist. + +CLA: trivial + +Reviewed-by: Ben Kaduk +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11988) + +(cherry picked from commit a5a87011baeef71c86938a2bae54f89fbe99e5dc) +--- + doc/man3/EC_KEY_new.pod | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/man3/EC_KEY_new.pod b/doc/man3/EC_KEY_new.pod +index 9d32d78..21663a0 100644 +--- a/doc/man3/EC_KEY_new.pod ++++ b/doc/man3/EC_KEY_new.pod +@@ -122,7 +122,7 @@ EC_KEY_precompute_mult() stores multiples of the underlying EC_GROUP generator + for faster point multiplication. See also L. + + EC_KEY_oct2key() and EC_KEY_key2buf() are identical to the functions +-EC_POINT_oct2point() and EC_KEY_point2buf() except they use the public key ++EC_POINT_oct2point() and EC_POINT_point2buf() except they use the public key + EC_POINT in B. + + EC_KEY_oct2priv() and EC_KEY_priv2oct() convert between the private key +-- +1.8.3.1 + diff --git a/fixed-swapped-parameters-descriptions-for-x509.patch b/fixed-swapped-parameters-descriptions-for-x509.patch new file mode 100644 index 0000000..e47c699 --- /dev/null +++ b/fixed-swapped-parameters-descriptions-for-x509.patch @@ -0,0 +1,33 @@ +From 48fc6cd59c6d4a8f6ecd57d85d6ef4e6373ff147 Mon Sep 17 00:00:00 2001 +From: Nihal Jere +Date: Tue, 21 Jul 2020 11:31:01 -0500 +Subject: [PATCH 055/147] fixed swapped parameters descriptions for x509 + +CLA: trivial + +Reviewed-by: Tomas Mraz +Reviewed-by: Dmitry Belyavskiy +(Merged from https://github.com/openssl/openssl/pull/12505) +--- + apps/x509.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/apps/x509.c b/apps/x509.c +index 5bb110f..1043eba 100644 +--- a/apps/x509.c ++++ b/apps/x509.c +@@ -140,9 +140,9 @@ const OPTIONS x509_options[] = { + {"", OPT_MD, '-', "Any supported digest"}, + #ifndef OPENSSL_NO_MD5 + {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', +- "Print old-style (MD5) issuer hash value"}, +- {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', + "Print old-style (MD5) subject hash value"}, ++ {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', ++ "Print old-style (MD5) issuer hash value"}, + #endif + #ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +-- +1.8.3.1 + diff --git a/fuzz-asn1.c-Add-missing-include.patch b/fuzz-asn1.c-Add-missing-include.patch new file mode 100644 index 0000000..8993ac0 --- /dev/null +++ b/fuzz-asn1.c-Add-missing-include.patch @@ -0,0 +1,33 @@ +From 1ab9298e43b6023f4083609493f20e354aa7faab Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Sat, 25 Apr 2020 04:11:09 +0200 +Subject: [PATCH 037/217] fuzz/asn1.c: Add missing #include + + gets included via ts.h... except when 'no-ts' has been +configured. + +Fixes #11597 + +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/11640) + +(cherry picked from commit 60ebc0ca5a829e2ae939a9ab13658af202b6dfc7) +--- + fuzz/asn1.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fuzz/asn1.c b/fuzz/asn1.c +index fd2271b..d3148c0 100644 +--- a/fuzz/asn1.c ++++ b/fuzz/asn1.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +-- +1.8.3.1 + diff --git a/i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch b/i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch new file mode 100644 index 0000000..937c827 --- /dev/null +++ b/i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch @@ -0,0 +1,38 @@ +From a5ae257ed2d046105cff99d72d2d1335091a3515 Mon Sep 17 00:00:00 2001 +From: Christian Hohnstaedt +Date: Sun, 22 Mar 2020 09:41:30 +0100 +Subject: [PATCH 036/217] i2b_PVK_bio: don't set PEM_R_BIO_WRITE_FAILURE in + case of success + +but in case of an error + +CLA: trivial + +Reviewed-by: Richard Levitte +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11380) + +(cherry picked from commit 80b94a5adb461f94629d36db351a051b0a890856) +--- + crypto/pem/pvkfmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c +index 1fc19c1..46ed2ec 100644 +--- a/crypto/pem/pvkfmt.c ++++ b/crypto/pem/pvkfmt.c +@@ -875,9 +875,9 @@ int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, + wrlen = BIO_write(out, tmp, outlen); + OPENSSL_free(tmp); + if (wrlen == outlen) { +- PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE); + return outlen; + } ++ PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE); + return -1; + } + +-- +1.8.3.1 + diff --git a/openssl.spec b/openssl.spec index b8828ee..4028ee4 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 3 +Release: 8 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -11,12 +11,74 @@ Source1: Makefile.certificate Patch1: openssl-1.1.1-build.patch Patch2: openssl-1.1.1-fips.patch Patch3: CVE-2020-1967.patch -Patch4: CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch -Patch5: CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch -Patch6: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch -Patch7: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch -Patch8: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch -Patch9: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch +Patch4: Ensure-ECDSA_size-always-returns-0.patch +Patch5: Fix-the-error-handling-in-EC_POINTs_mul.patch +Patch6: Integer-overflow-in-ASN1_STRING_set.patch +Patch7: AES-CTR-DRGB-do-not-leak-timing-information.patch +Patch8: Fix-AES-CTR_DRBG-on-1.1.1.patch +Patch9: BIO_do_accept-correct-error-return-value.patch +Patch10: Add-test-for-CVE-2020-1967.patch +Patch11: EC-Constify-internal-EC_KEY-pointer-usage.patch +Patch12: EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch +Patch13: BN-harden-BN_copy-against-leaks-from-memory-accesses.patch +Patch14: Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch +Patch15: i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch +Patch16: fuzz-asn1.c-Add-missing-include.patch +Patch17: Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch +Patch18: Fix-PEM-certificate-loading-that-sometimes-fails.patch +Patch19: Fix-rsa8192.pem.patch +Patch20: Correct-alignment-calculation-in-ssl3_setup_write.patch +Patch21: Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch +Patch22: Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch +Patch23: Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch +Patch24: Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch +Patch25: t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch +Patch26: Fix-d2i_PrivateKey-to-work-as-documented.patch +Patch27: Prevent-use-after-free-of-global_engine_lock.patch +Patch28: Allow-NULL-arg-to-OSSL_STORE_close.patch +Patch29: EVP_EncryptInit.pod-fix-example.patch +Patch30: bio-printf-Avoid-using-rounding-errors-in-range-chec.patch +Patch31: Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch +Patch32: Revert-the-check-for-NaN-in-f-format.patch +Patch33: fix-a-docs-typo.patch +Patch34: Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch +Patch35: Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch +Patch36: Do-not-allow-dropping-Extended-Master-Secret-extensi.patch +Patch37: EVP-allow-empty-strings-to-EVP_Decode-functions.patch +Patch38: CMS_get0_signers-description.patch +Patch39: Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch +Patch40: Correctly-handle-the-return-value-from-EVP_Cipher-in.patch +Patch41: Fix-wrong-return-value-check-of-mmap-function.patch +Patch42: doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch +Patch43: Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch +Patch44: Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch +Patch45: Add-an-SSL_dup-test.patch +Patch46: Free-pre_proc_exts-in-SSL_free.patch +Patch47: Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch +Patch48: x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch +Patch49: doc-Fix-documentation-of-EVP_EncryptUpdate.patch +Patch50: Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch +Patch51: fixed-swapped-parameters-descriptions-for-x509.patch +Patch52: Update-EVP_EncodeInit.pod.patch +Patch53: Avoid-segfault-in-SSL_export_keying_material-if-ther.patch +Patch54: sslapitest-Add-test-for-premature-call-of-SSL_export.patch +Patch55: Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch +Patch56: Coverity-Fixes.patch +Patch57: Fix-memory-leaks-in-conf_def.c.patch +Patch58: Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch +Patch59: Use-size-of-target-buffer-for-allocation.patch +Patch60: Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch +Patch61: Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch +Patch62: Avoid-potential-doublefree-on-dh-object-assigned-to-.patch +Patch63: Fix-AES-GCM-bug-on-aarch64-BigEndian.patch +Patch64: crypto-poly1305-asm-fix-armv8-pointer-authentication.patch +Patch65: Verification-zero-length-content-in-S-MIME-format.patch +Patch66: CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch +Patch67: CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch +Patch68: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch +Patch69: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch +Patch70: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch +Patch71: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -193,6 +255,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Tue Feb 09 2021 Liufeng - 1:1.1.1f-8 +- backport some bugfix patches from OpenSSL community and reset the release + * Mon Jan 19 2021 openEuler Buildteam - 1:1.1.1f-3 - fix CVE-2020-1971 diff --git a/sslapitest-Add-test-for-premature-call-of-SSL_export.patch b/sslapitest-Add-test-for-premature-call-of-SSL_export.patch new file mode 100644 index 0000000..880f950 --- /dev/null +++ b/sslapitest-Add-test-for-premature-call-of-SSL_export.patch @@ -0,0 +1,45 @@ +From 46a9ee8c796c8b5f8d95290676119b4f3d72be91 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 6 Aug 2020 15:14:29 +0200 +Subject: [PATCH 061/147] sslapitest: Add test for premature call of + SSL_export_keying_material + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/12594) + +(cherry picked from commit ea9f6890eb54e4b9e8b81cc1318ca3a6fc0c8356) +--- + test/sslapitest.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 5220722..ad1824c 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -4432,9 +4432,20 @@ static int test_export_key_mat(int tst) + SSL_CTX_set_min_proto_version(cctx, protocols[tst]); + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, +- NULL)) +- || !TEST_true(create_ssl_connection(serverssl, clientssl, +- SSL_ERROR_NONE))) ++ NULL))) ++ goto end; ++ ++ /* ++ * Premature call of SSL_export_keying_material should just fail. ++ */ ++ if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, ++ sizeof(ckeymat1), label, ++ SMALL_LABEL_LEN + 1, context, ++ sizeof(context) - 1, 1), 0)) ++ goto end; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) + goto end; + + if (tst == 5) { +-- +1.8.3.1 + diff --git a/t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch b/t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch new file mode 100644 index 0000000..c1ea754 --- /dev/null +++ b/t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch @@ -0,0 +1,72 @@ +From cf94e8430f3cd7c17f62b74443d16347b4b97ac8 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 19 May 2020 10:52:53 +0200 +Subject: [PATCH 061/217] t1_trce: Fix remaining places where the 24 bit shift + overflow happens + +[extended tests] + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/11857) + +(cherry picked from commit 7486c718e54cc762edc5f1c7c526ab83d0f97ef7) +--- + ssl/t1_trce.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c +index 5c84339..edd839a 100644 +--- a/ssl/t1_trce.c ++++ b/ssl/t1_trce.c +@@ -656,7 +656,10 @@ static int ssl_print_random(BIO *bio, int indent, + + if (*pmsglen < 32) + return 0; +- tm = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; ++ tm = ((unsigned int)p[0] << 24) ++ | ((unsigned int)p[1] << 16) ++ | ((unsigned int)p[2] << 8) ++ | (unsigned int)p[3]; + p += 4; + BIO_indent(bio, indent, 80); + BIO_puts(bio, "Random:\n"); +@@ -864,8 +867,10 @@ static int ssl_print_extension(BIO *bio, int indent, int server, + break; + if (extlen != 4) + return 0; +- max_early_data = (ext[0] << 24) | (ext[1] << 16) | (ext[2] << 8) +- | ext[3]; ++ max_early_data = ((unsigned int)ext[0] << 24) ++ | ((unsigned int)ext[1] << 16) ++ | ((unsigned int)ext[2] << 8) ++ | (unsigned int)ext[3]; + BIO_indent(bio, indent + 2, 80); + BIO_printf(bio, "max_early_data=%u\n", max_early_data); + break; +@@ -1356,7 +1361,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl, + } + if (msglen < 4) + return 0; +- tick_life = (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3]; ++ tick_life = ((unsigned int)msg[0] << 24) ++ | ((unsigned int)msg[1] << 16) ++ | ((unsigned int)msg[2] << 8) ++ | (unsigned int)msg[3]; + msglen -= 4; + msg += 4; + BIO_indent(bio, indent + 2, 80); +@@ -1367,7 +1375,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl, + if (msglen < 4) + return 0; + ticket_age_add = +- (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3]; ++ ((unsigned int)msg[0] << 24) ++ | ((unsigned int)msg[1] << 16) ++ | ((unsigned int)msg[2] << 8) ++ | (unsigned int)msg[3]; + msglen -= 4; + msg += 4; + BIO_indent(bio, indent + 2, 80); +-- +1.8.3.1 + diff --git a/x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch b/x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch new file mode 100644 index 0000000..ee450fe --- /dev/null +++ b/x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch @@ -0,0 +1,151 @@ +From 42bb51e59308b3ebc5cc1c35ff4822fba6b52d79 Mon Sep 17 00:00:00 2001 +From: "Dr. David von Oheimb" +Date: Fri, 3 Jul 2020 21:19:55 +0200 +Subject: [PATCH 051/147] x509_vfy.c: Improve key usage checks in + internal_verify() of cert chains + +If a presumably self-signed cert is last in chain we verify its signature +only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the +signature verification, but not in case it is a (non-conforming) self-issued +CA certificate with a key usage extension that does not include keyCertSign. + +Make clear when we must verify the signature of a certificate +and when we must adhere to key usage restrictions of the 'issuing' cert. +Add some comments for making internal_verify() easier to understand. +Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly. + +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/12357) +--- + crypto/x509/x509_vfy.c | 46 ++++++++++++++++++++++++-------- + doc/man1/verify.pod | 7 +++-- + doc/man3/X509_VERIFY_PARAM_set_flags.pod | 13 +++++---- + 3 files changed, 48 insertions(+), 18 deletions(-) + +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 87b51e9..f30c0f8 100644 +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -1716,6 +1716,7 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) + return 1; + } + ++/* verify the issuer signatures and cert times of ctx->chain */ + static int internal_verify(X509_STORE_CTX *ctx) + { + int n = sk_X509_num(ctx->chain) - 1; +@@ -1734,7 +1735,7 @@ static int internal_verify(X509_STORE_CTX *ctx) + } + + if (ctx->check_issued(ctx, xi, xi)) +- xs = xi; ++ xs = xi; /* the typical case: last cert in the chain is self-issued */ + else { + if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { + xs = xi; +@@ -1754,26 +1755,49 @@ static int internal_verify(X509_STORE_CTX *ctx) + */ + while (n >= 0) { + /* +- * Skip signature check for self-issued certificates unless explicitly ++ * For each iteration of this loop: ++ * n is the subject depth ++ * xs is the subject cert, for which the signature is to be checked ++ * xi is the supposed issuer cert containing the public key to use ++ * Initially xs == xi if the last cert in the chain is self-issued. ++ * ++ * Skip signature check for self-signed certificates unless explicitly + * asked for because it does not add any security and just wastes time. +- * If the issuer's public key is not available or its key usage does +- * not support issuing the subject cert, report the issuer certificate +- * and its depth (rather than the depth of the subject). + */ +- if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { ++ if (xs != xi || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE) ++ && (xi->ex_flags & EXFLAG_SS) != 0)) { + EVP_PKEY *pkey; ++ /* ++ * If the issuer's public key is not available or its key usage ++ * does not support issuing the subject cert, report the issuer ++ * cert and its depth (rather than n, the depth of the subject). ++ */ + int issuer_depth = n + (xs == xi ? 0 : 1); +- int ret = x509_signing_allowed(xi, xs); ++ /* ++ * According to https://tools.ietf.org/html/rfc5280#section-6.1.4 ++ * step (n) we must check any given key usage extension in a CA cert ++ * when preparing the verification of a certificate issued by it. ++ * According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3 ++ * we must not verify a certifiate signature if the key usage of the ++ * CA certificate that issued the certificate prohibits signing. ++ * In case the 'issuing' certificate is the last in the chain and is ++ * not a CA certificate but a 'self-issued' end-entity cert (i.e., ++ * xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply ++ * (see https://tools.ietf.org/html/rfc6818#section-2) and thus ++ * we are free to ignore any key usage restrictions on such certs. ++ */ ++ int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0 ++ ? X509_V_OK : x509_signing_allowed(xi, xs); + + if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret)) + return 0; + if ((pkey = X509_get0_pubkey(xi)) == NULL) { +- if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, +- X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) ++ ret = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ++ if (!verify_cb_cert(ctx, xi, issuer_depth, ret)) + return 0; + } else if (X509_verify(xs, pkey) <= 0) { +- if (!verify_cb_cert(ctx, xs, n, +- X509_V_ERR_CERT_SIGNATURE_FAILURE)) ++ ret = X509_V_ERR_CERT_SIGNATURE_FAILURE; ++ if (!verify_cb_cert(ctx, xs, n, ret)) + return 0; + } + } +diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod +index 63ba850..18e803c 100644 +--- a/doc/man1/verify.pod ++++ b/doc/man1/verify.pod +@@ -98,8 +98,11 @@ current system time. B is the number of seconds since + + =item B<-check_ss_sig> + +-Verify the signature on the self-signed root CA. This is disabled by default +-because it doesn't add any security. ++Verify the signature of ++the last certificate in a chain if the certificate is supposedly self-signed. ++This is prohibited and will result in an error if it is a non-conforming CA ++certificate with key usage restrictions not including the keyCertSign bit. ++This verification is disabled by default because it doesn't add any security. + + =item B<-CRLfile file> + +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index 7593dea..a87b71d 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod ++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -264,12 +264,15 @@ they are enabled. + If B is set delta CRLs (if present) are used to + determine certificate status. If not set deltas are ignored. + +-B enables checking of the root CA self signed +-certificate signature. By default this check is disabled because it doesn't ++B requests checking the signature of ++the last certificate in a chain if the certificate is supposedly self-signed. ++This is prohibited and will result in an error if it is a non-conforming CA ++certificate with key usage restrictions not including the keyCertSign bit. ++By default this check is disabled because it doesn't + add any additional security but in some cases applications might want to +-check the signature anyway. A side effect of not checking the root CA +-signature is that disabled or unsupported message digests on the root CA +-are not treated as fatal errors. ++check the signature anyway. A side effect of not checking the self-signature ++of such a certificate is that disabled or unsupported message digests used for ++the signature are not treated as fatal errors. + + When B is set, construction of the certificate chain + in L will search the trust store for issuer certificates +-- +1.8.3.1 + -- Gitee From 810a65d4b328946ae67fc3ba60ea122b8c3956f9 Mon Sep 17 00:00:00 2001 From: guoxiaoqi Date: Thu, 11 Mar 2021 09:31:41 +0800 Subject: [PATCH 4/6] fix CVE-2021-23840 and CVE-2021-23841 --- CVE-2021-23840.patch | 141 +++++++++++++++++++++++++++++++++++++++++++ CVE-2021-23841.patch | 44 ++++++++++++++ openssl.spec | 9 ++- 3 files changed, 192 insertions(+), 2 deletions(-) create mode 100644 CVE-2021-23840.patch create mode 100644 CVE-2021-23841.patch diff --git a/CVE-2021-23840.patch b/CVE-2021-23840.patch new file mode 100644 index 0000000..c57b54c --- /dev/null +++ b/CVE-2021-23840.patch @@ -0,0 +1,141 @@ +From 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 2 Feb 2021 17:17:23 +0000 +Subject: [PATCH] Don't overflow the output length in EVP_CipherUpdate calls + +CVE-2021-23840 + +Reviewed-by: Paul Dale +Signed-off-by: guoxiaoqi +--- + crypto/err/openssl.txt | 3 ++- + crypto/evp/evp_enc.c | 27 +++++++++++++++++++++++++++ + crypto/evp/evp_err.c | 4 +++- + include/openssl/evperr.h | 7 +++---- + 4 files changed, 35 insertions(+), 6 deletions(-) + +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index 815460b..7e17763 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -1,4 +1,4 @@ +-# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + # + # Licensed under the OpenSSL license (the "License"). You may not use + # this file except in compliance with the License. You can obtain a copy +@@ -2283,6 +2283,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported + EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ + operation not supported for this keytype + EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized ++EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow + EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers + EVP_R_PBKDF2_ERROR:181:pbkdf2 error + EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index b9b6490..0843caf 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include + #include "internal/cryptlib.h" + #include +@@ -355,6 +356,19 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, + return 1; + } else { + j = bl - i; ++ ++ /* ++ * Once we've processed the first j bytes from in, the amount of ++ * data left that is a multiple of the block length is: ++ * (inl - j) & ~(bl - 1) ++ * We must ensure that this amount of data, plus the one block that ++ * we process from ctx->buf does not exceed INT_MAX ++ */ ++ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { ++ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, ++ EVP_R_OUTPUT_WOULD_OVERFLOW); ++ return 0; ++ } + memcpy(&(ctx->buf[i]), in, j); + inl -= j; + in += j; +@@ -502,6 +516,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, + EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); + return 0; + } ++ /* ++ * final_used is only ever set if buf_len is 0. Therefore the maximum ++ * length output we will ever see from evp_EncryptDecryptUpdate is ++ * the maximum multiple of the block length that is <= inl, or just: ++ * inl & ~(b - 1) ++ * Since final_used has been set then the final output length is: ++ * (inl & ~(b - 1)) + b ++ * This must never exceed INT_MAX ++ */ ++ if ((inl & ~(b - 1)) > INT_MAX - b) { ++ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW); ++ return 0; ++ } + memcpy(out, ctx->final, b); + out += b; + fix_len = 1; +diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c +index 05481d8..32ac012 100644 +--- a/crypto/evp/evp_err.c ++++ b/crypto/evp/evp_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -239,6 +239,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { + "operation not supported for this keytype"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), + "operaton not initialized"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), ++ "output would overflow"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), + "partially overlapping buffers"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, +diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h +index d2b26ea..b4ea90a 100644 +--- a/include/openssl/evperr.h ++++ b/include/openssl/evperr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_EVPERR_H + # define HEADER_EVPERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # ifdef __cplusplus + extern "C" +@@ -179,6 +177,7 @@ int ERR_load_EVP_strings(void); + # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 + # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 + # define EVP_R_OPERATON_NOT_INITIALIZED 151 ++# define EVP_R_OUTPUT_WOULD_OVERFLOW 184 + # define EVP_R_PARTIALLY_OVERLAPPING 162 + # define EVP_R_PBKDF2_ERROR 181 + # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 +-- +1.8.3.1 + diff --git a/CVE-2021-23841.patch b/CVE-2021-23841.patch new file mode 100644 index 0000000..b48e238 --- /dev/null +++ b/CVE-2021-23841.patch @@ -0,0 +1,44 @@ +From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 10 Feb 2021 16:10:36 +0000 +Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash() + +The OpenSSL public API function X509_issuer_and_serial_hash() attempts +to create a unique hash value based on the issuer and serial number data +contained within an X509 certificate. However it fails to correctly +handle any errors that may occur while parsing the issuer field (which +might occur if the issuer field is maliciously constructed). This may +subsequently result in a NULL pointer deref and a crash leading to a +potential denial of service attack. + +The function X509_issuer_and_serial_hash() is never directly called by +OpenSSL itself so applications are only vulnerable if they use this +function directly and they use it on certificates that may have been +obtained from untrusted sources. + +CVE-2021-23841 + +Reviewed-by: Richard Levitte +Reviewed-by: Paul Dale +(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0) +Signed-off-by: guoxiaoqi +--- + crypto/x509/x509_cmp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c +index c9d8933..a964bbf 100644 +--- a/crypto/x509/x509_cmp.c ++++ b/crypto/x509/x509_cmp.c +@@ -39,6 +39,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) + if (ctx == NULL) + goto err; + f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); ++ if (f == NULL) ++ goto err; + if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) + goto err; + if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f))) +-- +1.8.3.1 + diff --git a/openssl.spec b/openssl.spec index 4028ee4..c73f33f 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,9 +2,9 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 8 +Release: 9 Summary: Cryptography and SSL/TLS Toolkit -License: OpenSSL and SSLeay +License: OpenSSL and SSLeay and GPLv2+ URL: https://www.openssl.org/ Source0: https://www.openssl.org/source/old/1.1.1/%{name}-%{version}.tar.gz Source1: Makefile.certificate @@ -79,6 +79,8 @@ Patch68: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use- Patch69: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch Patch70: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch Patch71: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch +Patch72: CVE-2021-23840.patch +Patch73: CVE-2021-23841.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -255,6 +257,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Thu Mar 11 2021 openEuler Buildteam - 1:1.1.1f-9 +- fix CVE-2021-23840 and CVE-2021-23841 + * Tue Feb 09 2021 Liufeng - 1:1.1.1f-8 - backport some bugfix patches from OpenSSL community and reset the release -- Gitee From 21321db13aee4a47846732c4dec8b54fe15ba1a3 Mon Sep 17 00:00:00 2001 From: guoxiaoqi Date: Wed, 7 Apr 2021 16:15:10 +0800 Subject: [PATCH 5/6] fix CVE-2021-3449 --- CVE-2021-3449.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++ openssl.spec | 6 +++++- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-3449.patch diff --git a/CVE-2021-3449.patch b/CVE-2021-3449.patch new file mode 100644 index 0000000..159e143 --- /dev/null +++ b/CVE-2021-3449.patch @@ -0,0 +1,47 @@ +From fb9fa6b51defd48157eeb207f52181f735d96148 Mon Sep 17 00:00:00 2001 +From: Peter Kaestle +Date: Mon, 15 Mar 2021 13:19:56 +0100 +Subject: [PATCH] ssl sigalg extension: fix NULL pointer dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's +possible to crash an openssl tls secured server remotely by sending a +manipulated hello message in a rehandshake. + +On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls +tls12_shared_sigalgs() with the peer_sigalgslen of the previous +handshake, while the peer_sigalgs has been freed. +As a result tls12_shared_sigalgs() walks over the available +peer_sigalgs and tries to access data of a NULL pointer. + +This issue was introduced by c589c34e61 (Add support for the TLS 1.3 +signature_algorithms_cert extension, 2018-01-11). + +Signed-off-by: Peter Kästle +Signed-off-by: Samuel Sapalski + +CVE-2021-3449 + +CLA: trivial + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + ssl/statem/extensions.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c +index b055935d697b..4aed508d0f03 100644 +--- a/ssl/statem/extensions.c ++++ b/ssl/statem/extensions.c +@@ -1139,6 +1139,7 @@ static int init_sig_algs(SSL *s, unsigned int context) + /* Clear any signature algorithms extension received */ + OPENSSL_free(s->s3->tmp.peer_sigalgs); + s->s3->tmp.peer_sigalgs = NULL; ++ s->s3->tmp.peer_sigalgslen = 0; + + return 1; + } diff --git a/openssl.spec b/openssl.spec index c73f33f..6addfa7 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 9 +Release: 10 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay and GPLv2+ URL: https://www.openssl.org/ @@ -81,6 +81,7 @@ Patch70: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch Patch71: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch Patch72: CVE-2021-23840.patch Patch73: CVE-2021-23841.patch +Patch74: CVE-2021-3449.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -257,6 +258,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Wed Apr 7 2021 openEuler Buildteam - 1:1.1.1f-10 +- fix CVE-2021-3449 + * Thu Mar 11 2021 openEuler Buildteam - 1:1.1.1f-9 - fix CVE-2021-23840 and CVE-2021-23841 -- Gitee From dcb66ff6f32285c0c53797725c06423ed4a96229 Mon Sep 17 00:00:00 2001 From: hzero1996 Date: Mon, 30 Aug 2021 19:50:23 +0800 Subject: [PATCH 6/6] fix CVE-2021-3711 and CVE-2021-3712 --- ...ext-buffer-is-large-enough-when-decr.patch | 37 ++++++ ...ate-the-length-of-SM2-plaintext-give.patch | 124 ++++++++++++++++++ ...0003-Extend-tests-for-SM2-decryption.patch | 42 ++++++ ...ead-buffer-overrun-in-X509_aux_print.patch | 63 +++++++++ ..._from_ecparameters-to-check-the-base.patch | 38 ++++++ openssl.spec | 10 +- 6 files changed, 313 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch create mode 100644 CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch create mode 100644 CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch create mode 100644 CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch create mode 100644 CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch diff --git a/CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch b/CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch new file mode 100644 index 0000000..26a3cdc --- /dev/null +++ b/CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch @@ -0,0 +1,37 @@ +From 515ac8b5e544dd713a2b4cabfc54b722d122c218 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 13 Aug 2021 16:58:21 +0100 +Subject: [PATCH] Check the plaintext buffer is large enough when decrypting + SM2 + +Previously there was no check that the supplied buffer was large enough. +It was just assumed to be sufficient. Instead we should check and fail if +not. + +Reviewed-by: Paul Dale +Reviewed-by: Nicola Tuveri + +Reference: https://github.com/openssl/openssl/commit/515ac8b5e544dd713a2b4cabfc54b722d122c218 +Conflict: NA +--- + crypto/sm2/sm2_crypt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c +index 1188abfc6b..00055a4e51 100644 +--- a/crypto/sm2/sm2_crypt.c ++++ b/crypto/sm2/sm2_crypt.c +@@ -294,6 +294,10 @@ int sm2_decrypt(const EC_KEY *key, + C2 = sm2_ctext->C2->data; + C3 = sm2_ctext->C3->data; + msg_len = sm2_ctext->C2->length; ++ if (*ptext_len < (size_t)msg_len) { ++ SM2err(SM2_F_SM2_DECRYPT, SM2_R_BUFFER_TOO_SMALL); ++ goto done; ++ } + + ctx = BN_CTX_new(); + if (ctx == NULL) { +-- +2.23.0 + diff --git a/CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch b/CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch new file mode 100644 index 0000000..d7373ca --- /dev/null +++ b/CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch @@ -0,0 +1,124 @@ +From 59f5e75f3bced8fc0e130d72a3f582cf7b480b46 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 13 Aug 2021 14:14:51 +0100 +Subject: [PATCH] Correctly calculate the length of SM2 plaintext given the + ciphertext + +Previously the length of the SM2 plaintext could be incorrectly calculated. +The plaintext length was calculated by taking the ciphertext length and +taking off an "overhead" value. + +The overhead value was assumed to have a "fixed" element of 10 bytes. +This is incorrect since in some circumstances it can be more than 10 bytes. +Additionally the overhead included the length of two integers C1x and C1y, +which were assumed to be the same length as the field size (32 bytes for +the SM2 curve). However in some cases these integers can have an additional +padding byte when the msb is set, to disambiguate them from negative +integers. Additionally the integers can also be less than 32 bytes in +length in some cases. + +If the calculated overhead is incorrect and larger than the actual value +this can result in the calculated plaintext length being too small. +Applications are likely to allocate buffer sizes based on this and therefore +a buffer overrun can occur. + +CVE-2021-3711 + +Issue reported by John Ouyang. + +Reviewed-by: Paul Dale +Reviewed-by: Nicola Tuveri + +Reference: https://github.com/openssl/openssl/commit/59f5e75f3bced8fc0e130d72a3f582cf7b480b46 +Conflict: NA +--- + crypto/sm2/sm2_crypt.c | 23 +++++++---------------- + crypto/sm2/sm2_pmeth.c | 2 +- + include/crypto/sm2.h | 3 +-- + test/sm2_internal_test.c | 2 +- + 4 files changed, 10 insertions(+), 20 deletions(-) + +diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c +index ef505f6441..1188abfc6b 100644 +--- a/crypto/sm2/sm2_crypt.c ++++ b/crypto/sm2/sm2_crypt.c +@@ -61,29 +61,20 @@ static size_t ec_field_size(const EC_GROUP *group) + return field_size; + } + +-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, +- size_t *pt_size) ++int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size) + { +- const size_t field_size = ec_field_size(EC_KEY_get0_group(key)); +- const int md_size = EVP_MD_size(digest); +- size_t overhead; ++ struct SM2_Ciphertext_st *sm2_ctext = NULL; + +- if (md_size < 0) { +- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_DIGEST); +- return 0; +- } +- if (field_size == 0) { +- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_FIELD); +- return 0; +- } ++ sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size); + +- overhead = 10 + 2 * field_size + (size_t)md_size; +- if (msg_len <= overhead) { ++ if (sm2_ctext == NULL) { + SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_ENCODING); + return 0; + } + +- *pt_size = msg_len - overhead; ++ *pt_size = sm2_ctext->C2->length; ++ SM2_Ciphertext_free(sm2_ctext); ++ + return 1; + } + +diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c +index b42a14c32f..27025fbf3a 100644 +--- a/crypto/sm2/sm2_pmeth.c ++++ b/crypto/sm2/sm2_pmeth.c +@@ -151,7 +151,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx, + const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md; + + if (out == NULL) { +- if (!sm2_plaintext_size(ec, md, inlen, outlen)) ++ if (!sm2_plaintext_size(in, inlen, outlen)) + return -1; + else + return 1; +diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h +index 76ee80baff..50851a83ce 100644 +--- a/include/crypto/sm2.h ++++ b/include/crypto/sm2.h +@@ -60,8 +60,7 @@ int sm2_verify(const unsigned char *dgst, int dgstlen, + int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, + size_t *ct_size); + +-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, +- size_t *pt_size); ++int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size); + + int sm2_encrypt(const EC_KEY *key, + const EVP_MD *digest, +diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c +index 2bb73947ff..41827bb82f 100644 +--- a/test/sm2_internal_test.c ++++ b/test/sm2_internal_test.c +@@ -185,7 +185,7 @@ static int test_sm2_crypt(const EC_GROUP *group, + if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len)) + goto done; + +- if (!TEST_true(sm2_plaintext_size(key, digest, ctext_len, &ptext_len)) ++ if (!TEST_true(sm2_plaintext_size(ctext, ctext_len, &ptext_len)) + || !TEST_int_eq(ptext_len, msg_len)) + goto done; + +-- +2.23.0 + diff --git a/CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch b/CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch new file mode 100644 index 0000000..fda5a45 --- /dev/null +++ b/CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch @@ -0,0 +1,42 @@ +From 733fa41c3fc4bcac37f94aa917f7242420f8a5a6 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 13 Aug 2021 14:49:47 +0100 +Subject: [PATCH] Extend tests for SM2 decryption + +Check the case where C1y < 32 bytes in length (i.e. short overhead), and +also the case with longer plaintext and C1x and C1y > 32 bytes in length +(i.e. long overhead) + +Reviewed-by: Paul Dale +Reviewed-by: Nicola Tuveri + +Reference: https://github.com/openssl/openssl/commit/733fa41c3fc4bcac37f94aa917f7242420f8a5a6 +Conflict: NA +--- + test/recipes/30-test_evp_data/evppkey.txt | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt +index 736e0ce4d3..c3947cb000 100644 +--- a/test/recipes/30-test_evp_data/evppkey.txt ++++ b/test/recipes/30-test_evp_data/evppkey.txt +@@ -18444,6 +18444,16 @@ Decrypt = SM2_key1 + Input = 30818A0220466BE2EF5C11782EC77864A0055417F407A5AFC11D653C6BCE69E417BB1D05B6022062B572E21FF0DDF5C726BD3F9FF2EAE56E6294713A607E9B9525628965F62CC804203C1B5713B5DB2728EB7BF775E44F4689FC32668BDC564F52EA45B09E8DF2A5F40422084A9D0CC2997092B7D3C404FCE95956EB604D732B2307A8E5B8900ED6608CA5B197 + Output = "The floofy bunnies hop at midnight" + ++# Test with an C1y value < 32 bytes in length (self generated) ++Decrypt = SM2_key1 ++Input = 3072022070DAD60CDA7C30D64CF4F278A849003581223F5324BFEC9BB329229BFFAD21A6021F18AFAB2B35459D2643243B242BE4EA80C6FA5071D2D847340CC57EB9309E5D04200B772E4DB664B2601E3B85E39C4AA8C2C1910308BE13B331E009C5A9258C29FD040B6D588BE9260A94DA18E0E6 ++Output = "Hello World" ++ ++# Test with an C1x and C1y valuey > 32 bytes in length, and longer plaintext (self generated) ++Decrypt = SM2_key1 ++Input = 3081DD022100CD49634BBCB21CAFFFA6D33669A5A867231CB2A942A14352EF4CAF6DC3344D54022100C35B41D4DEBB3A2735EFEE821B9EBA566BD86900176A0C06672E30EE5CC04E930420C4190A3D80D86C4BD20E99F7E4B59BF6427C6808793533EEA9591D1188EC56B50473747295470E81D951BED279AC1B86A1AFE388CD2833FA9632799EC199C7D364E5663D5A94888BB2358CFCBF6283184DE0CBC41CCEA91D24746E99D231A1DA77AFD83CDF908190ED628B7369724494568A27C782A1D1D7294BCAD80C34569ED22859896301128A8118F48924D8CCD43E998D9533 ++Output = "Some longer plaintext for testing SM2 decryption. Blah blah blah blah blah blah blah blah blah blah blah blah blah." ++ + # This is a "fake" test as it does only verify that the SM2 EVP_PKEY interface + # is capable of creating a signature without failing, but it does not say + # anything about the generated signature being valid, nor does it test the +-- +2.23.0 + diff --git a/CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch b/CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch new file mode 100644 index 0000000..dc9c757 --- /dev/null +++ b/CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch @@ -0,0 +1,63 @@ +From d9d838ddc0ed083fb4c26dd067e71aad7c65ad16 Mon Sep 17 00:00:00 2001 +From: Ingo Schwarze +Date: Sun, 18 Jul 2021 17:48:06 +0200 +Subject: [PATCH] Fix a read buffer overrun in X509_aux_print(). + +The ASN1_STRING_get0_data(3) manual explitely cautions the reader +that the data is not necessarily NUL-terminated, and the function +X509_alias_set1(3) does not sanitize the data passed into it in any +way either, so we must assume the return value from X509_alias_get0(3) +is merely a byte array and not necessarily a string in the sense +of the C language. + +I found this bug while writing manual pages for X509_print_ex(3) +and related functions. Theo Buehler checked my +patch to fix the same bug in LibreSSL, see + +http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 + +As an aside, note that the function still produces incomplete and +misleading results when the data contains a NUL byte in the middle +and that error handling is consistently absent throughout, even +though the function provides an "int" return value obviously intended +to be 1 for success and 0 for failure, and even though this function +is called by another function that also wants to return 1 for success +and 0 for failure and even does so in many of its code paths, though +not in others. But let's stay focussed. Many things would be nice +to have in the wide wild world, but a buffer overflow must not be +allowed to remain in our backyard. + +CLA: trivial + +Reviewed-by: Tim Hudson +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/16108) + +(cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67) + +Reference: https://github.com/openssl/openssl/commit/d9d838ddc0ed083fb4c26dd067e71aad7c65ad16 +Conflict: NA +--- + crypto/x509/t_x509.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c +index 12d807f705..3ba0b3a045 100644 +--- a/crypto/x509/t_x509.c ++++ b/crypto/x509/t_x509.c +@@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, int indent) + BIO_puts(out, "\n"); + } else + BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); +- alias = X509_alias_get0(x, NULL); ++ alias = X509_alias_get0(x, &i); + if (alias) +- BIO_printf(out, "%*sAlias: %s\n", indent, "", alias); ++ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias); + keyid = X509_keyid_get0(x, &keyidlen); + if (keyid) { + BIO_printf(out, "%*sKey Id: ", indent, ""); +-- +2.23.0 + diff --git a/CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch b/CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch new file mode 100644 index 0000000..bb770f1 --- /dev/null +++ b/CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch @@ -0,0 +1,38 @@ +From 94d23fcff9b2a7a8368dfe52214d5c2569882c11 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 19 Aug 2021 12:24:17 +0100 +Subject: [PATCH] Fix EC_GROUP_new_from_ecparameters to check the base length + +Check that there's at least one byte in params->base before trying to +read it. + +CVE-2021-3712 + +Reviewed-by: Viktor Dukhovni +Reviewed-by: Paul Dale + +Reference: https://github.com/openssl/openssl/commit/94d23fcff9b2a7a8368dfe52214d5c2569882c11 +Conflict: NA +--- + crypto/ec/ec_asn1.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c +index 7b7c75ce84..e497a25909 100644 +--- a/crypto/ec/ec_asn1.c ++++ b/crypto/ec/ec_asn1.c +@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) + ret->seed_len = params->curve->seed->length; + } + +- if (!params->order || !params->base || !params->base->data) { ++ if (params->order == NULL ++ || params->base == NULL ++ || params->base->data == NULL ++ || params->base->length == 0) { + ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR); + goto err; + } +-- +2.23.0 + diff --git a/openssl.spec b/openssl.spec index 6addfa7..b181676 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 10 +Release: 11 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay and GPLv2+ URL: https://www.openssl.org/ @@ -82,6 +82,11 @@ Patch71: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invali Patch72: CVE-2021-23840.patch Patch73: CVE-2021-23841.patch Patch74: CVE-2021-3449.patch +Patch75: CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch +Patch76: CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch +Patch77: CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch +Patch78: CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch +Patch79: CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -258,6 +263,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Mon Aug 30 2021 openEuler Buildteam - 1:1.1.1f-11 +- fix CVE-2021-3711 and CVE-2021-3712 + * Wed Apr 7 2021 openEuler Buildteam - 1:1.1.1f-10 - fix CVE-2021-3449 -- Gitee