Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/crypto/external/bsd/openssl/dist merge conflicts



details:   https://anonhg.NetBSD.org/src/rev/4d6c14e1eafd
branches:  trunk
changeset: 1018860:4d6c14e1eafd
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Feb 20 03:22:13 2021 +0000

description:
merge conflicts

diffstat:

 crypto/external/bsd/openssl/dist/CHANGES                |   37 +++++
 crypto/external/bsd/openssl/dist/Configure              |   29 ++-
 crypto/external/bsd/openssl/dist/NEWS                   |   10 +
 crypto/external/bsd/openssl/dist/README                 |    2 +-
 crypto/external/bsd/openssl/dist/apps/ca.c              |   53 +++----
 crypto/external/bsd/openssl/dist/crypto/armcap.c        |   19 ++-
 crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c |   16 ++-
 crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c   |   27 ++++
 crypto/external/bsd/openssl/dist/crypto/ppccap.c        |   20 ++-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c |   15 +-
 crypto/external/bsd/openssl/dist/ssl/d1_lib.c           |   11 +-
 crypto/external/bsd/openssl/dist/test/rsa_test.c        |  105 +++++++--------
 12 files changed, 223 insertions(+), 121 deletions(-)

diffs (truncated from 623 to 300 lines):

diff -r 1dd6c3725523 -r 4d6c14e1eafd crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Sat Feb 20 03:12:10 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Sat Feb 20 03:22:13 2021 +0000
@@ -7,6 +7,43 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
+
+  *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
+     create a unique hash value based on the issuer and serial number data
+     contained within an X509 certificate. However it was failing to correctly
+     handle any errors that may occur while parsing the issuer field (which might
+     occur if the issuer field is maliciously constructed). This may subsequently
+     result in a NULL pointer deref and a crash leading to a potential denial of
+     service attack.
+     (CVE-2021-23841)
+     [Matt Caswell]
+
+  *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+     padding mode to correctly check for rollback attacks. This is considered a
+     bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
+     CVE-2021-23839.
+     [Matt Caswell]
+
+  *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
+     functions. Previously they could overflow the output length argument in some
+     cases where the input length is close to the maximum permissable length for
+     an integer on the platform. In such cases the return value from the function
+     call would be 1 (indicating success), but the output length value would be
+     negative. This could cause applications to behave incorrectly or crash.
+     (CVE-2021-23840)
+     [Matt Caswell]
+
+  *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
+     implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
+     could be exploited in a side channel attack to recover the password. Since
+     the attack is local host only this is outside of the current OpenSSL
+     threat model and therefore no CVE is assigned.
+
+     Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
+     issue.
+     [Matt Caswell]
+
  Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
 
   *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
diff -r 1dd6c3725523 -r 4d6c14e1eafd crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure        Sat Feb 20 03:12:10 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure        Sat Feb 20 03:22:13 2021 +0000
@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -1201,6 +1201,10 @@
 # At this point, we can forget everything about %user and %useradd,
 # because it's now all been merged into the corresponding $config entry
 
+if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
+    disable('static', 'pic', 'threads');
+}
+
 # Allow overriding the build file name
 $config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile";
 
@@ -1521,10 +1525,6 @@
                 }
         }
 
-if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
-    disable('static', 'pic', 'threads');
-}
-
 $config{CFLAGS} = [ map { $_ eq '--ossl-strict-warnings'
                               ? @strict_warnings_collection
                               : ( $_ ) }
@@ -2611,19 +2611,22 @@
         }
         print "\nEnabled features:\n\n";
         foreach my $what (@disablables) {
-            print "    $what\n" unless $disabled{$what};
+            print "    $what\n"
+                unless grep { $_ =~ /^${what}$/ } keys %disabled;
         }
         print "\nDisabled features:\n\n";
         foreach my $what (@disablables) {
-            if ($disabled{$what}) {
-                print "    $what", ' ' x ($longest - length($what) + 1),
-                    "[$disabled{$what}]", ' ' x ($longest2 - length($disabled{$what}) + 1);
-                print $disabled_info{$what}->{macro}
-                    if $disabled_info{$what}->{macro};
+            my @what2 = grep { $_ =~ /^${what}$/ } keys %disabled;
+            my $what3 = $what2[0];
+            if ($what3) {
+                print "    $what3", ' ' x ($longest - length($what3) + 1),
+                    "[$disabled{$what3}]", ' ' x ($longest2 - length($disabled{$what3}) + 1);
+                print $disabled_info{$what3}->{macro}
+                    if $disabled_info{$what3}->{macro};
                 print ' (skip ',
-                    join(', ', @{$disabled_info{$what}->{skipped}}),
+                    join(', ', @{$disabled_info{$what3}->{skipped}}),
                     ')'
-                    if $disabled_info{$what}->{skipped};
+                    if $disabled_info{$what3}->{skipped};
                 print "\n";
             }
         }
diff -r 1dd6c3725523 -r 4d6c14e1eafd crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS     Sat Feb 20 03:12:10 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS     Sat Feb 20 03:22:13 2021 +0000
@@ -5,6 +5,16 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
+
+      o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
+        function (CVE-2021-23841)
+      o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+        padding mode to correctly check for rollback attacks
+      o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
+        EVP_DecryptUpdate functions (CVE-2021-23840)
+      o Fixed SRP_Calc_client_key so that it runs in constant time
+
   Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
 
       o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
diff -r 1dd6c3725523 -r 4d6c14e1eafd crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README   Sat Feb 20 03:12:10 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/README   Sat Feb 20 03:22:13 2021 +0000
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1i 8 Dec 2020
+ OpenSSL 1.1.1j 16 Feb 2021
 
  Copyright (c) 1998-2020 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r 1dd6c3725523 -r 4d6c14e1eafd crypto/external/bsd/openssl/dist/apps/ca.c
--- a/crypto/external/bsd/openssl/dist/apps/ca.c        Sat Feb 20 03:12:10 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ca.c        Sat Feb 20 03:22:13 2021 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -2223,62 +2223,51 @@
 
 static int do_updatedb(CA_DB *db)
 {
-    ASN1_UTCTIME *a_tm = NULL;
+    ASN1_TIME *a_tm = NULL;
     int i, cnt = 0;
-    int db_y2k, a_y2k;          /* flags = 1 if y >= 2000 */
-    char **rrow, *a_tm_s;
+    char **rrow;
 
-    a_tm = ASN1_UTCTIME_new();
+    a_tm = ASN1_TIME_new();
     if (a_tm == NULL)
         return -1;
 
-    /* get actual time and make a string */
+    /* get actual time */
     if (X509_gmtime_adj(a_tm, 0) == NULL) {
-        ASN1_UTCTIME_free(a_tm);
+        ASN1_TIME_free(a_tm);
         return -1;
     }
-    a_tm_s = app_malloc(a_tm->length + 1, "time string");
-
-    memcpy(a_tm_s, a_tm->data, a_tm->length);
-    a_tm_s[a_tm->length] = '\0';
-
-    if (strncmp(a_tm_s, "49", 2) <= 0)
-        a_y2k = 1;
-    else
-        a_y2k = 0;
 
     for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
         rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
 
         if (rrow[DB_type][0] == DB_TYPE_VAL) {
             /* ignore entries that are not valid */
-            if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
-                db_y2k = 1;
-            else
-                db_y2k = 0;
+            ASN1_TIME *exp_date = NULL;
+
+            exp_date = ASN1_TIME_new();
+            if (exp_date == NULL) {
+                ASN1_TIME_free(a_tm);
+                return -1;
+            }
 
-            if (db_y2k == a_y2k) {
-                /* all on the same y2k side */
-                if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
-                    rrow[DB_type][0] = DB_TYPE_EXP;
-                    rrow[DB_type][1] = '\0';
-                    cnt++;
+            if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) {
+                ASN1_TIME_free(a_tm);
+                ASN1_TIME_free(exp_date);
+                return -1;
+            }
 
-                    BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
-                }
-            } else if (db_y2k < a_y2k) {
+            if (ASN1_TIME_compare(exp_date, a_tm) <= 0) {
                 rrow[DB_type][0] = DB_TYPE_EXP;
                 rrow[DB_type][1] = '\0';
                 cnt++;
 
                 BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
             }
-
+            ASN1_TIME_free(exp_date);
         }
     }
 
-    ASN1_UTCTIME_free(a_tm);
-    OPENSSL_free(a_tm_s);
+    ASN1_TIME_free(a_tm);
     return cnt;
 }
 
diff -r 1dd6c3725523 -r 4d6c14e1eafd crypto/external/bsd/openssl/dist/crypto/armcap.c
--- a/crypto/external/bsd/openssl/dist/crypto/armcap.c  Sat Feb 20 03:12:10 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/armcap.c  Sat Feb 20 03:22:13 2021 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -69,6 +69,23 @@
 #   define OSSL_IMPLEMENT_GETAUXVAL
 #  endif
 # endif
+# if defined(__FreeBSD__)
+#  include <sys/param.h>
+#  if __FreeBSD_version >= 1200000
+#   include <sys/auxv.h>
+#   define OSSL_IMPLEMENT_GETAUXVAL
+
+static unsigned long getauxval(unsigned long key)
+{
+  unsigned long val = 0ul;
+
+  if (elf_aux_info((int)key, &val, sizeof(val)) != 0)
+    return 0ul;
+
+  return val;
+}
+#  endif
+# endif
 
 /*
  * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas
diff -r 1dd6c3725523 -r 4d6c14e1eafd crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c
--- a/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c   Sat Feb 20 03:12:10 2021 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c   Sat Feb 20 03:22:13 2021 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -185,6 +185,7 @@
     BUF_MEM *buff = NULL;
     char *s, *p, *end;
     int again;
+    int first_call = 1;
     long eline = 0;
     char btmp[DECIMAL_SIZE(eline) + 1];
     CONF_VALUE *v = NULL, *tv;
@@ -233,6 +234,19 @@
         BIO_gets(in, p, CONFBUFSIZE - 1);
         p[CONFBUFSIZE - 1] = '\0';
         ii = i = strlen(p);
+        if (first_call) {
+            /* Other BOMs imply unsupported multibyte encoding,
+             * so don't strip them and let the error raise */
+            const unsigned char utf8_bom[3] = {0xEF, 0xBB, 0xBF};
+
+            if (i >= 3 && memcmp(p, utf8_bom, 3) == 0) {
+                memmove(p, p + 3, i - 3);
+                p[i - 3] = 0;
+                i -= 3;
+                ii -= 3;



Home | Main Index | Thread Index | Old Index