Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist merge OpenSSL-1.1.1m and Op...
details: https://anonhg.NetBSD.org/src/rev/e7ac568cd719
branches: trunk
changeset: 363920:e7ac568cd719
user: christos <christos%NetBSD.org@localhost>
date: Tue Mar 15 20:51:12 2022 +0000
description:
merge OpenSSL-1.1.1m and OpenSSL-1.1.1n
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 37 ++++
crypto/external/bsd/openssl/dist/Configure | 22 +-
crypto/external/bsd/openssl/dist/NEWS | 5 +
crypto/external/bsd/openssl/dist/README | 2 +-
crypto/external/bsd/openssl/dist/apps/openssl.c | 6 +-
crypto/external/bsd/openssl/dist/apps/s_client.c | 11 +
crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c | 5 +-
crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c | 13 +-
crypto/external/bsd/openssl/dist/ssl/s3_lib.c | 14 +-
crypto/external/bsd/openssl/dist/test/bntest.c | 58 +++++++-
crypto/external/bsd/openssl/dist/test/evp_extra_test.c | 80 +++++++++-
crypto/external/bsd/openssl/dist/test/recipes/30-test_evp_data/evpkdf.txt | 9 +-
15 files changed, 232 insertions(+), 48 deletions(-)
diffs (truncated from 594 to 300 lines):
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Tue Mar 15 20:51:12 2022 +0000
@@ -7,6 +7,43 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
+
+ *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+ for non-prime moduli.
+
+ Internally this function is used when parsing certificates that contain
+ elliptic curve public keys in compressed form or explicit elliptic curve
+ parameters with a base point encoded in compressed form.
+
+ It is possible to trigger the infinite loop by crafting a certificate that
+ has invalid explicit curve parameters.
+
+ Since certificate parsing happens prior to verification of the certificate
+ signature, any process that parses an externally supplied certificate may
+ thus be subject to a denial of service attack. The infinite loop can also
+ be reached when parsing crafted private keys as they can contain explicit
+ elliptic curve parameters.
+
+ Thus vulnerable situations include:
+
+ - TLS clients consuming server certificates
+ - TLS servers consuming client certificates
+ - Hosting providers taking certificates or private keys from customers
+ - Certificate authorities parsing certification requests from subscribers
+ - Anything else which parses ASN.1 elliptic curve parameters
+
+ Also any other applications that use the BN_mod_sqrt() where the attacker
+ can control the parameter values are vulnerable to this DoS issue.
+ (CVE-2022-0778)
+ [Tomáš Mráz]
+
+ *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
+ to the list of ciphersuites providing Perfect Forward Secrecy as
+ required by SECLEVEL >= 3.
+
+ [Dmitry Belyavskiy, Nicola Tuveri]
+
Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
*) Avoid loading of a dynamic engine twice.
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure Tue Mar 15 20:51:12 2022 +0000
@@ -3161,25 +3161,25 @@
}
}
- foreach (sort keys %all_keys) {
- my $previous = $combined_inheritance{$_};
+ foreach my $key (sort keys %all_keys) {
+ my $previous = $combined_inheritance{$key};
# Current target doesn't have a value for the current key?
# Assign it the default combiner, the rest of this loop body
# will handle it just like any other coderef.
- if (!exists $table{$target}->{$_}) {
- $table{$target}->{$_} = $default_combiner;
+ if (!exists $table{$target}->{$key}) {
+ $table{$target}->{$key} = $default_combiner;
}
- $table{$target}->{$_} = process_values($table{$target}->{$_},
- $combined_inheritance{$_},
- $target, $_);
- unless(defined($table{$target}->{$_})) {
- delete $table{$target}->{$_};
+ $table{$target}->{$key} = process_values($table{$target}->{$key},
+ $combined_inheritance{$key},
+ $target, $key);
+ unless(defined($table{$target}->{$key})) {
+ delete $table{$target}->{$key};
}
# if ($extra_checks &&
-# $previous && !($add_called || $previous ~~ $table{$target}->{$_})) {
-# warn "$_ got replaced in $target\n";
+# $previous && !($add_called || $previous ~~ $table{$target}->{$key})) {
+# warn "$key got replaced in $target\n";
# }
}
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Tue Mar 15 20:51:12 2022 +0000
@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
+
+ o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
+ forever for non-prime moduli ([CVE-2022-0778])
+
Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
o None
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/README Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1m 14 Dec 2021
+ OpenSSL 1.1.1n 15 Mar 2022
Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/apps/openssl.c
--- a/crypto/external/bsd/openssl/dist/apps/openssl.c Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/openssl.c Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -120,7 +120,6 @@
{
FUNCTION f, *fp;
LHASH_OF(FUNCTION) *prog = NULL;
- char **copied_argv = NULL;
char *p, *pname;
char buf[1024];
const char *prompt;
@@ -137,7 +136,7 @@
bio_err = dup_bio_err(FORMAT_TEXT);
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
- copied_argv = argv = copy_argv(&argc, argv);
+ argv = copy_argv(&argc, argv);
#elif defined(_WIN32)
/*
* Replace argv[] with UTF-8 encoded strings.
@@ -258,7 +257,6 @@
}
ret = 1;
end:
- OPENSSL_free(copied_argv);
OPENSSL_free(default_config_file);
lh_FUNCTION_free(prog);
OPENSSL_free(arg.argv);
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/apps/s_client.c
--- a/crypto/external/bsd/openssl/dist/apps/s_client.c Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/s_client.c Tue Mar 15 20:51:12 2022 +0000
@@ -938,6 +938,7 @@
struct timeval tv;
#endif
const char *servername = NULL;
+ char *sname_alloc = NULL;
int noservername = 0;
const char *alpn_in = NULL;
tlsextctx tlsextcbp = { NULL, 0 };
@@ -1588,6 +1589,15 @@
"%s: -proxy argument malformed or ambiguous\n", prog);
goto end;
}
+ if (servername == NULL && !noservername) {
+ res = BIO_parse_hostserv(connectstr, &sname_alloc, NULL, BIO_PARSE_PRIO_HOST);
+ if (!res) {
+ BIO_printf(bio_err,
+ "%s: -connect argument malformed or ambiguous\n", prog);
+ goto end;
+ }
+ servername = sname_alloc;
+ }
} else {
int res = 1;
char *tmp_host = host, *tmp_port = port;
@@ -3159,6 +3169,7 @@
#ifndef OPENSSL_NO_SRP
OPENSSL_free(srp_arg.srppassin);
#endif
+ OPENSSL_free(sname_alloc);
OPENSSL_free(connectstr);
OPENSSL_free(bindstr);
OPENSSL_free(bindhost);
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c
--- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c Tue Mar 15 20:51:12 2022 +0000
@@ -142,7 +142,7 @@
continue;
if (i == 0 || i > INT_MAX / 4)
- goto err;
+ return 0;
num = i + neg;
if (bn == NULL)
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c
--- a/crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -12,9 +12,6 @@
void ENGINE_load_builtin_engines(void)
{
- /* Some ENGINEs need this */
- OPENSSL_cpuid_setup();
-
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
}
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c
--- a/crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -343,7 +343,8 @@
v = n | (*c);
n += 0x100;
r = (int)((v >> 2) ^ v) & 0x0f;
- ret = (ret << r) | (ret >> (32 - r));
+ /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+ ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
ret &= 0xFFFFFFFFL;
ret ^= v * v;
c++;
@@ -364,7 +365,8 @@
for (n = 0x100; *c != '\0'; n += 0x100) {
v = n | ossl_tolower(*c);
r = (int)((v >> 2) ^ v) & 0x0f;
- ret = (ret << r) | (ret >> (32 - r));
+ /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+ ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
ret &= 0xFFFFFFFFL;
ret ^= v * v;
c++;
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c
--- a/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -572,6 +572,8 @@
static int close_console(UI *ui)
{
+ int ret = 1;
+
if (tty_in != stdin)
fclose(tty_in);
if (tty_out != stderr)
@@ -584,12 +586,12 @@
BIO_snprintf(tmp_num, sizeof(tmp_num) - 1, "%%X%08X", status);
UIerr(UI_F_CLOSE_CONSOLE, UI_R_SYSDASSGN_ERROR);
ERR_add_error_data(2, "status=", tmp_num);
- return 0;
+ ret = 0;
}
# endif
CRYPTO_THREAD_unlock(ui->lock);
- return 1;
+ return ret;
}
# if !defined(OPENSSL_SYS_WINCE)
diff -r 464dade28043 -r e7ac568cd719 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c
--- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c Tue Mar 15 20:47:08 2022 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c Tue Mar 15 20:51:12 2022 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -2201,6 +2201,12 @@
/* If purpose not set use default */
if (!purpose)
purpose = def_purpose;
+ /*
+ * If purpose is set but we don't have a default then set the default to
+ * the current purpose
+ */
+ else if (def_purpose == 0)
+ def_purpose = purpose;
/* If we have a purpose then check it is valid */
if (purpose) {
Home |
Main Index |
Thread Index |
Old Index