Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/crypto/external/bsd/openssl/dist merge OpenSSL-1.1.1m and Op...



details:   https://anonhg.NetBSD.org/src/rev/e7ac568cd719
branches:  trunk
changeset: 363920:e7ac568cd719
user:      christos <christos%NetBSD.org@localhost>
date:      Tue Mar 15 20:51:12 2022 +0000

description:
merge OpenSSL-1.1.1m and OpenSSL-1.1.1n

diffstat:

 crypto/external/bsd/openssl/dist/CHANGES                                  |  37 ++++
 crypto/external/bsd/openssl/dist/Configure                                |  22 +-
 crypto/external/bsd/openssl/dist/NEWS                                     |   5 +
 crypto/external/bsd/openssl/dist/README                                   |   2 +-
 crypto/external/bsd/openssl/dist/apps/openssl.c                           |   6 +-
 crypto/external/bsd/openssl/dist/apps/s_client.c                          |  11 +
 crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c                     |   2 +-
 crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c                  |   5 +-
 crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c                     |   8 +-
 crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c                   |   8 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c                   |  13 +-
 crypto/external/bsd/openssl/dist/ssl/s3_lib.c                             |  14 +-
 crypto/external/bsd/openssl/dist/test/bntest.c                            |  58 +++++++-
 crypto/external/bsd/openssl/dist/test/evp_extra_test.c                    |  80 +++++++++-
 crypto/external/bsd/openssl/dist/test/recipes/30-test_evp_data/evpkdf.txt |   9 +-
 15 files changed, 232 insertions(+), 48 deletions(-)

diffs (truncated from 594 to 300 lines):

diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Tue Mar 15 20:51:12 2022 +0000
@@ -7,6 +7,43 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
+
+  *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+     for non-prime moduli.
+
+     Internally this function is used when parsing certificates that contain
+     elliptic curve public keys in compressed form or explicit elliptic curve
+     parameters with a base point encoded in compressed form.
+
+     It is possible to trigger the infinite loop by crafting a certificate that
+     has invalid explicit curve parameters.
+
+     Since certificate parsing happens prior to verification of the certificate
+     signature, any process that parses an externally supplied certificate may
+     thus be subject to a denial of service attack. The infinite loop can also
+     be reached when parsing crafted private keys as they can contain explicit
+     elliptic curve parameters.
+
+     Thus vulnerable situations include:
+
+      - TLS clients consuming server certificates
+      - TLS servers consuming client certificates
+      - Hosting providers taking certificates or private keys from customers
+      - Certificate authorities parsing certification requests from subscribers
+      - Anything else which parses ASN.1 elliptic curve parameters
+
+     Also any other applications that use the BN_mod_sqrt() where the attacker
+     can control the parameter values are vulnerable to this DoS issue.
+     (CVE-2022-0778)
+     [Tomáš Mráz]
+
+  *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
+     to the list of ciphersuites providing Perfect Forward Secrecy as
+     required by SECLEVEL >= 3.
+
+     [Dmitry Belyavskiy, Nicola Tuveri]
+
  Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
 
   *) Avoid loading of a dynamic engine twice.
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure        Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure        Tue Mar 15 20:51:12 2022 +0000
@@ -3161,25 +3161,25 @@
         }
     }
 
-    foreach (sort keys %all_keys) {
-        my $previous = $combined_inheritance{$_};
+    foreach my $key (sort keys %all_keys) {
+        my $previous = $combined_inheritance{$key};
 
         # Current target doesn't have a value for the current key?
         # Assign it the default combiner, the rest of this loop body
         # will handle it just like any other coderef.
-        if (!exists $table{$target}->{$_}) {
-            $table{$target}->{$_} = $default_combiner;
+        if (!exists $table{$target}->{$key}) {
+            $table{$target}->{$key} = $default_combiner;
         }
 
-        $table{$target}->{$_} = process_values($table{$target}->{$_},
-                                               $combined_inheritance{$_},
-                                               $target, $_);
-        unless(defined($table{$target}->{$_})) {
-            delete $table{$target}->{$_};
+        $table{$target}->{$key} = process_values($table{$target}->{$key},
+                                               $combined_inheritance{$key},
+                                               $target, $key);
+        unless(defined($table{$target}->{$key})) {
+            delete $table{$target}->{$key};
         }
 #        if ($extra_checks &&
-#            $previous && !($add_called ||  $previous ~~ $table{$target}->{$_})) {
-#            warn "$_ got replaced in $target\n";
+#            $previous && !($add_called ||  $previous ~~ $table{$target}->{$key})) {
+#            warn "$key got replaced in $target\n";
 #        }
     }
 
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS     Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS     Tue Mar 15 20:51:12 2022 +0000
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
+
+      o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
+        forever for non-prime moduli ([CVE-2022-0778])
+
   Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
 
       o None
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README   Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/README   Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1m 14 Dec 2021
+ OpenSSL 1.1.1n 15 Mar 2022
 
  Copyright (c) 1998-2021 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/apps/openssl.c
--- a/crypto/external/bsd/openssl/dist/apps/openssl.c   Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/openssl.c   Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -120,7 +120,6 @@
 {
     FUNCTION f, *fp;
     LHASH_OF(FUNCTION) *prog = NULL;
-    char **copied_argv = NULL;
     char *p, *pname;
     char buf[1024];
     const char *prompt;
@@ -137,7 +136,7 @@
     bio_err = dup_bio_err(FORMAT_TEXT);
 
 #if defined(OPENSSL_SYS_VMS) && defined(__DECC)
-    copied_argv = argv = copy_argv(&argc, argv);
+    argv = copy_argv(&argc, argv);
 #elif defined(_WIN32)
     /*
      * Replace argv[] with UTF-8 encoded strings.
@@ -258,7 +257,6 @@
     }
     ret = 1;
  end:
-    OPENSSL_free(copied_argv);
     OPENSSL_free(default_config_file);
     lh_FUNCTION_free(prog);
     OPENSSL_free(arg.argv);
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/apps/s_client.c
--- a/crypto/external/bsd/openssl/dist/apps/s_client.c  Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/s_client.c  Tue Mar 15 20:51:12 2022 +0000
@@ -938,6 +938,7 @@
     struct timeval tv;
 #endif
     const char *servername = NULL;
+    char *sname_alloc = NULL;
     int noservername = 0;
     const char *alpn_in = NULL;
     tlsextctx tlsextcbp = { NULL, 0 };
@@ -1588,6 +1589,15 @@
                        "%s: -proxy argument malformed or ambiguous\n", prog);
             goto end;
         }
+        if (servername == NULL && !noservername) {
+            res = BIO_parse_hostserv(connectstr, &sname_alloc, NULL, BIO_PARSE_PRIO_HOST);
+            if (!res) {
+                BIO_printf(bio_err,
+                        "%s: -connect argument malformed or ambiguous\n", prog);
+                goto end;
+            }
+            servername = sname_alloc;
+        }
     } else {
         int res = 1;
         char *tmp_host = host, *tmp_port = port;
@@ -3159,6 +3169,7 @@
 #ifndef OPENSSL_NO_SRP
     OPENSSL_free(srp_arg.srppassin);
 #endif
+    OPENSSL_free(sname_alloc);
     OPENSSL_free(connectstr);
     OPENSSL_free(bindstr);
     OPENSSL_free(bindhost);
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c
--- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c     Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c     Tue Mar 15 20:51:12 2022 +0000
@@ -142,7 +142,7 @@
         continue;
 
     if (i == 0 || i > INT_MAX / 4)
-        goto err;
+        return 0;
 
     num = i + neg;
     if (bn == NULL)
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c
--- a/crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c  Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c  Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -12,9 +12,6 @@
 
 void ENGINE_load_builtin_engines(void)
 {
-    /* Some ENGINEs need this */
-    OPENSSL_cpuid_setup();
-
     OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
 }
 
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c
--- a/crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c     Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c     Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -343,7 +343,8 @@
         v = n | (*c);
         n += 0x100;
         r = (int)((v >> 2) ^ v) & 0x0f;
-        ret = (ret << r) | (ret >> (32 - r));
+        /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+        ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
         ret &= 0xFFFFFFFFL;
         ret ^= v * v;
         c++;
@@ -364,7 +365,8 @@
     for (n = 0x100; *c != '\0'; n += 0x100) {
         v = n | ossl_tolower(*c);
         r = (int)((v >> 2) ^ v) & 0x0f;
-        ret = (ret << r) | (ret >> (32 - r));
+        /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+        ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
         ret &= 0xFFFFFFFFL;
         ret ^= v * v;
         c++;
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c
--- a/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c   Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c   Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -572,6 +572,8 @@
 
 static int close_console(UI *ui)
 {
+    int ret = 1;
+
     if (tty_in != stdin)
         fclose(tty_in);
     if (tty_out != stderr)
@@ -584,12 +586,12 @@
         BIO_snprintf(tmp_num, sizeof(tmp_num) - 1, "%%X%08X", status);
         UIerr(UI_F_CLOSE_CONSOLE, UI_R_SYSDASSGN_ERROR);
         ERR_add_error_data(2, "status=", tmp_num);
-        return 0;
+        ret = 0;
     }
 # endif
     CRYPTO_THREAD_unlock(ui->lock);
 
-    return 1;
+    return ret;
 }
 
 # if !defined(OPENSSL_SYS_WINCE)
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c
--- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c   Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c   Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -2201,6 +2201,12 @@
     /* If purpose not set use default */
     if (!purpose)
         purpose = def_purpose;
+    /*
+     * If purpose is set but we don't have a default then set the default to
+     * the current purpose
+     */
+    else if (def_purpose == 0)
+        def_purpose = purpose;
     /* If we have a purpose then check it is valid */
     if (purpose) {


Home | Main Index | Thread Index | Old Index