packages/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!29 backport some bugfix patches from OpenSSL community and reset the release

Browse Source 
From: @mkitgrt
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2021-02-09 20:33:06 +08:00 committed by Gitee
commit 401b676e0c
63 changed files with 4453 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
AES-CTR-DRGB-do-not-leak-timing-information.patch Normal file
View File

@ -0,0 +1,52 @@
From 9cc834d966ea5afc38fb829bfe498aed4c5d498d Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Sat, 22 Feb 2020 01:20:09 +0100
Subject: [PATCH 013/217] AES CTR-DRGB: do not leak timing information
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11147)
(cherry picked from commit 069165d10646a22000c596095cc04d43bbf1f807)
---
crypto/rand/drbg_ctr.c | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c
index 93b82f3..f41484e 100644
--- a/crypto/rand/drbg_ctr.c
+++ b/crypto/rand/drbg_ctr.c
@@ -21,19 +21,15 @@
static void inc_128(RAND_DRBG_CTR *ctr)
{
- int i;
- unsigned char c;
- unsigned char *p = &ctr->V[15];
-
- for (i = 0; i < 16; i++, p--) {
- c = *p;
- c++;
- *p = c;
- if (c != 0) {
- /* If we didn't wrap around, we're done. */
- break;
- }
- }
+ unsigned char *p = &ctr->V[0];
+ u32 n = 16, c = 1;
+
+ do {
+ --n;
+ c += p[n];
+ p[n] = (u8)c;
+ c >>= 8;
+ } while (n);
}
static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
--
1.8.3.1

104
Add-an-SSL_dup-test.patch Normal file
View File

@ -0,0 +1,104 @@
From 45f02e9095f30abefc799b34a612140a47aa9e27 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 16 Jun 2020 17:19:40 +0100
Subject: [PATCH 035/147] Add an SSL_dup test
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
---
test/sslapitest.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 62d22e8..5220722 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -6578,6 +6578,75 @@ static int test_servername(int tst)
return testresult;
}
+#ifndef OPENSSL_NO_TLS1_2
+static int test_ssl_dup(void)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
+ int testresult = 0;
+ BIO *rbio = NULL, *wbio = NULL;
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ 0,
+ 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
+ || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
+ goto end;
+
+ client2ssl = SSL_dup(clientssl);
+ rbio = SSL_get_rbio(clientssl);
+ if (!TEST_ptr(rbio)
+ || !TEST_true(BIO_up_ref(rbio)))
+ goto end;
+ SSL_set0_rbio(client2ssl, rbio);
+ rbio = NULL;
+
+ wbio = SSL_get_wbio(clientssl);
+ if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
+ goto end;
+ SSL_set0_wbio(client2ssl, wbio);
+ rbio = NULL;
+
+ if (!TEST_ptr(client2ssl)
+ /* Handshake not started so pointers should be different */
+ || !TEST_ptr_ne(clientssl, client2ssl))
+ goto end;
+
+ if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
+ || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_free(clientssl);
+ clientssl = SSL_dup(client2ssl);
+ if (!TEST_ptr(clientssl)
+ /* Handshake has finished so pointers should be the same */
+ || !TEST_ptr_eq(clientssl, client2ssl))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_free(client2ssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+#endif
+
int setup_tests(void)
{
if (!TEST_ptr(certsdir = test_get_argument(0))
@@ -6698,6 +6767,9 @@ int setup_tests(void)
ADD_ALL_TESTS(test_client_cert_cb, 2);
ADD_ALL_TESTS(test_ca_names, 3);
ADD_ALL_TESTS(test_servername, 10);
+#ifndef OPENSSL_NO_TLS1_2
+ ADD_TEST(test_ssl_dup);
+#endif
return 1;
}
--
1.8.3.1

118
Add-test-for-CVE-2020-1967.patch Normal file
View File

@ -0,0 +1,118 @@
From 64eef86733fd40a5b7737dc586754c3fa3414b0c Mon Sep 17 00:00:00 2001
From: Benjamin Kaduk <kaduk@mit.edu>
Date: Fri, 10 Apr 2020 12:27:28 -0700
Subject: [PATCH 025/217] Add test for CVE-2020-1967
Add to test_sslsigalgs a TLSProxy test that injects a
"signature_algorithms_cert" extension that contains an unallocated
codepoint.
The test currently fails, since s_server segfaults instead of
ignoring the unrecognized value.
Since "signature_algorithms" and "signature_algorithms_cert" are very
similar, also add the analogous test for "signature_algorithms".
Reviewed-by: Matt Caswell <matt@openssl.org>
---
test/recipes/70-test_sslsigalgs.t | 66 +++++++++++++++++++++++++++++++++++++--
1 file changed, 64 insertions(+), 2 deletions(-)
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index b3339ff..9ea9d05 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -44,7 +44,9 @@ use constant {
COMPAT_SIGALGS => 6,
SIGALGS_CERT_ALL => 7,
SIGALGS_CERT_PKCS => 8,
- SIGALGS_CERT_INVALID => 9
+ SIGALGS_CERT_INVALID => 9,
+ UNRECOGNIZED_SIGALGS_CERT => 10,
+ UNRECOGNIZED_SIGALG => 11
};
#Note: Throughout this test we override the default ciphersuites where TLSv1.2
@@ -53,7 +55,7 @@ use constant {
#Test 1: Default sig algs should succeed
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 24;
+plan tests => 26;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;
@@ -282,6 +284,39 @@ SKIP: {
ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
}
+SKIP: {
+ skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
+ #Test 25: Send an unrecognized signature_algorithms_cert
+ # We should be able to skip over the unrecognized value and use a
+ # valid one that appears later in the list.
+ $proxy->clear();
+ $proxy->filter(\&inject_unrecognized_sigalg);
+ $proxy->clientflags("-tls1_3");
+ # Use -xcert to get SSL_check_chain() to run in the cert_cb. This is
+ # needed to trigger (e.g.) CVE-2020-1967
+ $proxy->serverflags("" .
+ " -xcert " . srctop_file("test", "certs", "servercert.pem") .
+ " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
+ " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
+ $testtype = UNRECOGNIZED_SIGALGS_CERT;
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello");
+
+ #Test 26: Send an unrecognized signature_algorithms
+ # We should be able to skip over the unrecognized value and use a
+ # valid one that appears later in the list.
+ $proxy->clear();
+ $proxy->filter(\&inject_unrecognized_sigalg);
+ $proxy->clientflags("-tls1_3");
+ $proxy->serverflags("" .
+ " -xcert " . srctop_file("test", "certs", "servercert.pem") .
+ " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
+ " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
+ $testtype = UNRECOGNIZED_SIGALG;
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
+}
+
sub sigalgs_filter
@@ -427,3 +462,30 @@ sub modify_cert_verify_sigalg
}
}
}
+
+sub inject_unrecognized_sigalg
+{
+ my $proxy = shift;
+ my $type;
+
+ # We're only interested in the initial ClientHello
+ if ($proxy->flight != 0) {
+ return;
+ }
+ if ($testtype == UNRECOGNIZED_SIGALGS_CERT) {
+ $type = TLSProxy::Message::EXT_SIG_ALGS_CERT;
+ } elsif ($testtype == UNRECOGNIZED_SIGALG) {
+ $type = TLSProxy::Message::EXT_SIG_ALGS;
+ } else {
+ return;
+ }
+
+ my $ext = pack "C8",
+ 0x00, 0x06, #Extension length
+ 0xfe, 0x18, #private use
+ 0x04, 0x01, #rsa_pkcs1_sha256
+ 0x08, 0x04; #rsa_pss_rsae_sha256;
+ my $message = ${$proxy->message_list}[0];
+ $message->set_extension($type, $ext);
+ $message->repack;
+}
--
1.8.3.1

44
Allow-NULL-arg-to-OSSL_STORE_close.patch Normal file
View File

@ -0,0 +1,44 @@
From 767b86ee52227b1c8e5c783b9c3850fa65338058 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Fri, 22 May 2020 14:56:06 +0200
Subject: [PATCH 066/217] Allow NULL arg to OSSL_STORE_close()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11912)
---
crypto/store/store_lib.c | 6 +++++-
doc/man3/OSSL_STORE_open.pod | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index fb8184d..637466c 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -218,7 +218,11 @@ int OSSL_STORE_eof(OSSL_STORE_CTX *ctx)
int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
{
- int loader_ret = ctx->loader->close(ctx->loader_ctx);
+ int loader_ret;
+
+ if (ctx == NULL)
+ return 1;
+ loader_ret = ctx->loader->close(ctx->loader_ctx);
OPENSSL_free(ctx);
return loader_ret;
diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod
index 1e8ebf7..309390e 100644
--- a/doc/man3/OSSL_STORE_open.pod
+++ b/doc/man3/OSSL_STORE_open.pod
@@ -94,6 +94,7 @@ OSSL_STORE_eof() shows that the end of data has been reached.
OSSL_STORE_close() takes a B<OSSL_STORE_CTX>, closes the channel that was opened
by OSSL_STORE_open() and frees all other information that was stored in the
B<OSSL_STORE_CTX>, as well as the B<OSSL_STORE_CTX> itself.
+If B<ctx> is NULL it does nothing.
=head1 SUPPORTED SCHEMES
--
1.8.3.1

219
Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch Normal file
View File

@ -0,0 +1,219 @@
From c6c9f886ae118fffb0591ea0b5c3e4770b176552 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Thu, 16 Jul 2020 23:30:43 -0200
Subject: [PATCH 054/147] Avoid errors with a priori inapplicable protocol
bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
Expected to resolve #12394
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #12507
---
doc/man3/SSL_CONF_cmd.pod | 29 ++++++++++++++++++++---------
doc/man5/config.pod | 15 +++++++++------
ssl/ssl_conf.c | 7 +++++++
ssl/statem/statem_lib.c | 34 +++++++++++++++++++---------------
4 files changed, 55 insertions(+), 30 deletions(-)
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 7f2449e..c5fed8e 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -147,13 +147,16 @@ B<SSL_OP_NO_RENEGOTIATION>.
=item B<-min_protocol>, B<-max_protocol>
Sets the minimum and maximum supported protocol.
-Currently supported protocol values are B<SSLv3>, B<TLSv1>,
-B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3> for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS,
-and B<None> for no limit.
-If either bound is not specified then only the other bound applies,
-if specified.
-To restrict the supported protocol versions use these commands rather
-than the deprecated alternative commands below.
+Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
+B<TLSv1.2>, B<TLSv1.3> for TLS; B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None>
+for no limit.
+If either the lower or upper bound is not specified then only the other bound
+applies, if specified.
+If your application supports both TLS and DTLS you can specify any of these
+options twice, once with a bound for TLS and again with an appropriate bound
+for DTLS.
+To restrict the supported protocol versions use these commands rather than the
+deprecated alternative commands below.
=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
@@ -370,7 +373,11 @@ This sets the minimum supported SSL, TLS or DTLS version.
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
-The value B<None> will disable the limit.
+The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
+apply only to DTLS-based contexts.
+The command can be repeated with one instance setting a TLS bound, and the
+other setting a DTLS bound.
+The value B<None> applies to both types of contexts and disables the limits.
=item B<MaxProtocol>
@@ -378,7 +385,11 @@ This sets the maximum supported SSL, TLS or DTLS version.
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
-The value B<None> will disable the limit.
+The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
+apply only to DTLS-based contexts.
+The command can be repeated with one instance setting a TLS bound, and the
+other setting a DTLS bound.
+The value B<None> applies to both types of contexts and disables the limits.
=item B<Protocol>
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 7b50b09..7a0459d 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -262,13 +262,11 @@ Example of a configuration with the system default:
ssl_conf = ssl_sect
[ssl_sect]
-
system_default = system_default_sect
[system_default_sect]
-
MinProtocol = TLSv1.2
-
+ MinProtocol = DTLSv1.2
=head1 NOTES
@@ -355,8 +353,8 @@ Simple OpenSSL library configuration example to enter FIPS mode:
Note: in the above example you will get an error in non FIPS capable versions
of OpenSSL.
-Simple OpenSSL library configuration to make TLS 1.3 the system-default
-minimum TLS version:
+Simple OpenSSL library configuration to make TLS 1.2 and DTLS 1.2 the
+system-default minimum TLS and DTLS versions, respectively:
# Toplevel section for openssl (including libssl)
openssl_conf = default_conf_section
@@ -369,7 +367,12 @@ minimum TLS version:
system_default = system_default_section
[system_default_section]
- MinProtocol = TLSv1.3
+ MinProtocol = TLSv1.2
+ MinProtocol = DTLSv1.2
+
+The minimum TLS protocol is applied to B<SSL_CTX> objects that are TLS-based,
+and the minimum DTLS protocol to those are DTLS-based.
+The same applies also to maximum versions set with B<MaxProtocol>.
More complex OpenSSL library configuration. Add OID and don't enter FIPS mode:
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 8ef29bb..3890d16 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -305,6 +305,13 @@ static int protocol_from_string(const char *value)
const char *name;
int version;
};
+ /*
+ * Note: To avoid breaking previously valid configurations, we must retain
+ * legacy entries in this table even if the underlying protocol is no
+ * longer supported. This also means that the constants SSL3_VERSION, ...
+ * need to be retained indefinitely. This table can only grow, never
+ * shrink.
+ */
static const struct protocol_versions versions[] = {
{"None", 0},
{"SSLv3", SSL3_VERSION},
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 43d6fd5..0c5ba28 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1656,11 +1656,22 @@ int ssl_check_version_downgrade(SSL *s)
*/
int ssl_set_version_bound(int method_version, int version, int *bound)
{
+ int valid_tls;
+ int valid_dtls;
+
if (version == 0) {
*bound = version;
return 1;
}
+ valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
+ valid_dtls =
+ DTLS_VERSION_LE(version, DTLS_MAX_VERSION) &&
+ DTLS_VERSION_GE(version, DTLS1_BAD_VER);
+
+ if (!valid_tls && !valid_dtls)
+ return 0;
+
/*-
* Restrict TLS methods to TLS protocol versions.
* Restrict DTLS methods to DTLS protocol versions.
@@ -1671,31 +1682,24 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
* configurations. If the MIN (supported) version ever rises, the user's
* "floor" remains valid even if no longer available. We don't expect the
* MAX ceiling to ever get lower, so making that variable makes sense.
+ *
+ * We ignore attempts to set bounds on version-inflexible methods,
+ * returning success.
*/
switch (method_version) {
default:
- /*
- * XXX For fixed version methods, should we always fail and not set any
- * bounds, always succeed and not set any bounds, or set the bounds and
- * arrange to fail later if they are not met? At present fixed-version
- * methods are not subject to controls that disable individual protocol
- * versions.
- */
- return 0;
+ break;
case TLS_ANY_VERSION:
- if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
- return 0;
+ if (valid_tls)
+ *bound = version;
break;
case DTLS_ANY_VERSION:
- if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
- DTLS_VERSION_LT(version, DTLS1_BAD_VER))
- return 0;
+ if (valid_dtls)
+ *bound = version;
break;
}
-
- *bound = version;
return 1;
}
--
1.8.3.1

38
Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch Normal file
View File

@ -0,0 +1,38 @@
From 7455f247e6f9d621fa79ae3af1588df23078fb11 Mon Sep 17 00:00:00 2001
From: Benny Baumann <BenBE@geshi.org>
Date: Fri, 2 Oct 2020 01:06:12 +0200
Subject: [PATCH 079/147] Avoid memory leak of parent on allocation failure for
child structure
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13055)
(cherry picked from commit a21db568bf3d0ab4194fd3e0917ee982f1fc8bfd)
---
apps/cms.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/apps/cms.c b/apps/cms.c
index 15edd67..60691f1 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -545,9 +545,11 @@ int cms_main(int argc, char **argv)
if (key_param == NULL || key_param->idx != keyidx) {
cms_key_param *nparam;
nparam = app_malloc(sizeof(*nparam), "key param buffer");
- nparam->idx = keyidx;
- if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL)
+ if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
+ OPENSSL_free(nparam);
goto end;
+ }
+ nparam->idx = keyidx;
nparam->next = NULL;
if (key_first == NULL)
key_first = nparam;
--
1.8.3.1

29
Avoid-potential-doublefree-on-dh-object-assigned-to-.patch Normal file
View File

@ -0,0 +1,29 @@
From 7b324bb09f6313b370954fde8f2034a6055d8c2f Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 20 Oct 2020 14:16:30 +0200
Subject: [PATCH 085/147] Avoid potential doublefree on dh object assigned to
EVP_PKEY
Fixes regression from 7844f3c784bfc93c9b94ae5a4082f9d01e82e0af
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13194)
---
ssl/statem/statem_clnt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 3bf8aac..fd3b79c 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2150,6 +2150,7 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
ERR_R_EVP_LIB);
goto err;
}
+ dh = NULL;
if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp),
0, peer_tmp)) {
--
1.8.3.1

33
Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch Normal file
View File

@ -0,0 +1,33 @@
From 5156ecbe691c964ae528c74f94d5b515aeb25542 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 19 May 2020 10:51:53 +0200
Subject: [PATCH 060/217] Avoid potential overflow to the sign bit when
shifting left 24 places
Although there are platforms where int is 64 bit, 2GiB large BIGNUMs
instead of 4GiB should be "big enough for everybody".
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11857)
(cherry picked from commit 1d05eb55caa8965a151360c2469c463ecd990987)
---
crypto/bn/bn_mpi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/bn/bn_mpi.c b/crypto/bn/bn_mpi.c
index bdbe822..b6e35a8 100644
--- a/crypto/bn/bn_mpi.c
+++ b/crypto/bn/bn_mpi.c
@@ -45,7 +45,7 @@ BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *ain)
int neg = 0;
BIGNUM *a = NULL;
- if (n < 4) {
+ if (n < 4 || (d[0] & 0x80) != 0) {
BNerr(BN_F_BN_MPI2BN, BN_R_INVALID_LENGTH);
return NULL;
}
--
1.8.3.1

33
Avoid-segfault-in-SSL_export_keying_material-if-ther.patch Normal file
View File

@ -0,0 +1,33 @@
From 925a9d0a8168bfd0b532bc6600ba3e7ab47a7592 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 6 Aug 2020 11:20:43 +0200
Subject: [PATCH 060/147] Avoid segfault in SSL_export_keying_material if there
is no session
Fixes #12588
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12594)
(cherry picked from commit dffeec1c10a874d7c7b83c221dbbce82f755edb1)
---
ssl/ssl_lib.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 433a537..b1df374 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2897,7 +2897,8 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
const unsigned char *context, size_t contextlen,
int use_context)
{
- if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
+ if (s->session == NULL
+ || (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER))
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
--
1.8.3.1

54
BIO_do_accept-correct-error-return-value.patch Normal file
View File

@ -0,0 +1,54 @@
From 5f62ff49a9fdc9079aa6e9aefaf2cee51d2f4455 Mon Sep 17 00:00:00 2001
From: scott <scott.morgan@hibiscus-plc.com>
Date: Thu, 9 Apr 2020 12:36:37 +0100
Subject: [PATCH 018/217] BIO_do_accept: correct error return value
`BIO_do_accept` was returning incorrect values when unable to bind to a port.
Fixes #7717
CLA: trivial
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11505)
(cherry picked from commit 0437435a960123be1ced766d18d715f939698345)
---
crypto/bio/bss_acpt.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c
index b38e47a..5a2cb50 100644
--- a/crypto/bio/bss_acpt.c
+++ b/crypto/bio/bss_acpt.c
@@ -222,10 +222,10 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c)
break;
case ACPT_S_CREATE_SOCKET:
- ret = BIO_socket(BIO_ADDRINFO_family(c->addr_iter),
- BIO_ADDRINFO_socktype(c->addr_iter),
- BIO_ADDRINFO_protocol(c->addr_iter), 0);
- if (ret == (int)INVALID_SOCKET) {
+ s = BIO_socket(BIO_ADDRINFO_family(c->addr_iter),
+ BIO_ADDRINFO_socktype(c->addr_iter),
+ BIO_ADDRINFO_protocol(c->addr_iter), 0);
+ if (s == (int)INVALID_SOCKET) {
SYSerr(SYS_F_SOCKET, get_last_socket_error());
ERR_add_error_data(4,
"hostname=", c->param_addr,
@@ -233,9 +233,10 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c)
BIOerr(BIO_F_ACPT_STATE, BIO_R_UNABLE_TO_CREATE_SOCKET);
goto exit_loop;
}
- c->accept_sock = ret;
- b->num = ret;
+ c->accept_sock = s;
+ b->num = s;
c->state = ACPT_S_LISTEN;
+ s = -1;
break;
case ACPT_S_LISTEN:
--
1.8.3.1

58
BN-harden-BN_copy-against-leaks-from-memory-accesses.patch Normal file
View File

@ -0,0 +1,58 @@
From 3655e35b78df095b367b3334b6515f6d9436fd95 Mon Sep 17 00:00:00 2001
From: Nicola Tuveri <nic.tuv@gmail.com>
Date: Tue, 21 Jan 2020 17:08:16 +0200
Subject: [PATCH 033/217] [BN] harden `BN_copy()` against leaks from memory
accesses
`BN_copy()` (and indirectly `BN_dup()`) do not propagate the
`BN_FLG_CONSTTIME` flag: the propagation has been turned on and off a
few times in the past years, because in some conditions it has shown
unintended consequences in some code paths.
Without turning the propagation on once more, we can still improve
`BN_copy()` by avoiding to leak `src->top` in case `src` is flagged with
`BN_FLG_CONSTTIME`.
In this case we can instead use `src->dmax` as the number of words
allocated for `dst` and for the `memcpy` operation.
Barring compiler or runtime optimizations, if the caller provides `src`
flagged as const time and preallocated to a public size, no leak should
happen due to the copy operation.
(cherry picked from commit 2d9167ed0b588dacbdd0303fb6041ffe1d8b3a92)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11127)
---
crypto/bn/bn_lib.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 86d4956..759d4c7 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -322,15 +322,19 @@ BIGNUM *BN_dup(const BIGNUM *a)
BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
{
+ int bn_words;
+
bn_check_top(b);
+ bn_words = BN_get_flags(b, BN_FLG_CONSTTIME) ? b->dmax : b->top;
+
if (a == b)
return a;
- if (bn_wexpand(a, b->top) == NULL)
+ if (bn_wexpand(a, bn_words) == NULL)
return NULL;
if (b->top > 0)
- memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
+ memcpy(a->d, b->d, sizeof(b->d[0]) * bn_words);
a->neg = b->neg;
a->top = b->top;
--
1.8.3.1

32
CMS_get0_signers-description.patch Normal file
View File

@ -0,0 +1,32 @@
From 4151e303a488c53613f7b8c6eae4372759d7fa35 Mon Sep 17 00:00:00 2001
From: olszomal <Malgorzata.Olszowka@stunnel.org>
Date: Fri, 12 Jun 2020 12:09:02 +0200
Subject: [PATCH 021/147] CMS_get0_signers() description
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12055)
(cherry picked from commit 9ac916c7529a21cd01d1b539362abf8402719e30)
---
doc/man3/CMS_verify.pod | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod
index be68868..b6650fd 100644
--- a/doc/man3/CMS_verify.pod
+++ b/doc/man3/CMS_verify.pod
@@ -24,7 +24,7 @@ present in B<cms>. The content is written to B<out> if it is not NULL.
B<flags> is an optional set of flags, which can be used to modify the verify
operation.
-CMS_get0_signers() retrieves the signing certificate(s) from B<cms>, it must
+CMS_get0_signers() retrieves the signing certificate(s) from B<cms>, it may only
be called after a successful CMS_verify() operation.
=head1 VERIFY PROCESS
--
1.8.3.1

42
Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch Normal file
View File

@ -0,0 +1,42 @@
From e11072908742e96a1067bb1b9609bfc27ab05835 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 19 May 2020 10:51:19 +0200
Subject: [PATCH 059/217] Cast the unsigned char to unsigned int before
shifting left
This is needed to avoid automatic promotion to signed int.
Fixes #11853
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11857)
(cherry picked from commit cbeb0bfa961412eebfbdf1e72900f05527e81e15)
---
crypto/pem/pvkfmt.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 46ed2ec..e6156df 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -29,10 +29,10 @@ static unsigned int read_ledword(const unsigned char **in)
{
const unsigned char *p = *in;
unsigned int ret;
- ret = *p++;
- ret |= (*p++ << 8);
- ret |= (*p++ << 16);
- ret |= (*p++ << 24);
+ ret = (unsigned int)*p++;
+ ret |= (unsigned int)*p++ << 8;
+ ret |= (unsigned int)*p++ << 16;
+ ret |= (unsigned int)*p++ << 24;
*in = p;
return ret;
}
--
1.8.3.1

46
Correct-alignment-calculation-in-ssl3_setup_write.patch Normal file
View File

@ -0,0 +1,46 @@
From df943912046aee2e5e541949dbdbafa38819f195 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 8 May 2020 11:12:10 +0100
Subject: [PATCH 050/217] Correct alignment calculation in ssl3_setup_write
The alignment calculation in ssl3_setup_write incorrectly results in an
alignment allowance of
(-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1) bytes. This equals 3
in almost all cases. The maximum alignment actually used in do_ssl3_write
is (SSL3_ALIGN_PAYLOAD - 1). This equals 7 bytes in almost all cases. So
there is a potential to overrun the buffer by up to 4 bytes.
Fortunately, the encryption overhead allowed for is 80 bytes which
consists of 16 bytes for the cipher block size and 64 bytes for the MAC
output. However the biggest MAC that we ever produce is HMAC-384 which is
48 bytes - so we have a headroom of 16 bytes (i.e. more than the 4 bytes
of potential overrun).
Thanks to Nagesh Hegde for reporting this.
Fixes #11766
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11768)
(cherry picked from commit d30ef639647ad263d09740c931a5bfb5a8b6a5f6)
---
ssl/record/ssl3_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c
index 605f8f9..56c0d78 100644
--- a/ssl/record/ssl3_buffer.c
+++ b/ssl/record/ssl3_buffer.c
@@ -94,7 +94,7 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len)
headerlen = SSL3_RT_HEADER_LENGTH;
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
- align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
+ align = SSL3_ALIGN_PAYLOAD - 1;
#endif
len = ssl_get_max_send_fragment(s)
--
1.8.3.1

50
Correctly-handle-the-return-value-from-EVP_Cipher-in.patch Normal file
View File

@ -0,0 +1,50 @@
From ce7bd71a428b0907958beb6dfa71681e751b33d1 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 27 May 2020 11:38:39 +0100
Subject: [PATCH 024/147] Correctly handle the return value from EVP_Cipher()
in the CMAC code
EVP_Cipher() is a very low level routine that directly calls the
underlying cipher function. It's return value semantics are very odd.
Depending on the type of cipher 0 or -1 is returned on error. We should
just check for <=0 for a failure.
Fixes #11957
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12107)
---
crypto/cmac/cmac.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c
index dbcc436..1a76486 100644
--- a/crypto/cmac/cmac.c
+++ b/crypto/cmac/cmac.c
@@ -135,7 +135,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv))
return 0;
bl = EVP_CIPHER_CTX_block_size(ctx->cctx);
- if (!EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl))
+ if (EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl) <= 0)
return 0;
make_kn(ctx->k1, ctx->tbl, bl);
make_kn(ctx->k2, ctx->k1, bl);
@@ -173,12 +173,12 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
return 1;
data += nleft;
/* Else not final block so encrypt it */
- if (!EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl))
+ if (EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl) <= 0)
return 0;
}
/* Encrypt all but one of the complete blocks left */
while (dlen > bl) {
- if (!EVP_Cipher(ctx->cctx, ctx->tbl, data, bl))
+ if (EVP_Cipher(ctx->cctx, ctx->tbl, data, bl) <= 0)
return 0;
dlen -= bl;
data += bl;
--
1.8.3.1

154
Coverity-Fixes.patch Normal file
View File

@ -0,0 +1,154 @@
From 309e73dfe067b3b774ef6f57bf665f41373a81ca Mon Sep 17 00:00:00 2001
From: Shane Lontis <shane.lontis@oracle.com>
Date: Mon, 7 Sep 2020 17:44:38 +1000
Subject: [PATCH 064/147] Coverity Fixes
x_algor.c: Explicit null dereferenced
cms_sd.c: Resource leak
ts_rsp_sign.c Resource Leak
extensions_srvr.c: Resourse Leak
v3_alt.c: Resourse Leak
pcy_data.c: Resource Leak
cms_lib.c: Resource Leak
drbg_lib.c: Unchecked return code
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12531)
---
crypto/cms/cms_lib.c | 3 ++-
crypto/cms/cms_sd.c | 4 +++-
crypto/rand/drbg_lib.c | 8 +++++---
crypto/ts/ts_rsp_sign.c | 2 ++
crypto/x509v3/pcy_data.c | 1 +
crypto/x509v3/v3_alt.c | 1 +
ssl/statem/extensions_srvr.c | 2 +-
7 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index 57afba4..cdd794e 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -92,12 +92,13 @@ BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont)
default:
CMSerr(CMS_F_CMS_DATAINIT, CMS_R_UNSUPPORTED_TYPE);
- return NULL;
+ goto err;
}
if (cmsbio)
return BIO_push(cmsbio, cont);
+err:
if (!icont)
BIO_free(cont);
return NULL;
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 29ba4c1..6030f07 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -897,8 +897,10 @@ int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs,
ASN1_INTEGER *key = NULL;
if (keysize > 0) {
key = ASN1_INTEGER_new();
- if (key == NULL || !ASN1_INTEGER_set(key, keysize))
+ if (key == NULL || !ASN1_INTEGER_set(key, keysize)) {
+ ASN1_INTEGER_free(key);
return 0;
+ }
}
alg = X509_ALGOR_new();
if (alg == NULL) {
diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c
index faf0590..73fd439 100644
--- a/crypto/rand/drbg_lib.c
+++ b/crypto/rand/drbg_lib.c
@@ -330,7 +330,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
if (drbg->reseed_next_counter) {
drbg->reseed_next_counter++;
- if(!drbg->reseed_next_counter)
+ if (!drbg->reseed_next_counter)
drbg->reseed_next_counter = 1;
}
@@ -432,7 +432,7 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
if (drbg->reseed_next_counter) {
drbg->reseed_next_counter++;
- if(!drbg->reseed_next_counter)
+ if (!drbg->reseed_next_counter)
drbg->reseed_next_counter = 1;
}
@@ -554,7 +554,9 @@ int rand_drbg_restart(RAND_DRBG *drbg,
drbg->meth->reseed(drbg, adin, adinlen, NULL, 0);
} else if (reseeded == 0) {
/* do a full reseeding if it has not been done yet above */
- RAND_DRBG_reseed(drbg, NULL, 0, 0);
+ if (!RAND_DRBG_reseed(drbg, NULL, 0, 0)) {
+ RANDerr(RAND_F_RAND_DRBG_RESTART, RAND_R_RESEED_ERROR);
+ }
}
}
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 041a187..342582f 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -57,12 +57,14 @@ static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data)
goto err;
if (!ASN1_INTEGER_set(serial, 1))
goto err;
+
return serial;
err:
TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE);
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
"Error during serial number generation.");
+ ASN1_INTEGER_free(serial);
return NULL;
}
diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c
index 0735059..62db3b4 100644
--- a/crypto/x509v3/pcy_data.c
+++ b/crypto/x509v3/pcy_data.c
@@ -52,6 +52,7 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
X509V3err(X509V3_F_POLICY_DATA_NEW, ERR_R_MALLOC_FAILURE);
+ ASN1_OBJECT_free(id);
return NULL;
}
ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 7ac2911..0bcee33 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -275,6 +275,7 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
num = sk_GENERAL_NAME_num(ialt);
if (!sk_GENERAL_NAME_reserve(gens, num)) {
X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
+ sk_GENERAL_NAME_free(ialt);
goto err;
}
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 3b07c6b..3c7395c 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1151,7 +1151,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (sesstmp == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
- return 0;
+ goto err;
}
SSL_SESSION_free(sess);
sess = sesstmp;
--
1.8.3.1

67
Do-not-allow-dropping-Extended-Master-Secret-extensi.patch Normal file
View File

@ -0,0 +1,67 @@
From 4b7097025305b219694dd8b04f84155cd12fb71d Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 4 Jun 2020 11:40:29 +0200
Subject: [PATCH 018/147] Do not allow dropping Extended Master Secret
extension on renegotiaton
Abort renegotiation if server receives client hello with Extended Master
Secret extension dropped in comparison to the initial session.
Fixes #9754
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12099)
---
include/openssl/ssl3.h | 3 +++
ssl/statem/extensions.c | 14 +++++++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 8d01fcc..407db0b 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -292,6 +292,9 @@ extern "C" {
# define TLS1_FLAGS_STATELESS 0x0800
+/* Set if extended master secret extension required on renegotiation */
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
+
# define SSL3_MT_HELLO_REQUEST 0
# define SSL3_MT_CLIENT_HELLO 1
# define SSL3_MT_SERVER_HELLO 2
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 4ef8b41..c785ab7 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int context)
static int init_ems(SSL *s, unsigned int context)
{
- if (!s->server)
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+ }
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
+ /*
+ * Check extended master secret extension is not dropped on
+ * renegotiation.
+ */
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+ SSL_R_INCONSISTENT_EXTMS);
+ return 0;
+ }
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with
--
1.8.3.1

59
Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch Normal file
View File

@ -0,0 +1,59 @@
From 4864a232ee7f901388532f65911866ca2478cfa9 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 16 Jun 2020 17:40:40 +0100
Subject: [PATCH 034/147] Don't attempt to duplicate the BIO state in SSL_dup
SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs
configured for it. This did not work.
Firstly the SSL_dup code was passing a BIO ** as the destination
argument for BIO_dup_state. However BIO_dup_state expects a BIO * for that
parameter. Any attempt to use this will either (1) fail silently, (2) crash
or fail in some other strange way.
Secondly many BIOs do not implement the BIO_CTRL_DUP ctrl required to make
this work.
Thirdly, if rbio == wbio in the original SSL object, then an attempt is made
to up-ref the BIO in the new SSL object - even though it hasn't been set
yet and is NULL. This results in a crash.
This appears to have been broken for a very long time with at least some of
the problems described above coming from SSLeay. The simplest approach is
to just remove this capability from the function.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
---
ssl/ssl_lib.c | 15 ---------------
1 files changed, 15 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 1d96eb4..f6a4964 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3841,21 +3841,6 @@ SSL *SSL_dup(SSL *s)
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
goto err;
- /* setup rbio, and wbio */
- if (s->rbio != NULL) {
- if (!BIO_dup_state(s->rbio, (char *)&ret->rbio))
- goto err;
- }
- if (s->wbio != NULL) {
- if (s->wbio != s->rbio) {
- if (!BIO_dup_state(s->wbio, (char *)&ret->wbio))
- goto err;
- } else {
- BIO_up_ref(ret->rbio);
- ret->wbio = ret->rbio;
- }
- }
-
ret->server = s->server;
if (s->handshake_func) {
if (s->server)
--
1.8.3.1

78
EC-Constify-internal-EC_KEY-pointer-usage.patch Normal file
View File

@ -0,0 +1,78 @@
From cd45a57aafddb908eb3a56e118b4c01899765d18 Mon Sep 17 00:00:00 2001
From: Nicola Tuveri <nic.tuv@gmail.com>
Date: Tue, 7 Jan 2020 01:19:13 +0200
Subject: [PATCH 031/217] [EC] Constify internal EC_KEY pointer usage
A pair of internal functions related to EC_KEY handling could benefit
from declaring `EC_KEY *` variables as `const`, providing clarity for
callers and readers of the code, in addition to enlisting the compiler
in preventing some mistakes.
(cherry picked from commit cd701de96a147260c2290d85af8a0656120a8ff8)
In master `id2_ECParameters` and most of the ASN1 public functions have
been properly constified in their signature.
Unfortunately this has been deemed not doable in a patch release for
1.1.1 as, in subtle ways, this would break API compatibility.
See the discussion at https://github.com/openssl/openssl/pull/9347 for
more details about this.
This constification commit should still be portable w.r.t. our criteria,
as the constification happens only on internal functions.
The fix here is to explicitly discard the const qualifier before the
call to `i2d_ECParameters`, which should be safe anyway because we can
expect `i2d_ECParameters()` to treat the first argument as if it was
const.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11127)
---
crypto/ec/ec_ameth.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 2210383..b7b82e5 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -23,7 +23,7 @@ static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
#endif
-static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
+static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key)
{
const EC_GROUP *group;
int nid;
@@ -43,7 +43,17 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
pstr = ASN1_STRING_new();
if (pstr == NULL)
return 0;
- pstr->length = i2d_ECParameters(ec_key, &pstr->data);
+
+ /*
+ * The cast in the following line is intentional as the
+ * `i2d_ECParameters` signature can't be constified (see discussion at
+ * https://github.com/openssl/openssl/pull/9347 where related and
+ * required constification backports were rejected).
+ *
+ * This cast should be safe anyway, because we can expect
+ * `i2d_ECParameters()` to treat the first argument as if it was const.
+ */
+ pstr->length = i2d_ECParameters((EC_KEY *)ec_key, &pstr->data);
if (pstr->length <= 0) {
ASN1_STRING_free(pstr);
ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB);
@@ -57,7 +67,7 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
- EC_KEY *ec_key = pkey->pkey.ec;
+ const EC_KEY *ec_key = pkey->pkey.ec;
void *pval = NULL;
int ptype;
unsigned char *penc = NULL, *p;
--
1.8.3.1

167
EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch Normal file
View File

@ -0,0 +1,167 @@
From 6a01f6f4b41d045e2a3abcb10163633d769db76a Mon Sep 17 00:00:00 2001
From: Nicola Tuveri <nic.tuv@gmail.com>
Date: Tue, 21 Jan 2020 17:00:41 +0200
Subject: [PATCH 032/217] [EC] harden EC_KEY against leaks from memory accesses
We should never leak the bit length of the secret scalar in the key,
so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
holding the secret scalar.
This is important also because `BN_dup()` (and `BN_copy()`) do not
propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and
this brings an extra risk of inadvertently losing the flag, even when
the called specifically set it.
The propagation has been turned on and off a few times in the past
years because in some conditions has shown unintended consequences in
some code paths, so at the moment we can't fix this in the BN layer.
In `EC_KEY_set_private_key()` we can work around the propagation by
manually setting the flag after `BN_dup()` as we know for sure that
inside the EC module the `BN_FLG_CONSTTIME` is always treated
correctly and should not generate unintended consequences.
Setting the `BN_FLG_CONSTTIME` flag alone is never enough, we also have
to preallocate the `BIGNUM` internal buffer to a fixed public size big
enough that operations performed during the processing never trigger
a realloc which would leak the size of the scalar through memory
accesses.
Fixed Length
------------
The order of the large prime subgroup of the curve is our choice for
a fixed public size, as that is generally the upper bound for
generating a private key in EC cryptosystems and should fit all valid
secret scalars.
For preallocating the `BIGNUM` storage we look at the number of "words"
required for the internal representation of the order, and we
preallocate 2 extra "words" in case any of the subsequent processing
might temporarily overflow the order length.
Future work
-----------
A separate commit addresses further hardening of `BN_copy()` (and
indirectly `BN_dup()`).
(cherry picked from commit 0401d766afcd022748763f5614188301c9856c6e)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11127)
---
crypto/ec/ec_key.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 73 insertions(+), 3 deletions(-)
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 08aaac5..90698b9 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -14,6 +14,7 @@
#include "internal/refcount.h"
#include <openssl/err.h>
#include <openssl/engine.h>
+#include "crypto/bn.h"
EC_KEY *EC_KEY_new(void)
{
@@ -416,17 +417,86 @@ const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key)
int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
{
+ int fixed_top;
+ const BIGNUM *order = NULL;
+ BIGNUM *tmp_key = NULL;
+
if (key->group == NULL || key->group->meth == NULL)
return 0;
+
+ /*
+ * Not only should key->group be set, but it should also be in a valid
+ * fully initialized state.
+ *
+ * Specifically, to operate in constant time, we need that the group order
+ * is set, as we use its length as the fixed public size of any scalar used
+ * as an EC private key.
+ */
+ order = EC_GROUP_get0_order(key->group);
+ if (order == NULL || BN_is_zero(order))
+ return 0; /* This should never happen */
+
if (key->group->meth->set_private != NULL
&& key->group->meth->set_private(key, priv_key) == 0)
return 0;
if (key->meth->set_private != NULL
&& key->meth->set_private(key, priv_key) == 0)
return 0;
+
+ /*
+ * We should never leak the bit length of the secret scalar in the key,
+ * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
+ * holding the secret scalar.
+ *
+ * This is important also because `BN_dup()` (and `BN_copy()`) do not
+ * propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and
+ * this brings an extra risk of inadvertently losing the flag, even when
+ * the called specifically set it.
+ *
+ * The propagation has been turned on and off a few times in the past
+ * years because in some conditions has shown unintended consequences in
+ * some code paths, so at the moment we can't fix this in the BN layer.
+ *
+ * In `EC_KEY_set_private_key()` we can work around the propagation by
+ * manually setting the flag after `BN_dup()` as we know for sure that
+ * inside the EC module the `BN_FLG_CONSTTIME` is always treated
+ * correctly and should not generate unintended consequences.
+ *
+ * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
+ * to preallocate the BIGNUM internal buffer to a fixed public size big
+ * enough that operations performed during the processing never trigger
+ * a realloc which would leak the size of the scalar through memory
+ * accesses.
+ *
+ * Fixed Length
+ * ------------
+ *
+ * The order of the large prime subgroup of the curve is our choice for
+ * a fixed public size, as that is generally the upper bound for
+ * generating a private key in EC cryptosystems and should fit all valid
+ * secret scalars.
+ *
+ * For preallocating the BIGNUM storage we look at the number of "words"
+ * required for the internal representation of the order, and we
+ * preallocate 2 extra "words" in case any of the subsequent processing
+ * might temporarily overflow the order length.
+ */
+ tmp_key = BN_dup(priv_key);
+ if (tmp_key == NULL)
+ return 0;
+
+ BN_set_flags(tmp_key, BN_FLG_CONSTTIME);
+
+ fixed_top = bn_get_top(order) + 2;
+ if (bn_wexpand(tmp_key, fixed_top) == NULL) {
+ BN_clear_free(tmp_key);
+ return 0;
+ }
+
BN_clear_free(key->priv_key);
- key->priv_key = BN_dup(priv_key);
- return (key->priv_key == NULL) ? 0 : 1;
+ key->priv_key = tmp_key;
+
+ return 1;
}
const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key)
--
1.8.3.1

34
EVP-allow-empty-strings-to-EVP_Decode-functions.patch Normal file
View File

@ -0,0 +1,34 @@
From 92cef3f186c20e702b7751c5ef959b4fe816a189 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Sat, 13 Jun 2020 22:16:14 +0200
Subject: [PATCH 020/147] EVP: allow empty strings to EVP_Decode* functions
This is a simple check order correction.
Fixes #12143
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12144)
(cherry picked from commit 0800288e6e1d9f44d471043a970ba57743ca8f4c)
---
crypto/evp/encode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
index 9307ff0..b178be0 100644
--- a/crypto/evp/encode.c
+++ b/crypto/evp/encode.c
@@ -423,7 +423,7 @@ static int evp_decodeblock_int(EVP_ENCODE_CTX *ctx, unsigned char *t,
table = data_ascii2bin;
/* trim white space from the start of the line. */
- while ((conv_ascii2bin(*f, table) == B64_WS) && (n > 0)) {
+ while ((n > 0) && (conv_ascii2bin(*f, table) == B64_WS)) {
f++;
n--;
}
--
1.8.3.1

32
EVP_EncryptInit.pod-fix-example.patch Normal file
View File

@ -0,0 +1,32 @@
From 3c09a5b0ba78a15311252ab8b7fb3ce16e7109ca Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Wed, 27 May 2020 16:32:43 +0200
Subject: [PATCH 003/147] EVP_EncryptInit.pod: fix example
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11976)
(cherry picked from commit d561b84143f5e7956454090e15de0c5e1425ceac)
---
doc/man3/EVP_EncryptInit.pod | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index aaf9975..2828bca 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -591,7 +591,7 @@ with a 128-bit key:
/* Don't set key or IV right away; we want to check lengths */
ctx = EVP_CIPHER_CTX_new();
- EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
+ EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
do_encrypt);
OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
--
1.8.3.1

32
Ensure-ECDSA_size-always-returns-0.patch Normal file
View File

@ -0,0 +1,32 @@
From f9f2e609db4de8d1f2022189a99c8277c3f6289d Mon Sep 17 00:00:00 2001
From: William Brawner <me@wbrawner.com>
Date: Sun, 5 Apr 2020 09:39:41 -0700
Subject: [PATCH 009/217] Ensure ECDSA_size always returns >= 0
Fixes #10484
Signed-off-by: William Brawner <me@wbrawner.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11472)
---
crypto/ec/ec_asn1.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 336afc9..831b74c 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1297,5 +1297,7 @@ int ECDSA_size(const EC_KEY *r)
i = i2d_ASN1_INTEGER(&bs, NULL);
i += i; /* r and s */
ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE);
+ if (ret < 0)
+ return 0;
return ret;
}
--
1.8.3.1

30
Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch Normal file
View File

@ -0,0 +1,30 @@
From 32d738c9a2abeea5a709de9c33e4e6d6b87938bd Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 12 Jun 2020 10:52:41 +0100
Subject: [PATCH 032/147] Ensure that SSL_dup copies the min/max protocol
version
With thanks to Rebekah Johnson for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
---
ssl/ssl_lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 7c7e597..1d96eb4 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3824,6 +3824,8 @@ SSL *SSL_dup(SSL *s)
goto err;
ret->version = s->version;
ret->options = s->options;
+ ret->min_proto_version = s->min_proto_version;
+ ret->max_proto_version = s->max_proto_version;
ret->mode = s->mode;
SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
--
1.8.3.1

44
Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch Normal file
View File

@ -0,0 +1,44 @@
From 86863f2ddc4200e5048e28c40ed6521495010699 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 27 May 2020 11:37:39 +0100
Subject: [PATCH 023/147] Ensure we never use a partially initialised CMAC_CTX
If the CMAC_CTX is partially initialised then we make a note of this so
that future operations will fail if the initialisation has not been
completed.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12107)
---
crypto/cmac/cmac.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c
index 6989c32..dbcc436 100644
--- a/crypto/cmac/cmac.c
+++ b/crypto/cmac/cmac.c
@@ -116,11 +116,18 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
return 1;
}
/* Initialise context */
- if (cipher && !EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL))
- return 0;
+ if (cipher != NULL) {
+ /* Ensure we can't use this ctx until we also have a key */
+ ctx->nlast_block = -1;
+ if (!EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL))
+ return 0;
+ }
/* Non-NULL key means initialisation complete */
- if (key) {
+ if (key != NULL) {
int bl;
+
+ /* If anything fails then ensure we can't use this ctx */
+ ctx->nlast_block = -1;
if (!EVP_CIPHER_CTX_cipher(ctx->cctx))
return 0;
if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen))
--
1.8.3.1

44
Fix-AES-CTR_DRBG-on-1.1.1.patch Normal file
View File

@ -0,0 +1,44 @@
From 0d011f540400b425aba1c3e59624ad9dbabe83cb Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Wed, 8 Apr 2020 12:33:47 +1000
Subject: [PATCH 014/217] Fix AES-CTR_DRBG on 1.1.1.
The backport of the timing information leak fix uses u32 which is defined
in crypto/modes/modes_local.h in 1.1.1 and include/crypto/modes.h for 3.0.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11489)
---
crypto/rand/build.info | 2 ++
crypto/rand/drbg_ctr.c | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/crypto/rand/build.info b/crypto/rand/build.info
index df9bac6..a4e7900 100644
--- a/crypto/rand/build.info
+++ b/crypto/rand/build.info
@@ -2,3 +2,5 @@ LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
randfile.c rand_lib.c rand_err.c rand_egd.c \
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
+
+INCLUDE[drbg_ctr.o]=../modes
diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c
index f41484e..af20197 100644
--- a/crypto/rand/drbg_ctr.c
+++ b/crypto/rand/drbg_ctr.c
@@ -12,9 +12,10 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#include "internal/thread_once.h"
+#include "modes_local.h"
#include "internal/thread_once.h"
#include "rand_local.h"
+
/*
* Implementation of NIST SP 800-90A CTR DRBG.
*/
--
1.8.3.1

77
Fix-AES-GCM-bug-on-aarch64-BigEndian.patch Normal file
View File

@ -0,0 +1,77 @@
From b11aa831cfe09befe3fb3229ca46a4a59352de34 Mon Sep 17 00:00:00 2001
From: simplelins <a735862152@163.com>
Date: Fri, 3 Jan 2020 22:56:18 +0800
Subject: [PATCH 087/147] Fix AES-GCM bug on aarch64 BigEndian
Fixes #10638
Fixes #13188
Fixes a bug for aarch64 bigendian with instructions 'st1' and 'ld1' on AES-GCM mode.
CLA: trivial
(cherry picked from commit bc8b648f744566031ce84d77333dbbcb9689e975)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13193)
---
crypto/aes/asm/aesv8-armx.pl | 10 +++++++++-
crypto/modes/modes_local.h | 7 +++++--
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
index d6068db..f42f7bd 100755
--- a/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/aes/asm/aesv8-armx.pl
@@ -183,7 +183,12 @@ $code.=<<___;
.Loop192:
vtbl.8 $key,{$in1},$mask
vext.8 $tmp,$zero,$in0,#12
+#ifdef __ARMEB__
+ vst1.32 {$in1},[$out],#16
+ sub $out,$out,#8
+#else
vst1.32 {$in1},[$out],#8
+#endif
aese $key,$zero
subs $bits,$bits,#1
@@ -715,8 +720,11 @@ $code.=<<___;
ldr $rounds,[$key,#240]
ldr $ctr, [$ivp, #12]
+#ifdef __ARMEB__
+ vld1.8 {$dat0},[$ivp]
+#else
vld1.32 {$dat0},[$ivp]
-
+#endif
vld1.32 {q8-q9},[$key] // load key schedule...
sub $rounds,$rounds,#4
mov $step,#16
diff --git a/crypto/modes/modes_local.h b/crypto/modes/modes_local.h
index 28c32c0..8881416 100644
--- a/crypto/modes/modes_local.h
+++ b/crypto/modes/modes_local.h
@@ -63,12 +63,15 @@ typedef u32 u32_a1;
asm ("bswapl %0" \
: "+r"(ret_)); ret_; })
# elif defined(__aarch64__)
-# define BSWAP8(x) ({ u64 ret_; \
+# if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
+ __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
+# define BSWAP8(x) ({ u64 ret_; \
asm ("rev %0,%1" \
: "=r"(ret_) : "r"(x)); ret_; })
-# define BSWAP4(x) ({ u32 ret_; \
+# define BSWAP4(x) ({ u32 ret_; \
asm ("rev %w0,%w1" \
: "=r"(ret_) : "r"(x)); ret_; })
+# endif
# elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
# define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \
asm ("rev %0,%0; rev %1,%1" \
--
1.8.3.1

142
Fix-PEM-certificate-loading-that-sometimes-fails.patch Normal file
View File

@ -0,0 +1,142 @@
From 69296e264e58334620f541d09a4e381ee45542d4 Mon Sep 17 00:00:00 2001
From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Date: Tue, 7 Apr 2020 19:33:39 +0200
Subject: [PATCH 046/217] Fix PEM certificate loading that sometimes fails
As described in https://github.com/openssl/openssl/issues/9187, the
loading of PEM certificates sometimes fails if a line of base64
content has the length of a multiple of 254.
The problem is in get_header_and_data(). When such a line with a
length of 254 (or a multiple) has been read, the next read will
only read a newline. Due to this get_header_and_data() expects to be
in the header not in the data area. This commit fixes that by checking
if lines have been read completely or only partially. In case of a
previous partial read, a newline will be ignored.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11741)
(cherry picked from commit 0324ffc5d5d393111288eca2c9d67f2141ed65f5)
---
crypto/pem/pem_lib.c | 28 ++++++++++++++++------
test/recipes/04-test_pem.t | 3 +++
.../04-test_pem_data/cert-254-chars-at-the-end.pem | 6 +++++
.../cert-254-chars-in-the-middle.pem | 5 ++++
.../cert-oneline-multiple-of-254.pem | 3 +++
5 files changed, 38 insertions(+), 7 deletions(-)
create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem
create mode 100644 test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem
create mode 100644 test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 64baf71..0d79f4a 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -791,7 +791,7 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name,
{
BIO *tmp = *header;
char *linebuf, *p;
- int len, line, ret = 0, end = 0;
+ int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0;
/* 0 if not seen (yet), 1 if reading header, 2 if finished header */
enum header_status got_header = MAYBE_HEADER;
unsigned int flags_mask;
@@ -813,6 +813,14 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name,
goto err;
}
+ /*
+ * Check if line has been read completely or if only part of the line
+ * has been read. Keep the previous value to ignore newlines that
+ * appear due to reading a line up until the char before the newline.
+ */
+ prev_partial_line_read = partial_line_read;
+ partial_line_read = len == LINESIZE-1 && linebuf[LINESIZE-2] != '\n';
+
if (got_header == MAYBE_HEADER) {
if (memchr(linebuf, ':', len) != NULL)
got_header = IN_HEADER;
@@ -823,13 +831,19 @@ static int get_header_and_data(BIO *bp, BIO **header, BIO **data, char *name,
/* Check for end of header. */
if (linebuf[0] == '\n') {
- if (got_header == POST_HEADER) {
- /* Another blank line is an error. */
- PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE);
- goto err;
+ /*
+ * If previous line has been read only partially this newline is a
+ * regular newline at the end of a line and not an empty line.
+ */
+ if (!prev_partial_line_read) {
+ if (got_header == POST_HEADER) {
+ /* Another blank line is an error. */
+ PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE);
+ goto err;
+ }
+ got_header = POST_HEADER;
+ tmp = *data;
}
- got_header = POST_HEADER;
- tmp = *data;
continue;
}
diff --git a/test/recipes/04-test_pem.t b/test/recipes/04-test_pem.t
index c321611..e261275 100644
--- a/test/recipes/04-test_pem.t
+++ b/test/recipes/04-test_pem.t
@@ -28,6 +28,8 @@ my %cert_expected = (
"cert-1023line.pem" => 1,
"cert-1024line.pem" => 1,
"cert-1025line.pem" => 1,
+ "cert-254-chars-at-the-end.pem" => 1,
+ "cert-254-chars-in-the-middle.pem" => 1,
"cert-255line.pem" => 1,
"cert-256line.pem" => 1,
"cert-257line.pem" => 1,
@@ -42,6 +44,7 @@ my %cert_expected = (
"cert-misalignedpad.pem" => 0,
"cert-onecolumn.pem" => 1,
"cert-oneline.pem" => 1,
+ "cert-oneline-multiple-of-254.pem" => 1,
"cert-shortandlongline.pem" => 1,
"cert-shortline.pem" => 1,
"cert-threecolumn.pem" => 1,
diff --git a/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem b/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem
new file mode 100644
index 0000000..0b6a3ba
--- /dev/null
+++ b/test/recipes/04-test_pem_data/cert-254-chars-at-the-end.pem
@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE-----
+MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCBTaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLf
+mipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo
+9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjo
+Kx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c=
+-----END CERTIFICATE-----
diff --git a/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem b/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem
new file mode 100644
index 0000000..cc9076b
--- /dev/null
+++ b/test/recipes/04-test_pem_data/cert-254-chars-in-the-middle.pem
@@ -0,0 +1,5 @@
+-----BEGIN CERTIFICATE-----
+MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT
+3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCB
+TaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLfmipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjoKx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c=
+-----END CERTIFICATE-----
diff --git a/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem b/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem
new file mode 100644
index 0000000..e0af859
--- /dev/null
+++ b/test/recipes/04-test_pem_data/cert-oneline-multiple-of-254.pem
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCBTaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLfmipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjoKx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c=
+-----END CERTIFICATE-----
--
1.8.3.1

126
Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch Normal file
View File

@ -0,0 +1,126 @@
From 56456c3404b0ec27f93816d951ff7a58827481f0 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Thu, 27 Aug 2020 07:18:55 +0200
Subject: [PATCH 063/147] Fix PEM_write_bio_PrivateKey_traditional() to not
output PKCS#8
PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER. However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers. If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that. If not,
i2d_PrivateKey() will go on and used more modern methods, which are
all expected to produce PKCS#8.
To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added. If it is NULL, an error is returned.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12729)
---
crypto/err/openssl.txt | 3 +++
crypto/pem/pem_err.c | 6 +++++-
crypto/pem/pem_pkey.c | 6 ++++++
include/openssl/pemerr.h | 4 +++-
4 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 3ca271b..0b5873e 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -934,6 +934,8 @@ PEM_F_PEM_READ_PRIVATEKEY:124:PEM_read_PrivateKey
PEM_F_PEM_SIGNFINAL:112:PEM_SignFinal
PEM_F_PEM_WRITE:113:PEM_write
PEM_F_PEM_WRITE_BIO:114:PEM_write_bio
+PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL:147:\
+ PEM_write_bio_PrivateKey_traditional
PEM_F_PEM_WRITE_PRIVATEKEY:139:PEM_write_PrivateKey
PEM_F_PEM_X509_INFO_READ:115:PEM_X509_INFO_read
PEM_F_PEM_X509_INFO_READ_BIO:116:PEM_X509_INFO_read_bio
@@ -2400,6 +2402,7 @@ PEM_R_UNEXPECTED_DEK_IV:130:unexpected dek iv
PEM_R_UNSUPPORTED_CIPHER:113:unsupported cipher
PEM_R_UNSUPPORTED_ENCRYPTION:114:unsupported encryption
PEM_R_UNSUPPORTED_KEY_COMPONENTS:126:unsupported key components
+PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE:110:unsupported public key type
PKCS12_R_CANT_PACK_STRUCTURE:100:cant pack structure
PKCS12_R_CONTENT_TYPE_NOT_DATA:121:content type not data
PKCS12_R_DECODE_ERROR:101:decode error
diff --git a/crypto/pem/pem_err.c b/crypto/pem/pem_err.c
index f642030..0f3cb02 100644
--- a/crypto/pem/pem_err.c
+++ b/crypto/pem/pem_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -60,6 +60,8 @@ static const ERR_STRING_DATA PEM_str_functs[] = {
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_SIGNFINAL, 0), "PEM_SignFinal"},
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE, 0), "PEM_write"},
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_BIO, 0), "PEM_write_bio"},
+ {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL, 0),
+ "PEM_write_bio_PrivateKey_traditional"},
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_PRIVATEKEY, 0),
"PEM_write_PrivateKey"},
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_READ, 0), "PEM_X509_INFO_read"},
@@ -109,6 +111,8 @@ static const ERR_STRING_DATA PEM_str_reasons[] = {
"unsupported encryption"},
{ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_KEY_COMPONENTS),
"unsupported key components"},
+ {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE),
+ "unsupported public key type"},
{0, NULL}
};
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index e58cdf4..7bd9aa0 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -108,6 +108,12 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, EVP_PKEY *x,
pem_password_cb *cb, void *u)
{
char pem_str[80];
+
+ if (x->ameth == NULL || x->ameth->old_priv_encode == NULL) {
+ PEMerr(PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL,
+ PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+ return 0;
+ }
BIO_snprintf(pem_str, 80, "%s PRIVATE KEY", x->ameth->pem_str);
return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
pem_str, bp, x, enc, kstr, klen, cb, u);
diff --git a/include/openssl/pemerr.h b/include/openssl/pemerr.h
index 0c45918..4f7e357 100644
--- a/include/openssl/pemerr.h
+++ b/include/openssl/pemerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -61,6 +61,7 @@ int ERR_load_PEM_strings(void);
# define PEM_F_PEM_SIGNFINAL 112
# define PEM_F_PEM_WRITE 113
# define PEM_F_PEM_WRITE_BIO 114
+# define PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL 147
# define PEM_F_PEM_WRITE_PRIVATEKEY 139
# define PEM_F_PEM_X509_INFO_READ 115
# define PEM_F_PEM_X509_INFO_READ_BIO 116
@@ -99,5 +100,6 @@ int ERR_load_PEM_strings(void);
# define PEM_R_UNSUPPORTED_CIPHER 113
# define PEM_R_UNSUPPORTED_ENCRYPTION 114
# define PEM_R_UNSUPPORTED_KEY_COMPONENTS 126
+# define PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE 110
#endif
--
1.8.3.1

41
Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch Normal file
View File

@ -0,0 +1,41 @@
From dea4e33a92a8c6a49bfabda4e78afa3d0e2e0d61 Mon Sep 17 00:00:00 2001
From: raja-ashok <rashok.svks@gmail.com>
Date: Fri, 8 May 2020 19:17:21 +0530
Subject: [PATCH 052/217] Fix crash in early data send with out-of-band PSK
using AES CCM
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11809)
---
ssl/tls13_enc.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 86754dc..b8fb07f 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -390,11 +390,18 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
uint32_t algenc;
ivlen = EVP_CCM_TLS_IV_LEN;
- if (s->s3->tmp.new_cipher == NULL) {
+ if (s->s3->tmp.new_cipher != NULL) {
+ algenc = s->s3->tmp.new_cipher->algorithm_enc;
+ } else if (s->session->cipher != NULL) {
/* We've not selected a cipher yet - we must be doing early data */
algenc = s->session->cipher->algorithm_enc;
+ } else if (s->psksession != NULL && s->psksession->cipher != NULL) {
+ /* We must be doing early data with out-of-band PSK */
+ algenc = s->psksession->cipher->algorithm_enc;
} else {
- algenc = s->s3->tmp.new_cipher->algorithm_enc;
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
+ ERR_R_EVP_LIB);
+ goto err;
}
if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8))
taglen = EVP_CCM8_TLS_TAG_LEN;
--
1.8.3.1

39
Fix-d2i_PrivateKey-to-work-as-documented.patch Normal file
View File

@ -0,0 +1,39 @@
From 176eb406691f14d560cf7619365830a4d033ee28 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Mon, 11 May 2020 09:14:11 +0200
Subject: [PATCH 062/217] Fix d2i_PrivateKey() to work as documented
d2i_PrivateKey() is documented to return keys of the type given as
first argument |type|, unconditionally. Most specifically, the manual
says this:
> An error occurs if the decoded key does not match type.
However, when faced of a PKCS#8 wrapped key, |type| was ignored, which
may lead to unexpected results.
(cherry picked from commit b2952366dd0248bf35c83e1736cd203033a22378)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11888)
---
crypto/asn1/d2i_pr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c
index 6ec0107..ac1a8c4 100644
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -56,6 +56,8 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
goto err;
EVP_PKEY_free(ret);
ret = tmp;
+ if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret))
+ goto err;
} else {
ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
goto err;
--
1.8.3.1

71
Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch Normal file
View File

@ -0,0 +1,71 @@
From 7f699cb663741a73cfe95214d4a39a1078c94294 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Wed, 3 Jun 2020 07:49:27 +0200
Subject: [PATCH 014/147] Fix err checking and mem leaks of BIO_set_conn_port
and BIO_set_conn_address
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12036)
---
crypto/bio/bss_conn.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index f4c6b85..807a82b 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -416,12 +416,13 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
case BIO_C_SET_CONNECT:
if (ptr != NULL) {
b->init = 1;
- if (num == 0) {
+ if (num == 0) { /* BIO_set_conn_hostname */
char *hold_service = data->param_service;
/* We affect the hostname regardless. However, the input
* string might contain a host:service spec, so we must
* parse it, which might or might not affect the service
*/
+
OPENSSL_free(data->param_hostname);
data->param_hostname = NULL;
ret = BIO_parse_hostserv(ptr,
@@ -430,19 +431,29 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
BIO_PARSE_PRIO_HOST);
if (hold_service != data->param_service)
OPENSSL_free(hold_service);
- } else if (num == 1) {
+ } else if (num == 1) { /* BIO_set_conn_port */
OPENSSL_free(data->param_service);
- data->param_service = BUF_strdup(ptr);
- } else if (num == 2) {
+ if ((data->param_service = OPENSSL_strdup(ptr)) == NULL)
+ ret = 0;
+ } else if (num == 2) { /* BIO_set_conn_address */
const BIO_ADDR *addr = (const BIO_ADDR *)ptr;
+ char *host = BIO_ADDR_hostname_string(addr, 1);
+ char *service = BIO_ADDR_service_string(addr, 1);
+
+ ret = host != NULL && service != NULL;
if (ret) {
- data->param_hostname = BIO_ADDR_hostname_string(addr, 1);
- data->param_service = BIO_ADDR_service_string(addr, 1);
+ OPENSSL_free(data->param_hostname);
+ data->param_hostname = host;
+ OPENSSL_free(data->param_service);
+ data->param_service = service;
BIO_ADDRINFO_free(data->addr_first);
data->addr_first = NULL;
data->addr_iter = NULL;
+ } else {
+ OPENSSL_free(host);
+ OPENSSL_free(service);
}
- } else if (num == 3) {
+ } else if (num == 3) { /* BIO_set_conn_ip_family */
data->connect_family = *(int *)ptr;
} else {
ret = 0;
--
1.8.3.1

377
Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch Normal file
View File

@ -0,0 +1,377 @@
From e2590c3a162eb118c36b09c2168164283aa099b4 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Tue, 24 Dec 2019 11:25:15 +0100
Subject: [PATCH 050/147] Fix issue 1418 by moving check of KU_KEY_CERT_SIGN
and weakening check_issued()
Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix.
As prerequisites, this adds the static function check_sig_alg_match()
and the internal functions x509_likely_issued() and x509_signing_allowed().
This is a backport of the core of PR #10587.
Fixes #1418
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12357)
---
crypto/x509/x509_local.h | 2 +
crypto/x509/x509_vfy.c | 52 +++++++++++++-----------
crypto/x509v3/v3_purp.c | 64 ++++++++++++++++++++++++------
doc/man3/X509_STORE_set_verify_cb_func.pod | 4 +-
doc/man3/X509_check_issued.pod | 17 ++++----
include/openssl/x509_vfy.h | 3 ++
test/certs/ee-self-signed.pem | 18 +++++++++
test/certs/setup.sh | 3 ++
test/recipes/25-test_verify.t | 5 ++-
9 files changed, 123 insertions(+), 45 deletions(-)
create mode 100644 test/certs/ee-self-signed.pem
diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h
index c517a77..6ac3c7e 100644
--- a/crypto/x509/x509_local.h
+++ b/crypto/x509/x509_local.h
@@ -145,3 +145,5 @@ DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
void x509_set_signature_info(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
const ASN1_STRING *sig);
+int x509_likely_issued(X509 *issuer, X509 *subject);
+int x509_signing_allowed(const X509 *issuer, const X509 *subject);
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 5bd3c4c..87b51e9 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -104,7 +104,12 @@ static int null_callback(int ok, X509_STORE_CTX *e)
return ok;
}
-/* Return 1 is a certificate is self signed */
+/*
+ * Return 1 if given cert is considered self-signed, 0 if not or on error.
+ * This does not verify self-signedness but relies on x509v3_cache_extensions()
+ * matching issuer and subject names (i.e., the cert being self-issued) and any
+ * present authority key identifier matching the subject key identifier, etc.
+ */
static int cert_self_signed(X509 *x)
{
if (X509_check_purpose(x, -1, 0) != 1)
@@ -325,30 +330,26 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
return rv;
}
-/* Given a possible certificate and issuer check them */
-
+/*
+ * Check that the given certificate 'x' is issued by the certificate 'issuer'
+ * and the issuer is not yet in ctx->chain, where the exceptional case
+ * that 'x' is self-issued and ctx->chain has just one element is allowed.
+ */
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
- int ret;
- if (x == issuer)
- return cert_self_signed(x);
- ret = X509_check_issued(issuer, x);
- if (ret == X509_V_OK) {
+ if (x509_likely_issued(issuer, x) != X509_V_OK)
+ return 0;
+ if ((x->ex_flags & EXFLAG_SI) == 0 || sk_X509_num(ctx->chain) != 1) {
int i;
X509 *ch;
- /* Special case: single self signed certificate */
- if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1)
- return 1;
+
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
ch = sk_X509_value(ctx->chain, i);
- if (ch == issuer || !X509_cmp(ch, issuer)) {
- ret = X509_V_ERR_PATH_LOOP;
- break;
- }
+ if (ch == issuer || X509_cmp(ch, issuer) == 0)
+ return 0;
}
}
-
- return (ret == X509_V_OK);
+ return 1;
}
/* Alternative lookup method: look from a STACK stored in other_ctx */
@@ -1752,18 +1753,23 @@ static int internal_verify(X509_STORE_CTX *ctx)
* is allowed to reset errors (at its own peril).
*/
while (n >= 0) {
- EVP_PKEY *pkey;
-
/*
- * Skip signature check for self signed certificates unless explicitly
- * asked for. It doesn't add any security and just wastes time. If
- * the issuer's public key is unusable, report the issuer certificate
+ * Skip signature check for self-issued certificates unless explicitly
+ * asked for because it does not add any security and just wastes time.
+ * If the issuer's public key is not available or its key usage does
+ * not support issuing the subject cert, report the issuer certificate
* and its depth (rather than the depth of the subject).
*/
if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
+ EVP_PKEY *pkey;
+ int issuer_depth = n + (xs == xi ? 0 : 1);
+ int ret = x509_signing_allowed(xi, xs);
+
+ if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret))
+ return 0;
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
- X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
+ X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
return 0;
} else if (X509_verify(xs, pkey) <= 0) {
if (!verify_cb_cert(ctx, xs, n,
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index f023c64..2b06dba 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -13,6 +13,7 @@
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include "crypto/x509.h"
+#include "../x509/x509_local.h" /* for x509_signing_allowed() */
#include "internal/tsan_assist.h"
static void x509v3_cache_extensions(X509 *x);
@@ -344,6 +345,21 @@ static int setup_crldp(X509 *x)
return 1;
}
+/* Check that issuer public key algorithm matches subject signature algorithm */
+static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject)
+{
+ int pkey_nid;
+
+ if (pkey == NULL)
+ return X509_V_ERR_NO_ISSUER_PUBLIC_KEY;
+ if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm),
+ NULL, &pkey_nid) == 0)
+ return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+ if (EVP_PKEY_type(pkey_nid) != EVP_PKEY_base_id(pkey))
+ return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH;
+ return X509_V_OK;
+}
+
#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
#define ku_reject(x, usage) \
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
@@ -496,11 +512,11 @@ static void x509v3_cache_extensions(X509 *x)
x->ex_flags |= EXFLAG_INVALID;
/* Does subject name match issuer ? */
if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
- x->ex_flags |= EXFLAG_SI;
- /* If SKID matches AKID also indicate self signed */
- if (X509_check_akid(x, x->akid) == X509_V_OK &&
- !ku_reject(x, KU_KEY_CERT_SIGN))
- x->ex_flags |= EXFLAG_SS;
+ x->ex_flags |= EXFLAG_SI; /* cert is self-issued */
+ if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */
+ /* .. and the signature alg matches the PUBKEY alg: */
+ && check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK)
+ x->ex_flags |= EXFLAG_SS; /* indicate self-signed */
}
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL);
if (x->altname == NULL && i != -1)
@@ -793,6 +809,23 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
}
/*-
+ * Check if certificate I<issuer> is allowed to issue certificate I<subject>
+ * according to the B<keyUsage> field of I<issuer> if present
+ * depending on any proxyCertInfo extension of I<subject>.
+ * Returns 0 for OK, or positive for reason for rejection
+ * where reason codes match those for X509_verify_cert().
+ */
+int x509_signing_allowed(const X509 *issuer, const X509 *subject)
+{
+ if (subject->ex_flags & EXFLAG_PROXY) {
+ if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+ return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+ } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+ return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+ return X509_V_OK;
+}
+
+/*-
* Various checks to see if one certificate issued the second.
* This can be used to prune a set of possible issuer certificates
* which have been looked up using some simple method such as by
@@ -800,13 +833,24 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
* These are:
* 1. Check issuer_name(subject) == subject_name(issuer)
* 2. If akid(subject) exists check it matches issuer
- * 3. If key_usage(issuer) exists check it supports certificate signing
+ * 3. Check that issuer public key algorithm matches subject signature algorithm
+ * 4. If key_usage(issuer) exists check it supports certificate signing
* returns 0 for OK, positive for reason for mismatch, reasons match
* codes for X509_verify_cert()
*/
int X509_check_issued(X509 *issuer, X509 *subject)
{
+ int ret;
+
+ if ((ret = x509_likely_issued(issuer, subject)) != X509_V_OK)
+ return ret;
+ return x509_signing_allowed(issuer, subject);
+}
+
+/* do the checks 1., 2., and 3. as described above for X509_check_issued() */
+int x509_likely_issued(X509 *issuer, X509 *subject)
+{
if (X509_NAME_cmp(X509_get_subject_name(issuer),
X509_get_issuer_name(subject)))
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
@@ -824,12 +868,8 @@ int X509_check_issued(X509 *issuer, X509 *subject)
return ret;
}
- if (subject->ex_flags & EXFLAG_PROXY) {
- if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
- return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
- } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
- return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
- return X509_V_OK;
+ /* check if the subject signature alg matches the issuer's PUBKEY alg */
+ return check_sig_alg_match(X509_get0_pubkey(issuer), subject);
}
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
diff --git a/doc/man3/X509_STORE_set_verify_cb_func.pod b/doc/man3/X509_STORE_set_verify_cb_func.pod
index d16881e..47de27d 100644
--- a/doc/man3/X509_STORE_set_verify_cb_func.pod
+++ b/doc/man3/X509_STORE_set_verify_cb_func.pod
@@ -137,7 +137,9 @@ I<If no function to get the issuer is provided, the internal default
function will be used instead.>
X509_STORE_set_check_issued() sets the function to check that a given
-certificate B<x> is issued with the issuer certificate B<issuer>.
+certificate B<x> is issued by the issuer certificate B<issuer> and
+the issuer is not yet in the chain contained in <ctx>, where the exceptional
+case that B<x> is self-issued and ctx->chain has just one element is allowed.
This function must return 0 on failure (among others if B<x> hasn't
been issued with B<issuer>) and 1 on success.
I<If no function to get the issuer is provided, the internal default
diff --git a/doc/man3/X509_check_issued.pod b/doc/man3/X509_check_issued.pod
index f9a541e..5071986 100644
--- a/doc/man3/X509_check_issued.pod
+++ b/doc/man3/X509_check_issued.pod
@@ -2,7 +2,7 @@
=head1 NAME
-X509_check_issued - checks if certificate is issued by another
+X509_check_issued - checks if certificate is apparently issued by another
certificate
=head1 SYNOPSIS
@@ -14,13 +14,14 @@ certificate
=head1 DESCRIPTION
-This function checks if certificate I<subject> was issued using CA
-certificate I<issuer>. This function takes into account not only
-matching of issuer field of I<subject> with subject field of I<issuer>,
-but also compares B<authorityKeyIdentifier> extension of I<subject> with
-B<subjectKeyIdentifier> of I<issuer> if B<authorityKeyIdentifier>
-present in the I<subject> certificate and checks B<keyUsage> field of
-I<issuer>.
+X509_check_issued() checks if certificate I<subject> was apparently issued
+using (CA) certificate I<issuer>. This function takes into account not only
+matching of the issuer field of I<subject> with the subject field of I<issuer>,
+but also compares all sub-fields of the B<authorityKeyIdentifier> extension of
+I<subject>, as far as present, with the respective B<subjectKeyIdentifier>,
+serial number, and issuer fields of I<issuer>, as far as present. It also checks
+if the B<keyUsage> field (if present) of I<issuer> allows certificate signing.
+It does not check the certificate signature.
=head1 RETURN VALUES
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index adb8bce..0f13739 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -184,6 +184,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
# define X509_V_ERR_OCSP_VERIFY_NEEDED 73 /* Need OCSP verification */
# define X509_V_ERR_OCSP_VERIFY_FAILED 74 /* Couldn't verify cert through OCSP */
# define X509_V_ERR_OCSP_CERT_UNKNOWN 75 /* Certificate wasn't recognized by the OCSP responder */
+# define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH 76
+# define X509_V_ERR_NO_ISSUER_PUBLIC_KEY 77
+# define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM 78
/* Certificate verify flags */
diff --git a/test/certs/ee-self-signed.pem b/test/certs/ee-self-signed.pem
new file mode 100644
index 0000000..ad1e37b
--- /dev/null
+++ b/test/certs/ee-self-signed.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbegAwIBAgIUBP7iEKPlKuinZGQNFxSY3IBIb0swDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOZWUtc2VsZi1zaWduZWQwHhcNMjAwNjI4MTA1MTQ1WhcN
+MjAwNzI4MTA1MTQ1WjAZMRcwFQYDVQQDDA5lZS1zZWxmLXNpZ25lZDCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU
+fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC
+76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz
+BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl
+V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv
+0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaMP
+MA0wCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQBiLmIUCGb+hmRGbmpO
+lDqEwiRVdxHBs4OSb3IA9QgU1QKUDRqn7q27RRelmzTXllubZZcX3K6o+dunRW5G
+d3f3FVr+3Z7wnmkQtC2y3NWtGuWNczss+6rMLzKvla5CjRiNPlSvluMNpcs7BJxI
+ppk1LxlaiYlQkDW32OPyxzXWDNv1ZkphcOcoCkHAagnq9x1SszvLTjAlo5XpYrm5
+CPgBOEnVwFCgne5Ab4QPTgkxPh/Ta508I/FKaPLJqci1EfGKipZkS7mMGTUJEeVK
+wZrn4z7RiTfJ4PdqO5iv8eOpt03fqdPEXQWe8DrKyfGM6/e369FaXMFhcd2ZxZy2
+WHoc
+-----END CERTIFICATE-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index bbe4842..7e40f65 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -185,6 +185,9 @@ OPENSSL_SIGALG=md5 \
OPENSSL_KEYBITS=768 \
./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert
+# self-signed end-entity cert with explicit keyUsage not including KeyCertSign
+openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature
+
# Proxy certificates, off of ee-client
# Start with some good ones
./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index cf7842c..0c643e5 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 135;
+plan tests => 136;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -368,6 +368,9 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"]
ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"),
"Public Key Algorithm rsa instead of rsaEncryption");
+ ok(verify("ee-self-signed", "sslserver", ["ee-self-signed"], []),
+ "accept trusted self-signed EE cert excluding key usage keyCertSign");
+
SKIP: {
skip "Ed25519 is not supported by this OpenSSL build", 1
if disabled("ec");
--
1.8.3.1

39
Fix-memory-leaks-in-conf_def.c.patch Normal file
View File

@ -0,0 +1,39 @@
From 526cf60408e1a356ec712b6c88a88864fdbe73af Mon Sep 17 00:00:00 2001
From: luxinyou <luxinyou@uniontech.com>
Date: Mon, 7 Sep 2020 18:06:45 +1000
Subject: [PATCH 065/147] Fix memory leaks in conf_def.c
Fixes #12471
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12533)
(cherry picked from commit 4348995b0d818203f37ffa51c9bdf4488cf24bad)
---
crypto/conf/conf_def.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c
index ca76fa3..72669b1 100644
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -376,11 +376,13 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
if (biosk == NULL) {
if ((biosk = sk_BIO_new_null()) == NULL) {
CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
+ BIO_free(next);
goto err;
}
}
if (!sk_BIO_push(biosk, in)) {
CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
+ BIO_free(next);
goto err;
}
/* continue with reading from the included BIO */
--
1.8.3.1

266
Fix-rsa8192.pem.patch Normal file
View File

@ -0,0 +1,266 @@
From 024035b6e018405d7c29bce2e10e884066203601 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun, 10 May 2020 06:37:12 +0200
Subject: [PATCH 048/217] Fix rsa8192.pem
Q: How did I do that?
A: That's a long story.
Precondition: I used sage 8.1 for the math, it could probably
done with simple python as well but I did not try.
First I extract numbers from rsa8192.pem:
openssl rsa -in rsa8192.pem -noout -text | sed "s/://g; s/ //g;"
cut&paste the numbers into sage:
modulus
00890d9fd57e81b5ed43283d0ea020
4a1229333d6fb9c37a179375b09c4f
7b5b1cf2eb025979b6d90b709928a0
6725e04caf2b0f7fe94afbdf9f3fa5
66f1ba75c2f6dc488039f410eb5fa8
ab152b8cfdb76791bb853059438edf
ae56bc70a32a9f3e2d883e8b751d08
3797999dc81a9c4d6bdb3a75362fd1
d9c497cf5028dfcdd4cc3eb318e79f
c0db45cbeed955da8a447f0872dee5
65bde4013340e767731441fae4fa54
51356bfbc84e1271b39f111f5f8ef3
a6c8973765b39addef80306194f4ea
89fdfc8e9744866323f6936de89b2f
e2741578b8eb3c41676702fabc50ec
c376e6b7b6e7f94e7d7b5c1bab3c9f
23bb0c8f04d8aca64c309fc063c406
553e1c1421cc45060df7f48c49f5c5
b459d572e273402d6a3ff008657fe9
1936714d1823c5cad53d80630b3216
9bf70feb2ebc1af6a35ee0bf059aed
49c4e367d567e130e2846859b271fd
a8949b182e050819866b8e762ed29f
fb3f7ca14cebfc2488662be4b3980f
c8d31890a05f38ae9690cc7d9d3efc
4808e03da104a8c28bb480bb814995
a6e8b8978ab8350d90b3894e3abf7d
c4ad0956335752c8d6944b38a1715e
7d9950f49e6cdba171fbe651a2ca26
65a7c70b6e8cf3a02c2f93dad8aa95
06481cdb032d04082a5a6c6a733b65
20fa80e2ef57b9cf858ca5ea11e084
bc31a386fc6b099f069786207f80d6
1f2bef294400d59394ad1006431366
a54ae09b0ecd3377dcd8af8fde9b94
fd559b0b7adc5113ba66fc4b3dc842
ee562cfcfd39b4ffc31576635873fc
59535b7aa98605772436c251834e23
4fb2347cc970a49818cac2a9ee95eb
b55fa2da66edd53e11245c6732140a
ae41491288cbf462eef8a807b46d0d
affa38d9ccfe8033d2d4a3cf5c5b82
9df12183f7a05d3650153cd317a017
083ac641c2c3ad11305de0a032be45
c439bd7bbbe3cb97850f9d2c66f72a
4a66e9d434544fc6d294ca3c92627b
e518bfa44e3017ac8ad9c0a26a227d
2e8677da0a4de8edb53ac9530adb63
83c72dbf562dc4d0fea4e492f09eb1
74548381a8686db3aeaaa3a9960cff
25e8c64701115da54fa7a1fb2c566a
fcb4b2a63268d818c3391a62885d13
41b3492c4f0167291b3d026a44e68c
02f2d4d255d4c0906b92a2ced0c0bb
f2bcdceaec1189895af4232dc386c9
75bf3477e5a70d3ab0ac0e5dc37024
0e34a276b155d5e290f77416a1986d
ec47f8c78236ac7df249df9ba21a80
2e6bd75b4fb1c6ffe0f4cf548761a5
6a1fcccee156523a718987f3fdaedc
7171c9050db89a83f24c5a283695b9
c28de6d3b69fc1714b0add335a0ce6
fbbdbd0bbdb01e44969d775105bba3
d2947dca2f291250f9b851e76f514d
dc5a3aa4498e6521314991568860eb
ff1258d8b4aee9ee4159153684c0c0
16c60b17537a50b53cd59aad60678b
d73f0714ab4ccae7416bab417b4907
36d59b2e9f
I used echo `echo "<paste>" ` | sed "s/ //g"
to get everything in one line, put that again
into the clipboard and
then start sage, type N=0x<paste><CR>
sage: N=0x00890d9fd57e81b5ed43283d0ea0204a1229333d6fb9c37a179375b09c4f7b5b1cf2eb025979b6d90b709928a06725e04caf2b0f7fe94afbdf9f3fa566f1ba75c2f6dc488039f410eb5fa8ab152b8cfdb76791bb853059438edfae56bc70a32a9f3e2d883e8b751d083797999dc81a9c4d6bdb3a75362fd1d9c497cf5028dfcdd4cc3eb318e79fc0db45cbeed955da8a447f0872dee565bde4013340e767731441fae4fa5451356bfbc84e1271b39f111f5f8ef3a6c8973765b39addef80306194f4ea89fdfc8e9744866323f6936de89b2fe2741578b8eb3c41676702fabc50ecc376e6b7b6e7f94e7d7b5c1bab3c9f23bb0c8f04d8aca64c309fc063c406553e1c1421cc45060df7f48c49f5c5b459d572e273402d6a3ff008657fe91936714d1823c5cad53d80630b32169bf70feb2ebc1af6a35ee0bf059aed49c4e367d567e130e2846859b271fda8949b182e050819866b8e762ed29ffb3f7ca14cebfc2488662be4b3980fc8d31890a05f38ae9690cc7d9d3efc4808e03da104a8c28bb480bb814995a6e8b8978ab8350d90b3894e3abf7dc4ad0956335752c8d6944b38a1715e7d9950f49e6cdba171fbe651a2ca2665a7c70b6e8cf3a02c2f93dad8aa9506481cdb032d04082a5a6c6a733b6520fa80e2ef57b9cf858ca5ea11e084bc31a386fc6b099f069786207f80d61f2bef294400d59394ad1006431366a54ae09b0ecd3377dcd8af8fde9b94fd559b0b7adc5113ba66fc4b3dc842ee562cfcfd39b4ffc31576635873fc59535b7aa98605772436c251834e234fb2347cc970a49818cac2a9ee95ebb55fa2da66edd53e11245c6732140aae41491288cbf462eef8a807b46d0daffa38d9ccfe8033d2d4a3cf5c5b829df12183f7a05d3650153cd317a017083ac641c2c3ad11305de0a032be45c439bd7bbbe3cb97850f9d2c66f72a4a66e9d434544fc6d294ca3c92627be518bfa44e3017ac8ad9c0a26a227d2e8677da0a4de8edb53ac9530adb6383c72dbf562dc4d0fea4e492f09eb174548381a8686db3aeaaa3a9960cff25e8c64701115da54fa7a1fb2c566afcb4b2a63268d818c3391a62885d1341b3492c4f0167291b3d026a44e68c02f2d4d255d4c0906b92a2ced0c0bbf2bcdceaec1189895af4232dc386c975bf3477e5a70d3ab0ac0e5dc370240e34a276b155d5e290f77416a1986dec47f8c78236ac7df249df9ba21a802e6bd75b4fb1c6ffe0f4cf548761a56a1fcccee156523a718987f3fdaedc7171c9050db89a83f24c5a283695b9c28de6d3b69fc1714b0add335a0ce6fbbdbd0bbdb01e44969d775105bba3d2947dca2f291250f9b851e76f514ddc5a3aa4498e6521314991568860ebff1258d8b4aee9ee4159153684c0c016c60b17537a50b53cd59aad60678bd73f0714ab4ccae7416bab417b490736d59b2e9f
likewise for prime1 (P), prime2 (Q) and
privateExponent (D) and publicExponent (E)
sage: P=0x00c6d6eb9c0f93f8b8de74b2799798c1c1ed47549426a0d76af61f04f0b455184acfeec354c1703709e8727ea0213001738e395b5ca5ed4deec30f8b1ae0e54a516777c5ae897a5562e77dfe378dbba32ee30bcdb275ab7f87f8b9af02712d371a6aa671b44e0f667a6f2d406e5099d942f592ff5c517d452d58cf3f51120062a878fb77066650275b897caf078a5353f1d714963ff90818b6b87c6db438681b4b315c4fd256c1bd383fcf8e67b49a3ee077373a66d77e4c02eebe9350478a51cdfa395d60d905c1189ed7041373f1609075faf9d9f39d3d7b0e7fc8b1d36cb8c5c48731ef5cd87e11f480cdfa4b3ee6cf7eebd3e13f4244647396d52030b82c39d69a3a4075ee90531d1ddb5f1284dc7ab09a3892de5c0ddeed115c7c9ee5fc008658830b0e6f7f366a72f215192498474ade046fc10e92591dfa133e4beff98758e0e92c05f999504a486e3f71c15b73adf7fe0d311f0d0dc1a8e2aff92572475a92e60f970174c80c4948a0cb86635cb438519b18c260ff9f212925e684ef151cc91fa1c4c8dbbc337c9b46f9a93c88cce49e49a670762186e8858051f93ebff7b0b50caadd9b32f93e396b5a6d1cd7f77b2e50e83fae5f3928433268f6cc28810071ce334025a24c7ebf92e631df0d26e99923018946de4ea5e30e868c33ea3d408d8c58815ecf9892fa3afa5f6fbef9a1dfda2da51b6f01f3dae588bdf17b
sage: Q=0x00b073b35a3bba0954b242961630e8e0af8d3ea8aad80d55669e9e79c388983363d96fe471205743001b4798b81de1be3fb06353fd0c9c4fd43f91f9cb2162b00583cc94ff791a615348d01977ca05f4796d5bff41d94dda1cb3ef2433ff4f6500d15ab290a14e651efa91b7df5d5e50f8356188d9842dcdd67c89eb7d40baa78f045969b804f7a985d35a8a8ac32715cb212a34fb89e85e538275e53663fe675944d2b5dba77b7b7abfacd8fbddee4427db6460b728952af882992750c2542d2122247d7f431ec2fe64c0311b0de5290eb619c6ab476308d59f3efff7255d07ebb51fe64ac5967c0b79bae07d36283cf768c8eee2054349cefe90876da66a52e9e0ff20cc00a40fb0c69524e7a01e5c2f07239831a0fa2f56ad405b3a25537907d990e8f5a3e4f3df99dda6afc30d4565aa5881f64adcc6f6be4077893c7e7710623e6158359c3facfef5036779903065fd0d0a2ed8bf2e53a46758dbff06284670bf10bd2e13cba4323ce50fa43df373bd0940011c424f41c5035a10b8095f420ddb67189f6dad62f1257b0f46e353a90eacc145c7db74998a5d0d8772ba1286eb582504465290171e4db87f2e89564214a2317953a7307b1b4c8dad5920866087d7ae80845478813bdf5f6740d0f3b975a344272804b036e4fef09e91d60d1a730fda2f5c222f7636bbe252f9a6caa86d5e8be7e7db2cf912817a0898a4742d
sage: D=0x3b900240c4a416aeb09b123e02f5457bb31023c9249081c5313edaac741686388492020964ce4471a653c9c63c4dc7b74c0188d0ec50bc3a29797da6c9b3616e83dea45ba5d41e6e4cba7eefca6791f45d3c86a491a899a5c42c7e61930a3681d281f34e4b49707e9bba74f68f7a91274c92904b546b5fe6267c5b8ad8d8bb199a523d7fbb5a40748b56dfccf074f3d664e705153dd903b7cd95bac556be3ab59a165d7cbb765e21a4a1d97e34b412baf1caacb57543d2bd8e5ae5cd2a86dc41e256f3f5c0073052859d1c8a12f4973caa88de2e5eb2eef8d6ebdb66fe154d8e383cba74693753affaf4dbc8e2988c08f947b1f8473a7163775656448572c325250ad2cd75c9f5d42721b91ae8fb427773605afa2f4297daf7ab34f5d71144185f3f5cbc94041081fae19fd5d47fc49421080edc5d658b5f223fb1e9b172f4da1a92263fa922225d4c0231e35d94d276fcb0e0999f5f26068528c83f49b0dd79fb157c49fe8b3d80e7cd2b3da76478ebd2ae2c8164583bee2f96591e2f41ad799ae0e2855a5699996fb2c7efb69f86874bca58628e512d579b247e43ee8db04b424e84e44cf753f86e12dd8d2e0ea0b800e6c313317c14658993b8e04c7fb5de1cba0829123dc518957be2a46f76f8ff305fee17b2310bfdd66a93c8b050451f8ceb26c518b7abb72faf08fca0bf6df8a80de511ffc00dc350cd87e52c9cf5771892300e420929da698b6b973da849c89410f089e9b39de79fc1a01a27d2f879ce5cd80ca0a3899d9f480c68d7a5f8c8b3c74936b19f0c7174987df437658046adaffdaddc3540be7fc06a1d2290f58ad9a2992d32e9ecbadf2eed961b4e68c8a89a5709a334082ad297348c4c31c54a3dadccb93afaa9f1786c4167021d4a16dd78afb41131bdd651357bd44f42cfee5d03fdfae087255d18a6a41c03aa6408b6097d8a6848cbbf05a7f20207d5673ea5e6dc849d5d3009c6e8a6c41285cd64f71b536d8345d61f404079278facde0d6e2264cbe655e877468bd3e76380d91f282f26ae17e41a1bac76c148c4c75dd22656816ab259e2c79920e27e6bcfa83732ac6e0a245dcd9cc82f69e45019cf53ac39bebca3ddea0f55ef97b6d8f7b7eadaae792fb1b55c73cf2ed644e651a22c60ed9c0bb063c50fadda6beccbf6c88c41ef1546bab5f21dbe4fbeeb11f3c5c40fa1cc3df2c11bfe7910d1d36a5ec6e66462c7e216481008931039299d23f2be4d838fb010b661a8541a8b7f7bf7d6c8032895e82133e24c835e5a3491249ec69f28e22cf9b0fab9be9ea17026fbadd470eee4676d7ac79976a1c6807e89b5dabab815ffa076caeaeb53f505a31129dac1e9f0b5d919f17aced63574c8524000022b6bc6cb9c8d6a06e44c72e055a1e2706e736af241ab3084fa56cf942aa139440f74e230be31cd8dd4bf0cbdd657f1
sage: E=0x10001
check:
sage: is_pseudoprime(P)
True
sage: gcd(N,P)
811194519730394220204949383061971492284209477134487451053533919242408334468793875483685418435472924384137737409878754330061341487239404629370463160720071782806016579636145456953095810661706004899017496722730291178259805745059054744795252171022091469940626116746608128441399036310378334222880519662696558703165249434265697658704322903051581598088400258377253583825209022558177374913570364047051007093402547387492492645729748176160840842076964161794363721255756097675823463557162877865622894488049720201680509519072521257128596878592149455958732762099800396648453225220977153025222265023206761554302369499402146842619059859650958489842850140873473393484632985863967898676228674751576699965523367097641503814266418957281198265955430221973482931544501209059788536033857660452959160612655542331433647351037413298986228798018950712662579341162832440884265576141868775326408627532047094505284395403786932363148262901839514736964209136867574532808481484592060405175685831168554790879720280778881035860464184791941816702480873202940903024652495084770128062224279875598826600084633389722629461385386069921483006677287847102371176994910369378323222717613076771700378608286670543729473076010314569999636269167049088093674649352610884381826740603
sage: N%P
0
>> P seems to be a prime, and is indeed a factor of N.
sage: is_pseudoprime(Q)
False
sage: gcd(N,Q)
1
sage: ecm(Q)
Found composite factor of 3 digits: 675
Composite cofactor ... has 1231 digits.
Q has a small factor. The large cofactor
is way too large to be factorized (today).
>> Q must be wrong.
sage: pow(pow(2,E,N),D,N)
2
sage: pow(pow(3,E,N),D,N)
3
sage: pow(pow(5,E,N),D,N)
5
sage: pow(pow(7,E,N),D,N)
7
sage: pow(pow(11,E,N),D,N)
11
sage: pow(pow(1000,E,N),D,N)
1000
>> x^D mod N is indeed the inverse of x^E mod N
>> D seems to be correct.
>> now compute
sage: Qcorrect = N/P
sage: is_prime(Qcorrect)
False
sage: is_pseudoprime(Qcorrect)
True
>> surprise, this is a sage artefact.
>> is_prime is supposed to tell if Qcorrect
>> is a provable prime, but these numbers are
>> too large for a proof.
sage: help(Qcorrect)
class Rational
...
>> oops, it is of course not a rational number.
sage: Qcorrect = Integer(N/P)
class Integer
...
>> okay now it is an integer.
sage: is_prime(Qcorrect)
>> takes way too long: press CTRL-C
sage: is_pseudoprime(Qcorrect)
True
>> so the correct Q seems to be a prime.
sage: Q-Qcorrect
4468358315186607582623830645994123175323958284313904132666602205502546750542721902065776801908141680869902222733839989940221831332787838985874881107673910358472026239723185949529735314601712865712198736991916521419325287976337589177915143787138292689484229106140251936135768934015263941567159094923493376
sage: hex(Q-Qcorrect)
'1a10400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
>> interesting, now figure out the bits that are flipped in Q:
Q ...20ddb67189f6dad...
Qcorrect ...20dd9c6149f6dad...
$ openssl rsa -in rsa8192.pem -outform der -out rsa8192.der
writing RSA key
$ xxd -ps < rsa8192.der > rsa8192.hex
$ sed "s/20ddb67189f6dad/20dd9c6149f6dad/" < rsa8192.hex > rsa8192.out
$ diff rsa8192.hex rsa8192.out
100c100
< 10b8095f420ddb67189f6dad62f1257b0f46e353a90eacc145c7db74998a
---
> 10b8095f420dd9c6149f6dad62f1257b0f46e353a90eacc145c7db74998a
>> et voila
$ xxd -ps -r < rsa8192.out > rsa8192.der
$ openssl rsa -inform der -in rsa8192.der -out rsa8192.pem
writing RSA key
$ openssl rsa -check -noout -in rsa8192.pem
RSA key ok
#$ git diff
#diff --git a/apps/rsa8192.pem b/apps/rsa8192.pem
#index 946a6e5..83d962f 100644
#--- a/apps/rsa8192.pem
#+++ b/apps/rsa8192.pem
#@@ -1,5 +1,4 @@
# -----BEGIN RSA PRIVATE KEY-----
#-
# MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ
# ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF
# MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY
#@@ -62,7 +61,7 @@ JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo
# yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ
# kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9
# DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN
#-22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
#+2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
# ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz
# D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP
# PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8
#@@ -98,4 +97,3 @@ TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c
# rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv
# I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8=
# -----END RSA PRIVATE KEY-----
#-
>> DONE.
Fixes #11776
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11783)
(cherry picked from commit 7ef43790617cb08b4bb4141df716dfb37385fe5c)
---
apps/rsa8192.pem | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/apps/rsa8192.pem b/apps/rsa8192.pem
index 946a6e5..83d962f 100644
--- a/apps/rsa8192.pem
+++ b/apps/rsa8192.pem
@@ -1,5 +1,4 @@
-----BEGIN RSA PRIVATE KEY-----
-
MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ
ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF
MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY
@@ -62,7 +61,7 @@ JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo
yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ
kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9
DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN
-22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
+2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz
D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP
PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8
@@ -98,4 +97,3 @@ TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c
rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv
I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8=
-----END RSA PRIVATE KEY-----
-
--
1.8.3.1

49
Fix-the-error-handling-in-EC_POINTs_mul.patch Normal file
View File

@ -0,0 +1,49 @@
From 5dc91f44a90b72f5c0a79ab9a19d0f2fa0bbac1f Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Mon, 6 Apr 2020 10:41:36 +0200
Subject: [PATCH 010/217] Fix the error handling in EC_POINTs_mul
This was pointed out by a false-positive
-fsanitizer warning ;-)
However from the cryptographical POV the
code is wrong:
A point R^0 on the wrong curve
is infinity on the wrong curve.
[extended tests]
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11475)
(cherry picked from commit 1eb9b54af7e00fa12196411964ce742ea8677766)
---
crypto/ec/ec_lib.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 3554ada..22b00e2 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
size_t i = 0;
BN_CTX *new_ctx = NULL;
- if ((scalar == NULL) && (num == 0)) {
- return EC_POINT_set_to_infinity(group, r);
- }
-
if (!ec_point_is_compat(r, group)) {
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
+
+ if (scalar == NULL && num == 0)
+ return EC_POINT_set_to_infinity(group, r);
+
for (i = 0; i < num; i++) {
if (!ec_point_is_compat(points[i], group)) {
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
--
1.8.3.1

40
Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch Normal file
View File

@ -0,0 +1,40 @@
From 7d66cb360c448361654a8ffff73e790c474ba302 Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Thu, 23 Apr 2020 12:42:51 +0200
Subject: [PATCH 035/217] Fix type cast in SSL_CTX_set1_groups macro
The macro casts the glist parameter to char*
instead of (int *) like the documentation of the function suggest.
Also the function tls1_set_groups that is called from SSL_CTX_ctrl
takes an int * argument. This looks like a copy&paste error from
SSL_CTX_set1_groups_list function.
CLA: trivial
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11614)
(cherry picked from commit 7ffce852372799b6cd856b711db21332f0048314)
---
include/openssl/ssl.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 6724ccf..b2cd11f 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1393,7 +1393,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_get1_groups(s, glist) \
SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist))
# define SSL_CTX_set1_groups(ctx, glist, glistlen) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist))
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(int *)(glist))
# define SSL_CTX_set1_groups_list(ctx, s) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s))
# define SSL_set1_groups(s, glist, glistlen) \
--
1.8.3.1

35
Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch Normal file
View File

@ -0,0 +1,35 @@
From d07e8b0ae66e96cda9c803de36e977fb7dfe941a Mon Sep 17 00:00:00 2001
From: "Dr. Matthias St. Pierre" <matthias.st.pierre@ncp-e.com>
Date: Wed, 6 May 2020 17:24:13 +0200
Subject: [PATCH 044/217] Fix use-after-free in BIO_C_SET_SSL callback
Since the BIO_SSL structure was renewed by `ssl_free(b)/ssl_new(b)`,
the `bs` pointer needs to be updated before assigning to `bs->ssl`.
Thanks to @suishixingkong for reporting the issue and providing a fix.
Closes #10539
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11746)
(cherry picked from commit 73d6b4efe6835a6c97ce61df6bf339b0903e5b7a)
---
ssl/bio_ssl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index ab9e666..efa23bf 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -284,6 +284,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
ssl_free(b);
if (!ssl_new(b))
return 0;
+ bs = BIO_get_data(b);
}
BIO_set_shutdown(b, num);
ssl = (SSL *)ptr;
--
1.8.3.1

34
Fix-wrong-return-value-check-of-mmap-function.patch Normal file
View File

@ -0,0 +1,34 @@
From b295a4dca17f00d412043b74393b86a16655fac0 Mon Sep 17 00:00:00 2001
From: Tristan Bauer <67098820+trisbauer@users.noreply.github.com>
Date: Thu, 18 Jun 2020 11:45:24 +0200
Subject: [PATCH 028/147] Fix wrong return value check of mmap function
The mmap function never returns NULL. If an error occurs, the function returns MAP_FAILED.
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12187)
(cherry picked from commit 1d78129dd205e3e85083a91c33540a70c51b0a23)
---
crypto/mem_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
index 9e0f670..8bcb050 100644
--- a/crypto/mem_sec.c
+++ b/crypto/mem_sec.c
@@ -502,7 +502,7 @@ static void sh_done(void)
OPENSSL_free(sh.freelist);
OPENSSL_free(sh.bittable);
OPENSSL_free(sh.bitmalloc);
- if (sh.map_result != NULL && sh.map_size)
+ if (sh.map_result != MAP_FAILED && sh.map_size)
munmap(sh.map_result, sh.map_size);
memset(&sh, 0, sizeof(sh));
}
--
1.8.3.1

39
Free-pre_proc_exts-in-SSL_free.patch Normal file
View File

@ -0,0 +1,39 @@
From bfbf06c4d29086f1c67ed38324a2c4a9f642d291 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mi=C5=82osz=20Kaniewski?= <milosz.kaniewski@gmail.com>
Date: Tue, 30 Jun 2020 21:46:38 +0200
Subject: [PATCH 038/147] Free pre_proc_exts in SSL_free()
Usually it will be freed in tls_early_post_process_client_hello().
However if a ClientHello callback will be used and will return
SSL_CLIENT_HELLO_RETRY then tls_early_post_process_client_hello()
may never come to the point where pre_proc_exts is freed.
Fixes #12194
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12330)
(cherry picked from commit 94941cada25433a7dca35b5b9f8cbb751ab65ab3)
---
ssl/ssl_lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f6a4964..433a537 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1200,6 +1200,8 @@ void SSL_free(SSL *s)
OPENSSL_free(s->ext.ocsp.resp);
OPENSSL_free(s->ext.alpn);
OPENSSL_free(s->ext.tls13_cookie);
+ if (s->clienthello != NULL)
+ OPENSSL_free(s->clienthello->pre_proc_exts);
OPENSSL_free(s->clienthello);
OPENSSL_free(s->pha_context);
EVP_MD_CTX_free(s->pha_dgst);
--
1.8.3.1

57
Integer-overflow-in-ASN1_STRING_set.patch Normal file
View File

@ -0,0 +1,57 @@
From 163897267fab6d29dff1a4bf8247f8e02e158be8 Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Mon, 6 Apr 2020 09:23:00 +1000
Subject: [PATCH 012/217] Integer overflow in ASN1_STRING_set.
Addressing a potential integer overflow condition.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11473)
(cherry picked from commit 96218269f4c2da82f143727fb7697d572c190bc5)
---
crypto/asn1/asn1_lib.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index a7d32ae..5cd0e16 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -268,18 +268,29 @@ ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str)
return ret;
}
-int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
+int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
{
unsigned char *c;
const char *data = _data;
+ size_t len;
- if (len < 0) {
+ if (len_in < 0) {
if (data == NULL)
return 0;
- else
- len = strlen(data);
+ len = strlen(data);
+ } else {
+ len = (size_t)len_in;
+ }
+ /*
+ * Verify that the length fits within an integer for assignment to
+ * str->length below. The additional 1 is subtracted to allow for the
+ * '\0' terminator even though this isn't strictly necessary.
+ */
+ if (len > INT_MAX - 1) {
+ ASN1err(0, ASN1_R_TOO_LARGE);
+ return 0;
}
- if ((str->length <= len) || (str->data == NULL)) {
+ if ((size_t)str->length <= len || str->data == NULL) {
c = str->data;
str->data = OPENSSL_realloc(c, len + 1);
if (str->data == NULL) {
--
1.8.3.1

41
Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch Normal file
View File

@ -0,0 +1,41 @@
From ec5aad1ca26599bcaddc3a03708fb925b21f3b6c Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Thu, 28 May 2020 19:03:37 +0200
Subject: [PATCH 005/147] Make BIO_do_connect() and friends handle multiple IP
addresses
Backport of #11971
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11989)
---
crypto/bio/bss_conn.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index dd43a40..f4c6b85 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -186,8 +186,17 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
case BIO_CONN_S_BLOCKED_CONNECT:
i = BIO_sock_error(b->num);
- if (i) {
+ if (i != 0) {
BIO_clear_retry_flags(b);
+ if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter)) != NULL) {
+ /*
+ * if there are more addresses to try, do that first
+ */
+ BIO_closesocket(b->num);
+ c->state = BIO_CONN_S_CREATE_SOCKET;
+ ERR_clear_error();
+ break;
+ }
SYSerr(SYS_F_CONNECT, i);
ERR_add_error_data(4,
"hostname=", c->param_hostname,
--
1.8.3.1

65
Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch Normal file
View File

@ -0,0 +1,65 @@
From 7844f3c784bfc93c9b94ae5a4082f9d01e82e0af Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 14 Oct 2020 15:13:28 +0100
Subject: [PATCH 083/147] Pass an EVP_PKEY for SSL_SECOP_TMP_DH in the security
callback
The security operation SSL_SECOP_TMP_DH is defined to take an EVP_PKEY
in the "other" parameter:
/* Temporary DH key */
# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY)
In most places this is what is passed. All these places occur server side.
However there is one client side call of this security operation and it
passes a DH object instead. This is incorrect according to the
definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other
locations.
Our own default security callback, and the debug callback in the apps,
never look at this value and therefore this issue was never noticed
previously. In theory a client side application could be relying on this
behaviour and could be broken by this change. This is probably fairly
unlikely but can't be ruled out.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13136)
---
ssl/statem/statem_clnt.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 64e392c..3bf8aac 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2145,18 +2145,19 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
}
bnpub_key = NULL;
- if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
- SSL_R_DH_KEY_TOO_SMALL);
- goto err;
- }
-
if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
ERR_R_EVP_LIB);
goto err;
}
+ if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp),
+ 0, peer_tmp)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
+ SSL_R_DH_KEY_TOO_SMALL);
+ goto err;
+ }
+
s->s3->peer_tmp = peer_tmp;
/*
--
1.8.3.1

35
Prevent-use-after-free-of-global_engine_lock.patch Normal file
View File

@ -0,0 +1,35 @@
From e512efe0894481679a5d3c57d10bf4ea97046c2a Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 21 May 2020 13:16:57 +0200
Subject: [PATCH 064/217] Prevent use after free of global_engine_lock
If buggy application calls engine functions after cleanup of engines
already happened the global_engine_lock will be used although
already freed.
See for example:
https://bugzilla.redhat.com/show_bug.cgi?id=1831086
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11896)
(cherry picked from commit e12813d0d31f4f7be2ccc592d382ef3e94bdb842)
---
crypto/engine/eng_lib.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c
index b851ff6..dd87eba 100644
--- a/crypto/engine/eng_lib.c
+++ b/crypto/engine/eng_lib.c
@@ -171,6 +171,7 @@ void engine_cleanup_int(void)
cleanup_stack = NULL;
}
CRYPTO_THREAD_lock_free(global_engine_lock);
+ global_engine_lock = NULL;
}
/* Now the "ex_data" support */
--
1.8.3.1

35
Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch Normal file
View File

@ -0,0 +1,35 @@
From 46fe1c7caee1442ead1f7c780e5c50045a00f76e Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Wed, 3 Jun 2020 21:38:20 +0200
Subject: [PATCH 013/147] Replace BUF_strdup() call by OPENSSL_strdup() adding
failure check in bss_acpt.c
Add OPENSSL_strdup failure check to cpt_ctrl() in bss_acpt.c
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12036)
---
crypto/bio/bss_acpt.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c
index 5a2cb50..4461eae 100644
--- a/crypto/bio/bss_acpt.c
+++ b/crypto/bio/bss_acpt.c
@@ -434,8 +434,10 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
b->init = 1;
} else if (num == 1) {
OPENSSL_free(data->param_serv);
- data->param_serv = BUF_strdup(ptr);
- b->init = 1;
+ if ((data->param_serv = OPENSSL_strdup(ptr)) == NULL)
+ ret = 0;
+ else
+ b->init = 1;
} else if (num == 2) {
data->bind_mode |= BIO_SOCK_NONBLOCK;
} else if (num == 3) {
--
1.8.3.1

90
Revert-the-check-for-NaN-in-f-format.patch Normal file
View File

@ -0,0 +1,90 @@
From 3fc83feae0bc3fcfbb7cfc8a927bb4a888a7663b Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun, 31 May 2020 07:51:23 +0200
Subject: [PATCH 006/147] Revert the check for NaN in %f format
Unfortunately -Ofast seems to break that check.
Fixes #11994
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12003)
(cherry picked from commit 41dccd68b9b9b7622b26d264c5fa190aa5bd4201)
---
crypto/bio/b_print.c | 4 +---
test/bioprinttest.c | 33 ---------------------------------
2 files changed, 1 insertion(+), 36 deletions(-)
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 48556f7..2f68fe7 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -638,10 +638,8 @@ fmtfp(char **sbuffer,
/*
* By subtracting 65535 (2^16-1) we cancel the low order 15 bits
* of ULONG_MAX to avoid using imprecise floating point values.
- * The second condition is necessary to catch NaN values.
*/
- if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0
- || !(ufvalue == ufvalue) /* NaN */) {
+ if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0) {
/* Number too big */
return 0;
}
diff --git a/test/bioprinttest.c b/test/bioprinttest.c
index e37b854..e97de03 100644
--- a/test/bioprinttest.c
+++ b/test/bioprinttest.c
@@ -241,48 +241,15 @@ static int test_fp(int i)
return r;
}
-extern double zero_value;
-double zero_value = 0.0;
-
static int test_big(void)
{
char buf[80];
- double d, z, inf, nan;
/* Test excessively big number. Should fail */
if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
"%f\n", 2 * (double)ULONG_MAX), -1))
return 0;
- d = 1.0;
- z = zero_value;
- inf = d / z;
- nan = z / z;
-
- /*
- * Test +/-inf, nan. Should fail.
- * Test +/-1.0, +/-0.0. Should work.
- */
- if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
- "%f", inf), -1)
- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
- "%f", -inf), -1)
- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
- "%f", nan), -1)
- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
- "%f", d), 8)
- || !TEST_str_eq(buf, "1.000000")
- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
- "%f", z), 8)
- || !TEST_str_eq(buf, "0.000000")
- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
- "%f", -d), 9)
- || !TEST_str_eq(buf, "-1.000000")
- || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
- "%f", -z), 8)
- || !TEST_str_eq(buf, "0.000000"))
- return 0;
-
return 1;
}
--
1.8.3.1

96
Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch Normal file
View File

@ -0,0 +1,96 @@
From 56e8fe0b4efbf582e40ae91319727c9d176c5e1e Mon Sep 17 00:00:00 2001
From: Norman Ashley <nashley@cisco.com>
Date: Fri, 10 Jul 2020 19:01:32 -0400
Subject: [PATCH 071/147] Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP
sign
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK.
If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail
because the X509_check_private_key() can fail.
The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c
as a common place to check. Checks in ssl_rsa.c were removed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12419)
---
crypto/rsa/rsa_ameth.c | 9 +++++++++
ssl/ssl_rsa.c | 26 --------------------------
2 files changed, 9 insertions(+), 26 deletions(-)
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 6692a51..cc686fc 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -118,6 +118,15 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
+ /*
+ * Don't check the public/private key, this is mostly for smart
+ * cards.
+ */
+ if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
+ || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) {
+ return 1;
+ }
+
if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
|| BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
return 0;
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index b969352..51abd27 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -148,15 +148,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
EVP_PKEY_copy_parameters(pktmp, pkey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
- /*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
- if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
- && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
- else
-#endif
if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
X509_free(c->pkeys[i].x509);
c->pkeys[i].x509 = NULL;
@@ -342,16 +333,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
- /*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
- if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
- && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
- RSA_METHOD_FLAG_NO_CHECK) ;
- else
-#endif /* OPENSSL_NO_RSA */
if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
/*
* don't fail for a cert/key mismatch, just free current private
@@ -1082,13 +1063,6 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr
EVP_PKEY_copy_parameters(pubkey, privatekey);
} /* else both have parameters */
- /* Copied from ssl_set_cert/pkey */
-#ifndef OPENSSL_NO_RSA
- if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&
- ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK)))
- /* no-op */ ;
- else
-#endif
/* check that key <-> cert match */
if (EVP_PKEY_cmp(pubkey, privatekey) != 1) {
SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);
--
1.8.3.1

151
Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch Normal file
View File

@ -0,0 +1,151 @@
From 6b4b92d7f212caf4c525af4bf0c35fbbf5f38a3b Mon Sep 17 00:00:00 2001
From: raja-ashok <rashok.svks@gmail.com>
Date: Sun, 10 May 2020 22:47:00 +0530
Subject: [PATCH 053/217] Test TLSv1.3 out-of-band PSK with all 5 ciphersuites
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11809)
---
test/sslapitest.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 109 insertions(+), 1 deletion(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index b3cd30d..62d22e8 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -2129,8 +2129,11 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
#define MSG6 "test"
#define MSG7 "message."
-#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
+#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
+#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
+#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
+#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
static SSL_SESSION *create_a_psk(SSL *ssl)
@@ -3059,6 +3062,110 @@ static int test_early_data_psk(int idx)
}
/*
+ * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
+ * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
+ * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
+ * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+ * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
+ * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
+ */
+static int test_early_data_psk_with_all_ciphers(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ SSL_SESSION *sess = NULL;
+ unsigned char buf[20];
+ size_t readbytes, written;
+ const SSL_CIPHER *cipher;
+ const char *cipher_str[] = {
+ TLS1_3_RFC_AES_128_GCM_SHA256,
+ TLS1_3_RFC_AES_256_GCM_SHA384,
+# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+# else
+ NULL,
+# endif
+ TLS1_3_RFC_AES_128_CCM_SHA256,
+ TLS1_3_RFC_AES_128_CCM_8_SHA256
+ };
+ const unsigned char *cipher_bytes[] = {
+ TLS13_AES_128_GCM_SHA256_BYTES,
+ TLS13_AES_256_GCM_SHA384_BYTES,
+# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ TLS13_CHACHA20_POLY1305_SHA256_BYTES,
+# else
+ NULL,
+# endif
+ TLS13_AES_128_CCM_SHA256_BYTES,
+ TLS13_AES_128_CCM_8_SHA256_BYTES
+ };
+
+ if (cipher_str[idx] == NULL)
+ return 1;
+
+ /* We always set this up with a final parameter of "2" for PSK */
+ if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
+ &serverssl, &sess, 2)))
+ goto end;
+
+ if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
+ || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
+ goto end;
+
+ /*
+ * 'setupearly_data_test' creates only one instance of SSL_SESSION
+ * and assigns to both client and server with incremented reference
+ * and the same instance is updated in 'sess'.
+ * So updating ciphersuite in 'sess' which will get reflected in
+ * PSK handshake using psk use sess and find sess cb.
+ */
+ cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
+ if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
+ goto end;
+
+ SSL_set_connect_state(clientssl);
+ if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
+ &written)))
+ goto end;
+
+ if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
+ &readbytes),
+ SSL_READ_EARLY_DATA_SUCCESS)
+ || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
+ || !TEST_int_eq(SSL_get_early_data_status(serverssl),
+ SSL_EARLY_DATA_ACCEPTED)
+ || !TEST_int_eq(SSL_connect(clientssl), 1)
+ || !TEST_int_eq(SSL_accept(serverssl), 1))
+ goto end;
+
+ /* Send some normal data from client to server */
+ if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
+ || !TEST_size_t_eq(written, strlen(MSG2)))
+ goto end;
+
+ if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
+ || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
+ goto end;
+
+ testresult = 1;
+ end:
+ SSL_SESSION_free(sess);
+ SSL_SESSION_free(clientpsk);
+ SSL_SESSION_free(serverpsk);
+ clientpsk = serverpsk = NULL;
+ if (clientssl != NULL)
+ SSL_shutdown(clientssl);
+ if (serverssl != NULL)
+ SSL_shutdown(serverssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ return testresult;
+}
+
+/*
* Test that a server that doesn't try to read early data can handle a
* client sending some.
*/
@@ -6549,6 +6656,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_early_data_skip_abort, 3);
ADD_ALL_TESTS(test_early_data_not_sent, 3);
ADD_ALL_TESTS(test_early_data_psk, 8);
+ ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
ADD_ALL_TESTS(test_early_data_not_expected, 3);
# ifndef OPENSSL_NO_TLS1_2
ADD_ALL_TESTS(test_early_data_tls1_2, 3);
--
1.8.3.1

36
Update-EVP_EncodeInit.pod.patch Normal file
View File

@ -0,0 +1,36 @@
From 7a989af7386e97add7c759fda688c5d2e79e812e Mon Sep 17 00:00:00 2001
From: Read Hughes <hughes.read@gmail.com>
Date: Thu, 23 Jul 2020 10:25:28 -0400
Subject: [PATCH 057/147] Update EVP_EncodeInit.pod
Fix EVP_EncodeBlock description using incorrect parameter name for encoding length
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12518)
(cherry picked from commit 1660c8fa6be2d7c4587e490c88a44a870e9b4298)
---
doc/man3/EVP_EncodeInit.pod | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/man3/EVP_EncodeInit.pod b/doc/man3/EVP_EncodeInit.pod
index 8055b10..2589254 100644
--- a/doc/man3/EVP_EncodeInit.pod
+++ b/doc/man3/EVP_EncodeInit.pod
@@ -83,8 +83,8 @@ EVP_ENCODE_CTX_num() will return the number of as yet unprocessed bytes still to
be encoded or decoded that are pending in the B<ctx> object.
EVP_EncodeBlock() encodes a full block of input data in B<f> and of length
-B<dlen> and stores it in B<t>. For every 3 bytes of input provided 4 bytes of
-output data will be produced. If B<dlen> is not divisible by 3 then the block is
+B<n> and stores it in B<t>. For every 3 bytes of input provided 4 bytes of
+output data will be produced. If B<n> is not divisible by 3 then the block is
encoded as a final block of data and the output is padded such that it is always
divisible by 4. Additionally a NUL terminator character will be added. For
example if 16 bytes of input data is provided then 24 bytes of encoded data is
--
1.8.3.1

32
Use-size-of-target-buffer-for-allocation.patch Normal file
View File

@ -0,0 +1,32 @@
From ae9bcce2ab57d19119a85788eb48f8e8ba8ed3ee Mon Sep 17 00:00:00 2001
From: Benny Baumann <BenBE@geshi.org>
Date: Fri, 2 Oct 2020 01:04:06 +0200
Subject: [PATCH 078/147] Use size of target buffer for allocation
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13055)
(cherry picked from commit 8ad369171fc2b435c0ca427111481da4d4c3c1ce)
---
ssl/ssl_sess.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 40c157b..423bb4d 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -107,7 +107,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
- dest = OPENSSL_malloc(sizeof(*src));
+ dest = OPENSSL_malloc(sizeof(*dest));
if (dest == NULL) {
goto err;
}
--
1.8.3.1

43
Verification-zero-length-content-in-S-MIME-format.patch Normal file
View File

@ -0,0 +1,43 @@
From 6f1bee08cf80b9473496991b51f1f4a0decd96de Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 9 Oct 2020 20:04:05 +0300
Subject: [PATCH 095/147] Verification zero-length content in S/MIME format
Fixes #13082
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13106)
---
crypto/cms/cms_smime.c | 2 +-
crypto/pkcs7/pk7_smime.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 652e97b..2c475ea 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -341,7 +341,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
char *ptr;
long len;
len = BIO_get_mem_data(dcont, &ptr);
- tmpin = BIO_new_mem_buf(ptr, len);
+ tmpin = (len == 0) ? dcont : BIO_new_mem_buf(ptr, len);
if (tmpin == NULL) {
CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE);
goto err2;
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 4418723..4ce44d8 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -301,7 +301,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
char *ptr;
long len;
len = BIO_get_mem_data(indata, &ptr);
- tmpin = BIO_new_mem_buf(ptr, len);
+ tmpin = (len == 0) ? indata : BIO_new_mem_buf(ptr, len);
if (tmpin == NULL) {
PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
--
1.8.3.1

103
bio-printf-Avoid-using-rounding-errors-in-range-chec.patch Normal file
View File

@ -0,0 +1,103 @@
From 7d76c1fa0d6cd085419cb4cfadad8cfdfd24ce1f Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Mon, 25 May 2020 20:13:47 +0200
Subject: [PATCH 004/147] bio printf: Avoid using rounding errors in range
check
There is a problem casting ULONG_MAX to double which clang-10 is warning about.
ULONG_MAX typically cannot be exactly represented as a double. ULONG_MAX + 1
can be and this fix uses the latter, however since ULONG_MAX cannot be
represented exactly as a double number we subtract 65535 from this number,
and the result has at most 48 leading one bits, and can therefore be
represented as a double integer without rounding error. By adding
65536.0 to this number we achive the correct result, which should avoid the
warning.
The addresses a symptom of the underlying problem: we print doubles via an
unsigned long integer. Doubles have a far greater range and should be printed
better.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11955)
(cherry picked from commit 082c041b4233b17b80129d4ac6b33a28014442b0)
---
crypto/bio/b_print.c | 8 +++++++-
test/bioprinttest.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 8ef90ac..48556f7 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -635,7 +635,13 @@ fmtfp(char **sbuffer,
fvalue = tmpvalue;
}
ufvalue = abs_val(fvalue);
- if (ufvalue > ULONG_MAX) {
+ /*
+ * By subtracting 65535 (2^16-1) we cancel the low order 15 bits
+ * of ULONG_MAX to avoid using imprecise floating point values.
+ * The second condition is necessary to catch NaN values.
+ */
+ if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0
+ || !(ufvalue == ufvalue) /* NaN */) {
/* Number too big */
return 0;
}
diff --git a/test/bioprinttest.c b/test/bioprinttest.c
index 680391e..e37b854 100644
--- a/test/bioprinttest.c
+++ b/test/bioprinttest.c
@@ -241,14 +241,48 @@ static int test_fp(int i)
return r;
}
+extern double zero_value;
+double zero_value = 0.0;
+
static int test_big(void)
{
char buf[80];
+ double d, z, inf, nan;
/* Test excessively big number. Should fail */
if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
"%f\n", 2 * (double)ULONG_MAX), -1))
return 0;
+
+ d = 1.0;
+ z = zero_value;
+ inf = d / z;
+ nan = z / z;
+
+ /*
+ * Test +/-inf, nan. Should fail.
+ * Test +/-1.0, +/-0.0. Should work.
+ */
+ if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
+ "%f", inf), -1)
+ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
+ "%f", -inf), -1)
+ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
+ "%f", nan), -1)
+ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
+ "%f", d), 8)
+ || !TEST_str_eq(buf, "1.000000")
+ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
+ "%f", z), 8)
+ || !TEST_str_eq(buf, "0.000000")
+ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
+ "%f", -d), 9)
+ || !TEST_str_eq(buf, "-1.000000")
+ || !TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
+ "%f", -z), 8)
+ || !TEST_str_eq(buf, "0.000000"))
+ return 0;
+
return 1;
}
--
1.8.3.1

38
crypto-poly1305-asm-fix-armv8-pointer-authentication.patch Normal file
View File

@ -0,0 +1,38 @@
From 5795acffd8706e1cb584284ee5bb3a30986d0e75 Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel <ard.biesheuvel@arm.com>
Date: Tue, 27 Oct 2020 18:02:40 +0100
Subject: [PATCH 091/147] crypto/poly1305/asm: fix armv8 pointer authentication
PAC pointer authentication signs the return address against the value
of the stack pointer, to prevent stack overrun exploits from corrupting
the control flow. However, this requires that the AUTIASP is issued with
SP holding the same value as it held when the PAC value was generated.
The Poly1305 armv8 code got this wrong, resulting in crashes on PAC
capable hardware.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13256)
(cherry picked from commit fcf6e9d056162d5af64c6f7209388a5c3be2ce57)
---
crypto/poly1305/asm/poly1305-armv8.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl
index d07494b..2a42b64 100755
--- a/crypto/poly1305/asm/poly1305-armv8.pl
+++ b/crypto/poly1305/asm/poly1305-armv8.pl
@@ -864,8 +864,8 @@ poly1305_blocks_neon:
st1 {$ACC4}[0],[$ctx]
.Lno_data_neon:
- .inst 0xd50323bf // autiasp
ldr x29,[sp],#80
+ .inst 0xd50323bf // autiasp
ret
.size poly1305_blocks_neon,.-poly1305_blocks_neon
--
1.8.3.1

42
doc-Fix-documentation-of-EVP_EncryptUpdate.patch Normal file
View File

@ -0,0 +1,42 @@
From a47dd08d6cacc64536c2f57e0f0aee03dcfaab3d Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Tue, 14 Jul 2020 08:39:32 +1000
Subject: [PATCH 052/147] doc: Fix documentation of EVP_EncryptUpdate().
The documentation was off by one for the length this function could return.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12435)
(cherry picked from commit 3fc164e8d18dcdef57d297956debf8d966e7fbef)
---
doc/man3/EVP_EncryptInit.pod | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 2828bca..23ddf91 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -146,10 +146,15 @@ appropriate.
EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
writes the encrypted version to B<out>. This function can be called
multiple times to encrypt successive blocks of data. The amount
-of data written depends on the block alignment of the encrypted data:
-as a result the amount of data written may be anything from zero bytes
-to (inl + cipher_block_size - 1) so B<out> should contain sufficient
-room. The actual number of bytes written is placed in B<outl>. It also
+of data written depends on the block alignment of the encrypted data.
+For most ciphers and modes, the amount of data written can be anything
+from zero bytes to (inl + cipher_block_size - 1) bytes.
+For wrap cipher modes, the amount of data written can be anything
+from zero bytes to (inl + cipher_block_size) bytes.
+For stream ciphers, the amount of data written can be anything from zero
+bytes to inl bytes.
+Thus, B<out> should contain sufficient room for the operation being performed.
+The actual number of bytes written is placed in B<outl>. It also
checks if B<in> and B<out> are partially overlapping, and if they are
0 is returned to indicate failure.
--
1.8.3.1

43
doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch Normal file
View File

@ -0,0 +1,43 @@
From 7bdf1ee8ccb69a743e29e3d1a72194c30e8583ae Mon Sep 17 00:00:00 2001
From: pedro martelletto <pedro@ambientworks.net>
Date: Wed, 24 Jun 2020 17:48:00 +0200
Subject: [PATCH 029/147] doc/man3: fix types taken by HMAC(), HMAC_Update()
HMAC() and HMAC_Update() take size_t for 'n' and 'len' respectively.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12264)
(cherry picked from commit cc63865f336e0144f8501aa0a862ba0247a50622)
---
doc/man3/HMAC.pod | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/man3/HMAC.pod b/doc/man3/HMAC.pod
index 30c0e6b..cc0d470 100644
--- a/doc/man3/HMAC.pod
+++ b/doc/man3/HMAC.pod
@@ -21,7 +21,7 @@ HMAC_size
#include <openssl/hmac.h>
unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
- int key_len, const unsigned char *d, int n,
+ int key_len, const unsigned char *d, size_t n,
unsigned char *md, unsigned int *md_len);
HMAC_CTX *HMAC_CTX_new(void);
@@ -29,7 +29,7 @@ HMAC_size
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
const EVP_MD *md, ENGINE *impl);
- int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
+ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
void HMAC_CTX_free(HMAC_CTX *ctx);
--
1.8.3.1

34
fix-a-docs-typo.patch Normal file
View File

@ -0,0 +1,34 @@
From 315170f662b3053aa9fe817639e1b78f74f75077 Mon Sep 17 00:00:00 2001
From: Jack O'Connor <oconnor663@gmail.com>
Date: Thu, 28 May 2020 12:42:15 -0400
Subject: [PATCH 008/147] fix a docs typo
Correct "EC_KEY_point2buf" to "EC_POINT_point2buf". The former does not exist.
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11988)
(cherry picked from commit a5a87011baeef71c86938a2bae54f89fbe99e5dc)
---
doc/man3/EC_KEY_new.pod | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man3/EC_KEY_new.pod b/doc/man3/EC_KEY_new.pod
index 9d32d78..21663a0 100644
--- a/doc/man3/EC_KEY_new.pod
+++ b/doc/man3/EC_KEY_new.pod
@@ -122,7 +122,7 @@ EC_KEY_precompute_mult() stores multiples of the underlying EC_GROUP generator
for faster point multiplication. See also L<EC_POINT_add(3)>.
EC_KEY_oct2key() and EC_KEY_key2buf() are identical to the functions
-EC_POINT_oct2point() and EC_KEY_point2buf() except they use the public key
+EC_POINT_oct2point() and EC_POINT_point2buf() except they use the public key
EC_POINT in B<eckey>.
EC_KEY_oct2priv() and EC_KEY_priv2oct() convert between the private key
--
1.8.3.1

33
fixed-swapped-parameters-descriptions-for-x509.patch Normal file
View File

@ -0,0 +1,33 @@
From 48fc6cd59c6d4a8f6ecd57d85d6ef4e6373ff147 Mon Sep 17 00:00:00 2001
From: Nihal Jere <nihal@nihaljere.xyz>
Date: Tue, 21 Jul 2020 11:31:01 -0500
Subject: [PATCH 055/147] fixed swapped parameters descriptions for x509
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12505)
---
apps/x509.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index 5bb110f..1043eba 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -140,9 +140,9 @@ const OPTIONS x509_options[] = {
{"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_MD5
{"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
- "Print old-style (MD5) issuer hash value"},
- {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
"Print old-style (MD5) subject hash value"},
+ {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
+ "Print old-style (MD5) issuer hash value"},
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
--
1.8.3.1

33
fuzz-asn1.c-Add-missing-include.patch Normal file
View File

@ -0,0 +1,33 @@
From 1ab9298e43b6023f4083609493f20e354aa7faab Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Sat, 25 Apr 2020 04:11:09 +0200
Subject: [PATCH 037/217] fuzz/asn1.c: Add missing #include
<openssl/dsa.h> gets included via ts.h... except when 'no-ts' has been
configured.
Fixes #11597
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11640)
(cherry picked from commit 60ebc0ca5a829e2ae939a9ab13658af202b6dfc7)
---
fuzz/asn1.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fuzz/asn1.c b/fuzz/asn1.c
index fd2271b..d3148c0 100644
--- a/fuzz/asn1.c
+++ b/fuzz/asn1.c
@@ -20,6 +20,7 @@
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/dh.h>
+#include <openssl/dsa.h>
#include <openssl/ec.h>
#include <openssl/ocsp.h>
#include <openssl/pkcs12.h>
--
1.8.3.1

38
i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch Normal file
View File

@ -0,0 +1,38 @@
From a5ae257ed2d046105cff99d72d2d1335091a3515 Mon Sep 17 00:00:00 2001
From: Christian Hohnstaedt <christian@hohnstaedt.de>
Date: Sun, 22 Mar 2020 09:41:30 +0100
Subject: [PATCH 036/217] i2b_PVK_bio: don't set PEM_R_BIO_WRITE_FAILURE in
case of success
but in case of an error
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11380)
(cherry picked from commit 80b94a5adb461f94629d36db351a051b0a890856)
---
crypto/pem/pvkfmt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 1fc19c1..46ed2ec 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -875,9 +875,9 @@ int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
wrlen = BIO_write(out, tmp, outlen);
OPENSSL_free(tmp);
if (wrlen == outlen) {
- PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE);
return outlen;
}
+ PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE);
return -1;
}
--
1.8.3.1

79
openssl.spec
View File

@ -2,7 +2,7 @@
Name: openssl
Epoch: 1
Version: 1.1.1f
Release: 3
Release: 8
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay
URL: https://www.openssl.org/
@ -11,12 +11,74 @@ Source1: Makefile.certificate
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-fips.patch
Patch3: CVE-2020-1967.patch
Patch4: CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch
Patch5: CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
Patch6: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch
Patch7: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch
Patch8: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch
Patch9: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch
Patch4: Ensure-ECDSA_size-always-returns-0.patch
Patch5: Fix-the-error-handling-in-EC_POINTs_mul.patch
Patch6: Integer-overflow-in-ASN1_STRING_set.patch
Patch7: AES-CTR-DRGB-do-not-leak-timing-information.patch
Patch8: Fix-AES-CTR_DRBG-on-1.1.1.patch
Patch9: BIO_do_accept-correct-error-return-value.patch
Patch10: Add-test-for-CVE-2020-1967.patch
Patch11: EC-Constify-internal-EC_KEY-pointer-usage.patch
Patch12: EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch
Patch13: BN-harden-BN_copy-against-leaks-from-memory-accesses.patch
Patch14: Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch
Patch15: i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch
Patch16: fuzz-asn1.c-Add-missing-include.patch
Patch17: Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch
Patch18: Fix-PEM-certificate-loading-that-sometimes-fails.patch
Patch19: Fix-rsa8192.pem.patch
Patch20: Correct-alignment-calculation-in-ssl3_setup_write.patch
Patch21: Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch
Patch22: Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch
Patch23: Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch
Patch24: Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch
Patch25: t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch
Patch26: Fix-d2i_PrivateKey-to-work-as-documented.patch
Patch27: Prevent-use-after-free-of-global_engine_lock.patch
Patch28: Allow-NULL-arg-to-OSSL_STORE_close.patch
Patch29: EVP_EncryptInit.pod-fix-example.patch
Patch30: bio-printf-Avoid-using-rounding-errors-in-range-chec.patch
Patch31: Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch
Patch32: Revert-the-check-for-NaN-in-f-format.patch
Patch33: fix-a-docs-typo.patch
Patch34: Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch
Patch35: Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch
Patch36: Do-not-allow-dropping-Extended-Master-Secret-extensi.patch
Patch37: EVP-allow-empty-strings-to-EVP_Decode-functions.patch
Patch38: CMS_get0_signers-description.patch
Patch39: Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch
Patch40: Correctly-handle-the-return-value-from-EVP_Cipher-in.patch
Patch41: Fix-wrong-return-value-check-of-mmap-function.patch
Patch42: doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch
Patch43: Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch
Patch44: Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch
Patch45: Add-an-SSL_dup-test.patch
Patch46: Free-pre_proc_exts-in-SSL_free.patch
Patch47: Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch
Patch48: x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch
Patch49: doc-Fix-documentation-of-EVP_EncryptUpdate.patch
Patch50: Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch
Patch51: fixed-swapped-parameters-descriptions-for-x509.patch
Patch52: Update-EVP_EncodeInit.pod.patch
Patch53: Avoid-segfault-in-SSL_export_keying_material-if-ther.patch
Patch54: sslapitest-Add-test-for-premature-call-of-SSL_export.patch
Patch55: Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch
Patch56: Coverity-Fixes.patch
Patch57: Fix-memory-leaks-in-conf_def.c.patch
Patch58: Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch
Patch59: Use-size-of-target-buffer-for-allocation.patch
Patch60: Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch
Patch61: Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch
Patch62: Avoid-potential-doublefree-on-dh-object-assigned-to-.patch
Patch63: Fix-AES-GCM-bug-on-aarch64-BigEndian.patch
Patch64: crypto-poly1305-asm-fix-armv8-pointer-authentication.patch
Patch65: Verification-zero-length-content-in-S-MIME-format.patch
Patch66: CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch
Patch67: CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
Patch68: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch
Patch69: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch
Patch70: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch
Patch71: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch
BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel
@ -193,6 +255,9 @@ make test || :
%{_pkgdocdir}/html/
%changelog
* Tue Feb 09 2021 Liufeng <liufeng111@huawei.com> - 1:1.1.1f-8
- backport some bugfix patches from OpenSSL community and reset the release
* Mon Jan 19 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-3
- fix CVE-2020-1971

45
sslapitest-Add-test-for-premature-call-of-SSL_export.patch Normal file
View File

@ -0,0 +1,45 @@
From 46a9ee8c796c8b5f8d95290676119b4f3d72be91 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 6 Aug 2020 15:14:29 +0200
Subject: [PATCH 061/147] sslapitest: Add test for premature call of
SSL_export_keying_material
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12594)
(cherry picked from commit ea9f6890eb54e4b9e8b81cc1318ca3a6fc0c8356)
---
test/sslapitest.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 5220722..ad1824c 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -4432,9 +4432,20 @@ static int test_export_key_mat(int tst)
SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
- NULL))
- || !TEST_true(create_ssl_connection(serverssl, clientssl,
- SSL_ERROR_NONE)))
+ NULL)))
+ goto end;
+
+ /*
+ * Premature call of SSL_export_keying_material should just fail.
+ */
+ if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
+ sizeof(ckeymat1), label,
+ SMALL_LABEL_LEN + 1, context,
+ sizeof(context) - 1, 1), 0))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
goto end;
if (tst == 5) {
--
1.8.3.1

72
t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch Normal file
View File

@ -0,0 +1,72 @@
From cf94e8430f3cd7c17f62b74443d16347b4b97ac8 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 19 May 2020 10:52:53 +0200
Subject: [PATCH 061/217] t1_trce: Fix remaining places where the 24 bit shift
overflow happens
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11857)
(cherry picked from commit 7486c718e54cc762edc5f1c7c526ab83d0f97ef7)
---
ssl/t1_trce.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 5c84339..edd839a 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -656,7 +656,10 @@ static int ssl_print_random(BIO *bio, int indent,
if (*pmsglen < 32)
return 0;
- tm = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+ tm = ((unsigned int)p[0] << 24)
+ | ((unsigned int)p[1] << 16)
+ | ((unsigned int)p[2] << 8)
+ | (unsigned int)p[3];
p += 4;
BIO_indent(bio, indent, 80);
BIO_puts(bio, "Random:\n");
@@ -864,8 +867,10 @@ static int ssl_print_extension(BIO *bio, int indent, int server,
break;
if (extlen != 4)
return 0;
- max_early_data = (ext[0] << 24) | (ext[1] << 16) | (ext[2] << 8)
- | ext[3];
+ max_early_data = ((unsigned int)ext[0] << 24)
+ | ((unsigned int)ext[1] << 16)
+ | ((unsigned int)ext[2] << 8)
+ | (unsigned int)ext[3];
BIO_indent(bio, indent + 2, 80);
BIO_printf(bio, "max_early_data=%u\n", max_early_data);
break;
@@ -1356,7 +1361,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl,
}
if (msglen < 4)
return 0;
- tick_life = (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3];
+ tick_life = ((unsigned int)msg[0] << 24)
+ | ((unsigned int)msg[1] << 16)
+ | ((unsigned int)msg[2] << 8)
+ | (unsigned int)msg[3];
msglen -= 4;
msg += 4;
BIO_indent(bio, indent + 2, 80);
@@ -1367,7 +1375,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl,
if (msglen < 4)
return 0;
ticket_age_add =
- (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3];
+ ((unsigned int)msg[0] << 24)
+ | ((unsigned int)msg[1] << 16)
+ | ((unsigned int)msg[2] << 8)
+ | (unsigned int)msg[3];
msglen -= 4;
msg += 4;
BIO_indent(bio, indent + 2, 80);
--
1.8.3.1

151
x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch Normal file
View File

@ -0,0 +1,151 @@
From 42bb51e59308b3ebc5cc1c35ff4822fba6b52d79 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Fri, 3 Jul 2020 21:19:55 +0200
Subject: [PATCH 051/147] x509_vfy.c: Improve key usage checks in
internal_verify() of cert chains
If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.
Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12357)
---
crypto/x509/x509_vfy.c | 46 ++++++++++++++++++++++++--------
doc/man1/verify.pod | 7 +++--
doc/man3/X509_VERIFY_PARAM_set_flags.pod | 13 +++++----
3 files changed, 48 insertions(+), 18 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 87b51e9..f30c0f8 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1716,6 +1716,7 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
return 1;
}
+/* verify the issuer signatures and cert times of ctx->chain */
static int internal_verify(X509_STORE_CTX *ctx)
{
int n = sk_X509_num(ctx->chain) - 1;
@@ -1734,7 +1735,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
}
if (ctx->check_issued(ctx, xi, xi))
- xs = xi;
+ xs = xi; /* the typical case: last cert in the chain is self-issued */
else {
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
xs = xi;
@@ -1754,26 +1755,49 @@ static int internal_verify(X509_STORE_CTX *ctx)
*/
while (n >= 0) {
/*
- * Skip signature check for self-issued certificates unless explicitly
+ * For each iteration of this loop:
+ * n is the subject depth
+ * xs is the subject cert, for which the signature is to be checked
+ * xi is the supposed issuer cert containing the public key to use
+ * Initially xs == xi if the last cert in the chain is self-issued.
+ *
+ * Skip signature check for self-signed certificates unless explicitly
* asked for because it does not add any security and just wastes time.
- * If the issuer's public key is not available or its key usage does
- * not support issuing the subject cert, report the issuer certificate
- * and its depth (rather than the depth of the subject).
*/
- if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
+ if (xs != xi || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)
+ && (xi->ex_flags & EXFLAG_SS) != 0)) {
EVP_PKEY *pkey;
+ /*
+ * If the issuer's public key is not available or its key usage
+ * does not support issuing the subject cert, report the issuer
+ * cert and its depth (rather than n, the depth of the subject).
+ */
int issuer_depth = n + (xs == xi ? 0 : 1);
- int ret = x509_signing_allowed(xi, xs);
+ /*
+ * According to https://tools.ietf.org/html/rfc5280#section-6.1.4
+ * step (n) we must check any given key usage extension in a CA cert
+ * when preparing the verification of a certificate issued by it.
+ * According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+ * we must not verify a certifiate signature if the key usage of the
+ * CA certificate that issued the certificate prohibits signing.
+ * In case the 'issuing' certificate is the last in the chain and is
+ * not a CA certificate but a 'self-issued' end-entity cert (i.e.,
+ * xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply
+ * (see https://tools.ietf.org/html/rfc6818#section-2) and thus
+ * we are free to ignore any key usage restrictions on such certs.
+ */
+ int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0
+ ? X509_V_OK : x509_signing_allowed(xi, xs);
if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret))
return 0;
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
- if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
- X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
+ ret = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+ if (!verify_cb_cert(ctx, xi, issuer_depth, ret))
return 0;
} else if (X509_verify(xs, pkey) <= 0) {
- if (!verify_cb_cert(ctx, xs, n,
- X509_V_ERR_CERT_SIGNATURE_FAILURE))
+ ret = X509_V_ERR_CERT_SIGNATURE_FAILURE;
+ if (!verify_cb_cert(ctx, xs, n, ret))
return 0;
}
}
diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod
index 63ba850..18e803c 100644
--- a/doc/man1/verify.pod
+++ b/doc/man1/verify.pod
@@ -98,8 +98,11 @@ current system time. B<timestamp> is the number of seconds since
=item B<-check_ss_sig>
-Verify the signature on the self-signed root CA. This is disabled by default
-because it doesn't add any security.
+Verify the signature of
+the last certificate in a chain if the certificate is supposedly self-signed.
+This is prohibited and will result in an error if it is a non-conforming CA
+certificate with key usage restrictions not including the keyCertSign bit.
+This verification is disabled by default because it doesn't add any security.
=item B<-CRLfile file>
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 7593dea..a87b71d 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -264,12 +264,15 @@ they are enabled.
If B<X509_V_FLAG_USE_DELTAS> is set delta CRLs (if present) are used to
determine certificate status. If not set deltas are ignored.
-B<X509_V_FLAG_CHECK_SS_SIGNATURE> enables checking of the root CA self signed
-certificate signature. By default this check is disabled because it doesn't
+B<X509_V_FLAG_CHECK_SS_SIGNATURE> requests checking the signature of
+the last certificate in a chain if the certificate is supposedly self-signed.
+This is prohibited and will result in an error if it is a non-conforming CA
+certificate with key usage restrictions not including the keyCertSign bit.
+By default this check is disabled because it doesn't
add any additional security but in some cases applications might want to
-check the signature anyway. A side effect of not checking the root CA
-signature is that disabled or unsupported message digests on the root CA
-are not treated as fatal errors.
+check the signature anyway. A side effect of not checking the self-signature
+of such a certificate is that disabled or unsupported message digests used for
+the signature are not treated as fatal errors.
When B<X509_V_FLAG_TRUSTED_FIRST> is set, construction of the certificate chain
in L<X509_verify_cert(3)> will search the trust store for issuer certificates
--
1.8.3.1