Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist merge our changes between 1...
details: https://anonhg.NetBSD.org/src/rev/d5f5031c5dc1
branches: trunk
changeset: 981895:d5f5031c5dc1
user: christos <christos%NetBSD.org@localhost>
date: Thu Mar 25 18:51:18 2021 +0000
description:
merge our changes between 1.1.1j and 1.1.1k
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 44 ++++++++++
crypto/external/bsd/openssl/dist/NEWS | 8 +
crypto/external/bsd/openssl/dist/README | 4 +-
crypto/external/bsd/openssl/dist/apps/s_time.c | 5 +-
crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c | 17 +++-
crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c | 12 +-
crypto/external/bsd/openssl/dist/ssl/s3_lib.c | 7 +-
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c | 16 ++-
crypto/external/bsd/openssl/dist/test/rsa_test.c | 4 +-
11 files changed, 103 insertions(+), 22 deletions(-)
diffs (truncated from 314 to 300 lines):
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Thu Mar 25 18:51:18 2021 +0000
@@ -7,6 +7,50 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
+
+ *) Fixed a problem with verifying a certificate chain when using the
+ X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
+ of the certificates present in a certificate chain. It is not set by
+ default.
+
+ Starting from OpenSSL version 1.1.1h a check to disallow certificates in
+ the chain that have explicitly encoded elliptic curve parameters was added
+ as an additional strict check.
+
+ An error in the implementation of this check meant that the result of a
+ previous check to confirm that certificates in the chain are valid CA
+ certificates was overwritten. This effectively bypasses the check
+ that non-CA certificates must not be able to issue other certificates.
+
+ If a "purpose" has been configured then there is a subsequent opportunity
+ for checks that the certificate is a valid CA. All of the named "purpose"
+ values implemented in libcrypto perform this check. Therefore, where
+ a purpose is set the certificate chain will still be rejected even when the
+ strict flag has been used. A purpose is set by default in libssl client and
+ server certificate verification routines, but it can be overridden or
+ removed by an application.
+
+ In order to be affected, an application must explicitly set the
+ X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
+ for the certificate verification or, in the case of TLS client or server
+ applications, override the default purpose.
+ (CVE-2021-3450)
+ [Tomáš Mráz]
+
+ *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
+ crafted renegotiation ClientHello message from a client. If a TLSv1.2
+ renegotiation ClientHello omits the signature_algorithms extension (where
+ it was present in the initial ClientHello), but includes a
+ signature_algorithms_cert extension then a NULL pointer dereference will
+ result, leading to a crash and a denial of service attack.
+
+ A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
+ (which is the default configuration). OpenSSL TLS clients are not impacted
+ by this issue.
+ (CVE-2021-3449)
+ [Peter Kästle and Samuel Sapalski]
+
Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
*) Fixed the X509_issuer_and_serial_hash() function. It attempts to
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Thu Mar 25 18:51:18 2021 +0000
@@ -5,6 +5,14 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]
+
+ o Fixed a problem with verifying a certificate chain when using the
+ X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)
+ o Fixed an issue where an OpenSSL TLS server may crash if sent a
+ maliciously crafted renegotiation ClientHello message from a client
+ (CVE-2021-3449)
+
Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/README Thu Mar 25 18:51:18 2021 +0000
@@ -1,7 +1,7 @@
- OpenSSL 1.1.1j 16 Feb 2021
+ OpenSSL 1.1.1k 25 Mar 2021
- Copyright (c) 1998-2020 The OpenSSL Project
+ Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/apps/s_time.c
--- a/crypto/external/bsd/openssl/dist/apps/s_time.c Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/s_time.c Thu Mar 25 18:51:18 2021 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -263,7 +263,8 @@
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
- nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
+ nConn, (long)time(NULL) - finishtime + maxtime,
+ nConn > 0 ? bytes_read / nConn : 0l);
/*
* Now loop and time connections using the same session id over and over
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c
--- a/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c Thu Mar 25 18:51:18 2021 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -758,8 +758,9 @@
void engine_load_devcrypto_int()
{
ENGINE *e = NULL;
+ int fd;
- if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
+ if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) {
#ifndef ENGINE_DEVCRYPTO_DEBUG
if (errno != ENOENT && errno != ENXIO)
#endif
@@ -767,6 +768,18 @@
return;
}
+#ifdef CRIOGET
+ if (ioctl(fd, CRIOGET, &cfd) < 0) {
+ fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
+ close(fd);
+ cfd = -1;
+ return;
+ }
+ close(fd);
+#else
+ cfd = fd;
+#endif
+
if ((e = ENGINE_new()) == NULL
|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
ENGINE_free(e);
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c
--- a/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c Thu Mar 25 18:51:18 2021 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c
--- a/crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c Thu Mar 25 18:51:18 2021 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1385,8 +1385,8 @@
else
ctx->Yi.d[3] = ctr;
for (i = 0; i < 16 / sizeof(size_t); ++i) {
- size_t c = in[i];
- out[i] = c ^ ctx->EKi.t[i];
+ size_t c = in_t[i];
+ out_t[i] = c ^ ctx->EKi.t[i];
ctx->Xi.t[i] ^= c;
}
GCM_MUL(ctx);
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c
--- a/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c Thu Mar 25 18:51:18 2021 +0000
@@ -524,15 +524,19 @@
ret = 1;
break;
}
- if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
+ if (ret > 0
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
/* Check for presence of explicit elliptic curve parameters */
ret = check_curve(x);
- if (ret < 0)
+ if (ret < 0) {
ctx->error = X509_V_ERR_UNSPECIFIED;
- else if (ret == 0)
+ ret = 0;
+ } else if (ret == 0) {
ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
+ }
}
- if ((x->ex_flags & EXFLAG_CA) == 0
+ if (ret > 0
+ && (x->ex_flags & EXFLAG_CA) == 0
&& x->ex_pathlen != -1
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/ssl/s3_lib.c
--- a/crypto/external/bsd/openssl/dist/ssl/s3_lib.c Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/s3_lib.c Thu Mar 25 18:51:18 2021 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -4629,6 +4629,7 @@
OPENSSL_clear_free(s->s3->tmp.psk, psklen);
s->s3->tmp.psk = NULL;
+ s->s3->tmp.psklen = 0;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, pskpms, pskpmslen,
&s->session->master_key_length)) {
@@ -4658,8 +4659,10 @@
else
OPENSSL_cleanse(pms, pmslen);
}
- if (s->server == 0)
+ if (s->server == 0) {
s->s3->tmp.pms = NULL;
+ s->s3->tmp.pmslen = 0;
+ }
return ret;
}
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/ssl/ssl_lib.c
--- a/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c Thu Mar 25 18:51:18 2021 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -779,8 +779,10 @@
s->ext.ecpointformats =
OPENSSL_memdup(ctx->ext.ecpointformats,
ctx->ext.ecpointformats_len);
- if (!s->ext.ecpointformats)
+ if (!s->ext.ecpointformats) {
+ s->ext.ecpointformats_len = 0;
goto err;
+ }
s->ext.ecpointformats_len =
ctx->ext.ecpointformats_len;
}
@@ -789,8 +791,10 @@
OPENSSL_memdup(ctx->ext.supportedgroups,
ctx->ext.supportedgroups_len
* sizeof(*ctx->ext.supportedgroups));
- if (!s->ext.supportedgroups)
+ if (!s->ext.supportedgroups) {
+ s->ext.supportedgroups_len = 0;
goto err;
+ }
s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
}
#endif
@@ -800,8 +804,10 @@
if (s->ctx->ext.alpn) {
s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len);
- if (s->ext.alpn == NULL)
+ if (s->ext.alpn == NULL) {
+ s->ext.alpn_len = 0;
goto err;
+ }
memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len);
s->ext.alpn_len = s->ctx->ext.alpn_len;
}
@@ -2834,6 +2840,7 @@
OPENSSL_free(ctx->ext.alpn);
ctx->ext.alpn = OPENSSL_memdup(protos, protos_len);
if (ctx->ext.alpn == NULL) {
+ ctx->ext.alpn_len = 0;
SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
return 1;
}
@@ -2853,6 +2860,7 @@
OPENSSL_free(ssl->ext.alpn);
ssl->ext.alpn = OPENSSL_memdup(protos, protos_len);
if (ssl->ext.alpn == NULL) {
+ ssl->ext.alpn_len = 0;
SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
return 1;
}
diff -r 64aef661aac7 -r d5f5031c5dc1 crypto/external/bsd/openssl/dist/test/rsa_test.c
--- a/crypto/external/bsd/openssl/dist/test/rsa_test.c Thu Mar 25 18:41:29 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/test/rsa_test.c Thu Mar 25 18:51:18 2021 +0000
@@ -1,5 +1,5 @@
/*
Home |
Main Index |
Thread Index |
Old Index