From c1d1798abd60f12527b70443cb7d0b9cd78ef7b1 Mon Sep 17 00:00:00 2001 From: Jung-uk Kim Date: Tue, 31 Aug 2021 22:23:22 -0400 Subject: Import OpenSSL 1.1.1l --- CHANGES | 65 +++++++++++++ NEWS | 5 + README | 2 +- apps/crl2p7.c | 18 ++-- apps/enc.c | 4 +- apps/s_server.c | 13 ++- apps/s_socket.c | 12 ++- crypto/armcap.c | 15 +++ crypto/asn1/a_object.c | 15 +-- crypto/asn1/a_strex.c | 4 +- crypto/asn1/asn1_lib.c | 14 ++- crypto/asn1/bio_asn1.c | 7 +- crypto/asn1/bio_ndef.c | 3 + crypto/asn1/d2i_pr.c | 73 +++++++++----- crypto/asn1/t_spki.c | 4 +- crypto/bio/b_addr.c | 4 +- crypto/bio/b_sock2.c | 5 +- crypto/bn/bn_div.c | 9 +- crypto/chacha/asm/chacha-x86_64.pl | 54 ++++++++--- crypto/dsa/dsa_prn.c | 14 ++- crypto/ec/ec2_oct.c | 43 +++++++-- crypto/ec/ec_asn1.c | 7 +- crypto/err/openssl.txt | 5 + crypto/evp/e_aes.c | 192 ++++++++++++++++++------------------- crypto/evp/e_camellia.c | 10 +- crypto/hmac/hm_ameth.c | 5 +- crypto/pkcs12/p12_key.c | 4 +- crypto/poly1305/poly1305_ameth.c | 4 +- crypto/ppccap.c | 6 ++ crypto/rand/rand_unix.c | 10 +- crypto/rsa/rsa_prn.c | 8 +- crypto/siphash/siphash_ameth.c | 4 +- crypto/sm2/sm2_crypt.c | 29 +++--- crypto/sm2/sm2_pmeth.c | 4 +- crypto/sparcv9cap.c | 3 +- crypto/srp/srp_vfy.c | 13 +-- crypto/store/loader_file.c | 3 +- crypto/ts/ts_rsp_verify.c | 3 +- crypto/ts/ts_verify_ctx.c | 4 +- crypto/uid.c | 8 +- crypto/x509/t_x509.c | 6 +- crypto/x509/x509_vpm.c | 6 +- crypto/x509v3/v3_akey.c | 40 ++++++-- crypto/x509v3/v3_alt.c | 12 ++- crypto/x509v3/v3_cpols.c | 11 ++- crypto/x509v3/v3_ncons.c | 79 ++++++++++----- crypto/x509v3/v3_pci.c | 5 +- crypto/x509v3/v3_utl.c | 60 +++++++++--- crypto/x509v3/v3err.c | 6 +- doc/man1/enc.pod | 4 +- doc/man1/s_client.pod | 2 +- doc/man1/s_server.pod | 2 +- doc/man3/BIO_f_ssl.pod | 7 +- doc/man3/BIO_push.pod | 6 +- doc/man3/BN_cmp.pod | 41 ++++---- doc/man3/d2i_PrivateKey.pod | 6 +- doc/man7/x509.pod | 6 +- include/crypto/sm2.h | 5 +- include/crypto/x509.h | 7 +- include/openssl/e_os2.h | 5 +- include/openssl/opensslv.h | 4 +- include/openssl/sslerr.h | 5 +- include/openssl/x509v3err.h | 4 +- ssl/bio_ssl.c | 3 +- ssl/d1_lib.c | 3 +- ssl/record/rec_layer_s3.c | 8 +- ssl/record/ssl3_buffer.c | 3 +- ssl/record/ssl3_record.c | 36 +++---- ssl/s3_msg.c | 4 +- ssl/ssl_cert.c | 35 +++++-- ssl/ssl_err.c | 7 +- ssl/ssl_lib.c | 59 ++++++++++-- ssl/ssl_local.h | 2 +- ssl/statem/extensions.c | 31 +++++- ssl/statem/extensions_srvr.c | 9 +- ssl/statem/statem_clnt.c | 5 +- ssl/statem/statem_local.h | 4 +- ssl/statem/statem_srvr.c | 9 +- ssl/t1_lib.c | 11 ++- 79 files changed, 869 insertions(+), 394 deletions(-) diff --git a/CHANGES b/CHANGES index 7d0129e68765..824f421b8d33 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,71 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1k and 1.1.1l [24 Aug 2021] + + *) Fixed an SM2 Decryption Buffer Overflow. + + In order to decrypt SM2 encrypted data an application is expected to call the + API function EVP_PKEY_decrypt(). Typically an application will call this + function twice. The first time, on entry, the "out" parameter can be NULL and, + on exit, the "outlen" parameter is populated with the buffer size required to + hold the decrypted plaintext. The application can then allocate a sufficiently + sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL + value for the "out" parameter. + + A bug in the implementation of the SM2 decryption code means that the + calculation of the buffer size required to hold the plaintext returned by the + first call to EVP_PKEY_decrypt() can be smaller than the actual size required by + the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is + called by the application a second time with a buffer that is too small. + + A malicious attacker who is able present SM2 content for decryption to an + application could cause attacker chosen data to overflow the buffer by up to a + maximum of 62 bytes altering the contents of other data held after the + buffer, possibly changing application behaviour or causing the application to + crash. The location of the buffer is application dependent but is typically + heap allocated. + (CVE-2021-3711) + [Matt Caswell] + + *) Fixed various read buffer overruns processing ASN.1 strings + + ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING + structure which contains a buffer holding the string data and a field holding + the buffer length. This contrasts with normal C strings which are repesented as + a buffer for the string data which is terminated with a NUL (0) byte. + + Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's + own "d2i" functions (and other similar parsing functions) as well as any string + whose value has been set with the ASN1_STRING_set() function will additionally + NUL terminate the byte array in the ASN1_STRING structure. + + However, it is possible for applications to directly construct valid ASN1_STRING + structures which do not NUL terminate the byte array by directly setting the + "data" and "length" fields in the ASN1_STRING array. This can also happen by + using the ASN1_STRING_set0() function. + + Numerous OpenSSL functions that print ASN.1 data have been found to assume that + the ASN1_STRING byte array will be NUL terminated, even though this is not + guaranteed for strings that have been directly constructed. Where an application + requests an ASN.1 structure to be printed, and where that ASN.1 structure + contains ASN1_STRINGs that have been directly constructed by the application + without NUL terminating the "data" field, then a read buffer overrun can occur. + + The same thing can also occur during name constraints processing of certificates + (for example if a certificate has been directly constructed by the application + instead of loading it via the OpenSSL parsing functions, and the certificate + contains non NUL terminated ASN1_STRING structures). It can also occur in the + X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. + + If a malicious actor can cause an application to directly construct an + ASN1_STRING and then process it through one of the affected OpenSSL functions + then this issue could be hit. This might result in a crash (causing a Denial of + Service attack). It could also result in the disclosure of private memory + contents (such as private keys, or sensitive plaintext). + (CVE-2021-3712) + [Matt Caswell] + Changes between 1.1.1j and 1.1.1k [25 Mar 2021] *) Fixed a problem with verifying a certificate chain when using the diff --git a/NEWS b/NEWS index 05991a0c214a..5a1207c66ed4 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021] + + o Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711) + o Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712) + Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021] o Fixed a problem with verifying a certificate chain when using the diff --git a/README b/README index b92a8bd3a4b5..7dc4e6790c34 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.1.1k 25 Mar 2021 + OpenSSL 1.1.1l 24 Aug 2021 Copyright (c) 1998-2021 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/apps/crl2p7.c b/apps/crl2p7.c index 88fabcb22c36..3f619bf5278e 100644 --- a/apps/crl2p7.c +++ b/apps/crl2p7.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -120,19 +120,20 @@ int crl2pkcs7_main(int argc, char **argv) if (!ASN1_INTEGER_set(p7s->version, 1)) goto end; - if ((crl_stack = sk_X509_CRL_new_null()) == NULL) - goto end; - p7s->crl = crl_stack; + if (crl != NULL) { + if ((crl_stack = sk_X509_CRL_new_null()) == NULL) + goto end; + p7s->crl = crl_stack; sk_X509_CRL_push(crl_stack, crl); crl = NULL; /* now part of p7 for OPENSSL_freeing */ } - if ((cert_stack = sk_X509_new_null()) == NULL) - goto end; - p7s->cert = cert_stack; + if (certflst != NULL) { + if ((cert_stack = sk_X509_new_null()) == NULL) + goto end; + p7s->cert = cert_stack; - if (certflst != NULL) for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { certfile = sk_OPENSSL_STRING_value(certflst, i); if (add_certs_from_file(cert_stack, certfile) < 0) { @@ -141,6 +142,7 @@ int crl2pkcs7_main(int argc, char **argv) goto end; } } + } out = bio_open_default(outfile, 'w', outformat); if (out == NULL) diff --git a/apps/enc.c b/apps/enc.c index ddf51e0dba15..65710771a089 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -81,7 +81,7 @@ const OPTIONS enc_options[] = { {"", OPT_CIPHER, '-', "Any supported cipher"}, OPT_R_OPTIONS, #ifdef ZLIB - {"z", OPT_Z, '-', "Use zlib as the 'encryption'"}, + {"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"}, #endif #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, diff --git a/apps/s_server.c b/apps/s_server.c index 0ba75999fd28..938e244222d8 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -133,6 +133,17 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, if (s_debug) BIO_printf(bio_s_out, "psk_server_cb\n"); + + if (SSL_version(ssl) >= TLS1_3_VERSION) { + /* + * This callback is designed for use in TLSv1.2. It is possible to use + * a single callback for all protocol versions - but it is preferred to + * use a dedicated callback for TLSv1.3. For TLSv1.3 we have + * psk_find_session_cb. + */ + return 0; + } + if (identity == NULL) { BIO_printf(bio_err, "Error: client did not send PSK identity\n"); goto out_err; diff --git a/apps/s_socket.c b/apps/s_socket.c index 76f928900207..aee366d5f457 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -214,6 +214,8 @@ int do_server(int *accept_sock, const char *host, const char *port, const BIO_ADDRINFO *next; int sock_family, sock_type, sock_protocol, sock_port; const BIO_ADDR *sock_address; + int sock_family_fallback = AF_UNSPEC; + const BIO_ADDR *sock_address_fallback = NULL; int sock_options = BIO_SOCK_REUSEADDR; int ret = 0; @@ -244,6 +246,10 @@ int do_server(int *accept_sock, const char *host, const char *port, && BIO_ADDRINFO_protocol(next) == sock_protocol) { if (sock_family == AF_INET && BIO_ADDRINFO_family(next) == AF_INET6) { + /* In case AF_INET6 is returned but not supported by the + * kernel, retry with the first detected address family */ + sock_family_fallback = sock_family; + sock_address_fallback = sock_address; sock_family = AF_INET6; sock_address = BIO_ADDRINFO_address(next); } else if (sock_family == AF_INET6 @@ -253,6 +259,10 @@ int do_server(int *accept_sock, const char *host, const char *port, } asock = BIO_socket(sock_family, sock_type, sock_protocol, 0); + if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) { + asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0); + sock_address = sock_address_fallback; + } if (asock == INVALID_SOCKET || !BIO_listen(asock, sock_address, sock_options)) { BIO_ADDRINFO_free(res); diff --git a/crypto/armcap.c b/crypto/armcap.c index 8bf96f10214f..c5685bde5891 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -68,6 +68,12 @@ void OPENSSL_cpuid_setup(void) __attribute__ ((constructor)); # include # define OSSL_IMPLEMENT_GETAUXVAL # endif +# elif defined(__ANDROID_API__) +/* see https://developer.android.google.cn/ndk/guides/cpu-features */ +# if __ANDROID_API__ >= 18 +# include +# define OSSL_IMPLEMENT_GETAUXVAL +# endif # endif # if defined(__FreeBSD__) # include @@ -87,6 +93,15 @@ static unsigned long getauxval(unsigned long key) # endif # endif +/* + * Android: according to https://developer.android.com/ndk/guides/cpu-features, + * getauxval is supported starting with API level 18 + */ +# if defined(__ANDROID__) && defined(__ANDROID_API__) && __ANDROID_API__ >= 18 +# include +# define OSSL_IMPLEMENT_GETAUXVAL +# endif + /* * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas * AArch64 used AT_HWCAP. diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index d67a723c9611..8ade9e50a7cb 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -286,16 +286,13 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, } } - /* - * only the ASN1_OBJECTs from the 'table' will have values for ->sn or - * ->ln - */ if ((a == NULL) || ((*a) == NULL) || !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) { if ((ret = ASN1_OBJECT_new()) == NULL) return NULL; - } else + } else { ret = (*a); + } p = *pp; /* detach data from object */ @@ -313,6 +310,12 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, ret->flags |= ASN1_OBJECT_FLAG_DYNAMIC_DATA; } memcpy(data, p, length); + /* If there are dynamic strings, free them here, and clear the flag */ + if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) { + OPENSSL_free((char *)ret->sn); + OPENSSL_free((char *)ret->ln); + ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS; + } /* reattach data to object, after which it remains const */ ret->data = data; ret->length = length; diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index 4879b33785e9..284dde274c9f 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -280,6 +280,8 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, t.type = str->type; t.value.ptr = (char *)str; der_len = i2d_ASN1_TYPE(&t, NULL); + if (der_len <= 0) + return -1; if ((der_buf = OPENSSL_malloc(der_len)) == NULL) { ASN1err(ASN1_F_DO_DUMP, ERR_R_MALLOC_FAILURE); return -1; diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 366afc5f6c6b..3d99d1383d42 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -292,7 +292,12 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in) } if ((size_t)str->length <= len || str->data == NULL) { c = str->data; +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + /* No NUL terminator in fuzzing builds */ + str->data = OPENSSL_realloc(c, len); +#else str->data = OPENSSL_realloc(c, len + 1); +#endif if (str->data == NULL) { ASN1err(ASN1_F_ASN1_STRING_SET, ERR_R_MALLOC_FAILURE); str->data = c; @@ -302,8 +307,13 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in) str->length = len; if (data != NULL) { memcpy(str->data, data, len); - /* an allowance for strings :-) */ +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + /* + * Add a NUL terminator. This should not be necessary - but we add it as + * a safety precaution + */ str->data[len] = '\0'; +#endif } return 1; } diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c index 86ee56632305..914d77c866c6 100644 --- a/crypto/asn1/bio_asn1.c +++ b/crypto/asn1/bio_asn1.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -138,6 +138,11 @@ static int asn1_bio_free(BIO *b) if (ctx == NULL) return 0; + if (ctx->prefix_free != NULL) + ctx->prefix_free(b, &ctx->ex_buf, &ctx->ex_len, &ctx->ex_arg); + if (ctx->suffix_free != NULL) + ctx->suffix_free(b, &ctx->ex_buf, &ctx->ex_len, &ctx->ex_arg); + OPENSSL_free(ctx->buf); OPENSSL_free(ctx); BIO_set_data(b, NULL); diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index d7d7d80eea91..760e4846a474 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -142,6 +142,9 @@ static int ndef_prefix_free(BIO *b, unsigned char **pbuf, int *plen, ndef_aux = *(NDEF_SUPPORT **)parg; + if (ndef_aux == NULL) + return 0; + OPENSSL_free(ndef_aux->derbuf); ndef_aux->derbuf = NULL; diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 7b127d2092fa..2094963036fe 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -78,13 +78,53 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, * type */ +static EVP_PKEY *key_as_pkcs8(const unsigned char **pp, long length, int *carry_on) +{ + const unsigned char *p = *pp; + PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); + EVP_PKEY *ret; + + if (p8 == NULL) + return NULL; + + ret = EVP_PKCS82PKEY(p8); + if (ret == NULL) + *carry_on = 0; + + PKCS8_PRIV_KEY_INFO_free(p8); + + if (ret != NULL) + *pp = p; + + return ret; +} + EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, long length) { STACK_OF(ASN1_TYPE) *inkey; const unsigned char *p; int keytype; + EVP_PKEY *ret = NULL; + int carry_on = 1; + + ERR_set_mark(); + ret = key_as_pkcs8(pp, length, &carry_on); + if (ret != NULL) { + ERR_clear_last_mark(); + if (a != NULL) + *a = ret; + return ret; + } + + if (carry_on == 0) { + ERR_clear_last_mark(); + ASN1err(ASN1_F_D2I_AUTOPRIVATEKEY, + ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); + return NULL; + } p = *pp; + /* * Dirty trick: read in the ASN1 data into a STACK_OF(ASN1_TYPE): by * analyzing it we can determine the passed structure: this assumes the @@ -100,28 +140,15 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, keytype = EVP_PKEY_DSA; else if (sk_ASN1_TYPE_num(inkey) == 4) keytype = EVP_PKEY_EC; - else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not - * traditional format */ - PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); - EVP_PKEY *ret; - - sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); - if (!p8) { - ASN1err(ASN1_F_D2I_AUTOPRIVATEKEY, - ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); - return NULL; - } - ret = EVP_PKCS82PKEY(p8); - PKCS8_PRIV_KEY_INFO_free(p8); - if (ret == NULL) - return NULL; - *pp = p; - if (a) { - *a = ret; - } - return ret; - } else + else keytype = EVP_PKEY_RSA; sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); - return d2i_PrivateKey(keytype, a, pp, length); + + ret = d2i_PrivateKey(keytype, a, pp, length); + if (ret != NULL) + ERR_pop_to_mark(); + else + ERR_clear_last_mark(); + + return ret; } diff --git a/crypto/asn1/t_spki.c b/crypto/asn1/t_spki.c index 51b56d0aa9f7..3d4aea8ad9a4 100644 --- a/crypto/asn1/t_spki.c +++ b/crypto/asn1/t_spki.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,7 +38,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki) } chal = spki->spkac->challenge; if (chal->length) - BIO_printf(out, " Challenge String: %s\n", chal->data); + BIO_printf(out, " Challenge String: %.*s\n", chal->length, chal->data); i = OBJ_obj2nid(spki->sig_algor.algorithm); BIO_printf(out, " Signature Algorithm: %s", (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i)); diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c index b023bbda406b..8ea32bce401b 100644 --- a/crypto/bio/b_addr.c +++ b/crypto/bio/b_addr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -689,7 +689,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, hints.ai_protocol = protocol; # ifdef AI_ADDRCONFIG # ifdef AF_UNSPEC - if (family == AF_UNSPEC) + if (host != NULL && family == AF_UNSPEC) # endif hints.ai_flags |= AI_ADDRCONFIG; # endif diff --git a/crypto/bio/b_sock2.c b/crypto/bio/b_sock2.c index 335dfabc6180..104ff31b0d2e 100644 --- a/crypto/bio/b_sock2.c +++ b/crypto/bio/b_sock2.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -243,7 +243,8 @@ int BIO_listen(int sock, const BIO_ADDR *addr, int options) } } -# ifdef IPV6_V6ONLY + /* On OpenBSD it is always ipv6 only with ipv6 sockets thus read-only */ +# if defined(IPV6_V6ONLY) && !defined(__OpenBSD__) if (BIO_ADDR_family(addr) == AF_INET6) { /* * Note: Windows default of IPV6_V6ONLY is ON, and Linux is OFF. diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index 286d69c895fd..0da9f39b31a9 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -268,7 +268,7 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, BIGNUM *tmp, *snum, *sdiv, *res; BN_ULONG *resp, *wnum, *wnumtop; BN_ULONG d0, d1; - int num_n, div_n; + int num_n, div_n, num_neg; assert(divisor->top > 0 && divisor->d[divisor->top - 1] != 0); @@ -326,7 +326,8 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, /* Setup quotient */ if (!bn_wexpand(res, loop)) goto err; - res->neg = (num->neg ^ divisor->neg); + num_neg = num->neg; + res->neg = (num_neg ^ divisor->neg); res->top = loop; res->flags |= BN_FLG_FIXED_TOP; resp = &(res->d[loop]); @@ -442,7 +443,7 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, *--resp = q; } /* snum holds remainder, it's as wide as divisor */ - snum->neg = num->neg; + snum->neg = num_neg; snum->top = div_n; snum->flags |= BN_FLG_FIXED_TOP; if (rm != NULL) diff --git a/crypto/chacha/asm/chacha-x86_64.pl b/crypto/chacha/asm/chacha-x86_64.pl index 227ee59ff2ba..c0e5d863dcb2 100755 --- a/crypto/chacha/asm/chacha-x86_64.pl +++ b/crypto/chacha/asm/chacha-x86_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -471,7 +471,7 @@ sub SSSE3ROUND { # critical path is 20 "SIMD ticks" per round &por ($b,$t); } -my $xframe = $win64 ? 32+8 : 8; +my $xframe = $win64 ? 160+8 : 8; $code.=<<___; .type ChaCha20_ssse3,\@function,5 @@ -2499,7 +2499,7 @@ sub AVX512ROUND { # critical path is 14 "SIMD ticks" per round &vprold ($b,$b,7); } -my $xframe = $win64 ? 32+8 : 8; +my $xframe = $win64 ? 160+8 : 8; $code.=<<___; .type ChaCha20_avx512,\@function,5 @@ -2515,8 +2515,16 @@ ChaCha20_avx512: sub \$64+$xframe,%rsp ___ $code.=<<___ if ($win64); - movaps %xmm6,-0x28(%r9) - movaps %xmm7,-0x18(%r9) + movaps %xmm6,-0xa8(%r9) + movaps %xmm7,-0x98(%r9) + movaps %xmm8,-0x88(%r9) + movaps %xmm9,-0x78(%r9) + movaps %xmm10,-0x68(%r9) + movaps %xmm11,-0x58(%r9) + movaps %xmm12,-0x48(%r9) + movaps %xmm13,-0x38(%r9) + movaps %xmm14,-0x28(%r9) + movaps %xmm15,-0x18(%r9) .Lavx512_body: ___ $code.=<<___; @@ -2683,8 +2691,16 @@ $code.=<<___; vzeroall ___ $code.=<<___ if ($win64); - movaps -0x28(%r9),%xmm6 - movaps -0x18(%r9),%xmm7 + movaps -0xa8(%r9),%xmm6 + movaps -0x98(%r9),%xmm7 + movaps -0x88(%r9),%xmm8 + movaps -0x78(%r9),%xmm9 + movaps -0x68(%r9),%xmm10 + movaps -0x58(%r9),%xmm11 + movaps -0x48(%r9),%xmm12 + movaps -0x38(%r9),%xmm13 + movaps -0x28(%r9),%xmm14 + movaps -0x18(%r9),%xmm15 ___ $code.=<<___; lea (%r9),%rsp @@ -2711,8 +2727,16 @@ ChaCha20_avx512vl: sub \$64+$xframe,%rsp ___ $code.=<<___ if ($win64); - movaps %xmm6,-0x28(%r9) - movaps %xmm7,-0x18(%r9) + movaps %xmm6,-0xa8(%r9) + movaps %xmm7,-0x98(%r9) + movaps %xmm8,-0x88(%r9) + movaps %xmm9,-0x78(%r9) + movaps %xmm10,-0x68(%r9) + movaps %xmm11,-0x58(%r9) + movaps %xmm12,-0x48(%r9) + movaps %xmm13,-0x38(%r9) + movaps %xmm14,-0x28(%r9) + movaps %xmm15,-0x18(%r9) .Lavx512vl_body: ___ $code.=<<___; @@ -2836,8 +2860,16 @@ $code.=<<___; vzeroall ___ $code.=<<___ if ($win64); - movaps -0x28(%r9),%xmm6 - movaps -0x18(%r9),%xmm7 + movaps -0xa8(%r9),%xmm6 + movaps -0x98(%r9),%xmm7 + movaps -0x88(%r9),%xmm8 + movaps -0x78(%r9),%xmm9 + movaps -0x68(%r9),%xmm10 + movaps -0x58(%r9),%xmm11 + movaps -0x48(%r9),%xmm12 + movaps -0x38(%r9),%xmm13 + movaps -0x28(%r9),%xmm14 + movaps -0x18(%r9),%xmm15 ___ $code.=<<___; lea (%r9),%rsp diff --git a/crypto/dsa/dsa_prn.c b/crypto/dsa/dsa_prn.c index a4a1fd5650e4..070b881e1fae 100644 --- a/crypto/dsa/dsa_prn.c +++ b/crypto/dsa/dsa_prn.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -49,9 +49,11 @@ int DSA_print(BIO *bp, const DSA *x, int off) EVP_PKEY *pk; int ret; pk = EVP_PKEY_new(); - if (pk == NULL || !EVP_PKEY_set1_DSA(pk, (DSA *)x)) + if (pk == NULL) return 0; - ret = EVP_PKEY_print_private(bp, pk, off, NULL); + ret = EVP_PKEY_set1_DSA(pk, (DSA *)x); + if (ret) + ret = EVP_PKEY_print_private(bp, pk, off, NULL); EVP_PKEY_free(pk); return ret; } @@ -61,9 +63,11 @@ int DSAparams_print(BIO *bp, const DSA *x) EVP_PKEY *pk; int ret; pk = EVP_PKEY_new(); - if (pk == NULL || !EVP_PKEY_set1_DSA(pk, (DSA *)x)) + if (pk == NULL) return 0; - ret = EVP_PKEY_print_params(bp, pk, 4, NULL); + ret = EVP_PKEY_set1_DSA(pk, (DSA *)x); + if (ret) + ret = EVP_PKEY_print_params(bp, pk, 4, NULL); EVP_PKEY_free(pk); return ret; } diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 48543265eeab..788e6501fbcd 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -247,9 +247,21 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL); return 0; } - form = buf[0]; - y_bit = form & 1; - form = form & ~1U; + + /* + * The first octet is the point converison octet PC, see X9.62, page 4 + * and section 4.4.2. It must be: + * 0x00 for the point at infinity + * 0x02 or 0x03 for compressed form + * 0x04 for uncompressed form + * 0x06 or 0x07 for hybrid form. + * For compressed or hybrid forms, we store the last bit of buf[0] as + * y_bit and clear it from buf[0] so as to obtain a POINT_CONVERSION_*. + * We error if buf[0] contains any but the above values. + */ + y_bit = buf[0] & 1; + form = buf[0] & ~1U; + if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) && (form != POINT_CONVERSION_UNCOMPRESSED) && (form != POINT_CONVERSION_HYBRID)) { @@ -261,6 +273,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, return 0; } + /* The point at infinity is represented by a single zero octet. */ if (form == 0) { if (len != 1) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); @@ -312,11 +325,23 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, goto err; } if (form == POINT_CONVERSION_HYBRID) { - if (!group->meth->field_div(group, yxi, y, x, ctx)) - goto err; - if (y_bit != BN_is_odd(yxi)) { - ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); - goto err; + /* + * Check that the form in the encoding was set correctly + * according to X9.62 4.4.2.a, 4(c), see also first paragraph + * of X9.62, 4.4.1.b. + */ + if (BN_is_zero(x)) { + if (y_bit != 0) { + ECerr(ERR_LIB_EC, EC_R_INVALID_ENCODING); + goto err; + } + } else { + if (!group->meth->field_div(group, yxi, y, x, ctx)) + goto err; + if (y_bit != BN_is_odd(yxi)) { + ECerr(ERR_LIB_EC, EC_R_INVALID_ENCODING); + goto err; + } } } diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 7b7c75ce8443..c8ee1e6f1762 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) ret->seed_len = params->curve->seed->length; } - if (!params->order || !params->base || !params->base->data) { + if (params->order == NULL + || params->base == NULL + || params->base->data == NULL + || params->base->length == 0) { ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR); goto err; } diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 7e1776375df7..902e97b84355 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1160,6 +1160,7 @@ SSL_F_FINAL_EC_PT_FORMATS:485:final_ec_pt_formats SSL_F_FINAL_EMS:486:final_ems SSL_F_FINAL_KEY_SHARE:503:final_key_share SSL_F_FINAL_MAXFRAGMENTLEN:557:final_maxfragmentlen +SSL_F_FINAL_PSK:639:final_psk SSL_F_FINAL_RENEGOTIATE:483:final_renegotiate SSL_F_FINAL_SERVER_NAME:558:final_server_name SSL_F_FINAL_SIG_ALGS:497:final_sig_algs @@ -1652,6 +1653,7 @@ X509V3_F_I2S_ASN1_ENUMERATED:121:i2s_ASN1_ENUMERATED X509V3_F_I2S_ASN1_IA5STRING:149:i2s_ASN1_IA5STRING X509V3_F_I2S_ASN1_INTEGER:120:i2s_ASN1_INTEGER X509V3_F_I2V_AUTHORITY_INFO_ACCESS:138:i2v_AUTHORITY_INFO_ACCESS +X509V3_F_I2V_AUTHORITY_KEYID:173:i2v_AUTHORITY_KEYID X509V3_F_LEVEL_ADD_NODE:168:level_add_node X509V3_F_NOTICE_SECTION:132:notice_section X509V3_F_NREF_NOS:133:nref_nos @@ -1692,6 +1694,7 @@ X509V3_F_V2I_SUBJECT_ALT:154:v2i_subject_alt X509V3_F_V2I_TLS_FEATURE:165:v2i_TLS_FEATURE X509V3_F_V3_GENERIC_EXTENSION:116:v3_generic_extension X509V3_F_X509V3_ADD1_I2D:140:X509V3_add1_i2d +X509V3_F_X509V3_ADD_LEN_VALUE:174:x509v3_add_len_value X509V3_F_X509V3_ADD_VALUE:105:X509V3_add_value X509V3_F_X509V3_EXT_ADD:104:X509V3_EXT_add X509V3_F_X509V3_EXT_ADD_ALIAS:106:X509V3_EXT_add_alias @@ -2741,6 +2744,7 @@ SSL_R_MISSING_DSA_SIGNING_CERT:165:missing dsa signing cert SSL_R_MISSING_ECDSA_SIGNING_CERT:381:missing ecdsa signing cert SSL_R_MISSING_FATAL:256:missing fatal SSL_R_MISSING_PARAMETERS:290:missing parameters +SSL_R_MISSING_PSK_KEX_MODES_EXTENSION:310:missing psk kex modes extension SSL_R_MISSING_RSA_CERTIFICATE:168:missing rsa certificate SSL_R_MISSING_RSA_ENCRYPTING_CERT:169:missing rsa encrypting cert SSL_R_MISSING_RSA_SIGNING_CERT:170:missing rsa signing cert @@ -2784,6 +2788,7 @@ SSL_R_NO_VALID_SCTS:216:no valid scts SSL_R_NO_VERIFY_COOKIE_CALLBACK:403:no verify cookie callback SSL_R_NULL_SSL_CTX:195:null ssl ctx SSL_R_NULL_SSL_METHOD_PASSED:196:null ssl method passed +SSL_R_OCSP_CALLBACK_FAILURE:294:ocsp callback failure SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED:197:old session cipher not returned SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED:344:\ old session compression algorithm not returned diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 405ddbf9bf09..a1d3ab90fa61 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -611,22 +611,22 @@ void aes_t4_decrypt(const unsigned char *in, unsigned char *out, */ void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t len, const AES_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out, size_t len, const AES_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t len, const AES_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out, size_t len, const AES_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t len, const AES_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out, size_t len, const AES_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out, size_t blocks, const AES_KEY *key, unsigned char *ivec); @@ -1168,9 +1168,9 @@ typedef struct { static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); -# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */ -# define S390X_aes_192_cbc_CAPABLE 1 -# define S390X_aes_256_cbc_CAPABLE 1 +# define S390X_aes_128_cbc_CAPABLE 0 /* checked by callee */ +# define S390X_aes_192_cbc_CAPABLE 0 +# define S390X_aes_256_cbc_CAPABLE 0 # define S390X_AES_CBC_CTX EVP_AES_KEY # define s390x_aes_cbc_init_key aes_init_key @@ -1190,11 +1190,11 @@ static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx, S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); - cctx->fc = S390X_AES_FC(keylen); - if (!enc) - cctx->fc |= S390X_DECRYPT; + cctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT); + + if (key != NULL) + memcpy(cctx->km.param.k, key, keylen); - memcpy(cctx->km.param.k, key, keylen); return 1; } @@ -1222,14 +1222,17 @@ static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *ivec, int enc) { S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx); - const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx); + const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); const int ivlen = EVP_CIPHER_CTX_iv_length(ctx); - memcpy(cctx->kmo.param.cv, iv, ivlen); - memcpy(cctx->kmo.param.k, key, keylen); cctx->fc = S390X_AES_FC(keylen); + + if (key != NULL) + memcpy(cctx->kmo.param.k, key, keylen); + cctx->res = 0; + memcpy(cctx->kmo.param.cv, oiv, ivlen); return 1; } @@ -1237,9 +1240,12 @@ static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len) { S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx); + const int ivlen = EVP_CIPHER_CTX_iv_length(ctx); + unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); int n = cctx->res; int rem; + memcpy(cctx->kmo.param.cv, iv, ivlen); while (n && len) { *out = *in ^ cctx->kmo.param.cv[n]; n = (n + 1) & 0xf; @@ -1268,6 +1274,7 @@ static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } } + memcpy(iv, cctx->kmo.param.cv, ivlen); cctx->res = n; return 1; } @@ -1287,18 +1294,18 @@ static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *ivec, int enc) { S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx); - const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx); + const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); const int ivlen = EVP_CIPHER_CTX_iv_length(ctx); - cctx->fc = S390X_AES_FC(keylen); - cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */ - if (!enc) - cctx->fc |= S390X_DECRYPT; + cctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT) + | (16 << 24); /* 16 bytes cipher feedback */ + + if (key != NULL) + memcpy(cctx->kmf.param.k, key, keylen); cctx->res = 0; - memcpy(cctx->kmf.param.cv, iv, ivlen); - memcpy(cctx->kmf.param.k, key, keylen); + memcpy(cctx->kmf.param.cv, oiv, ivlen); return 1; } @@ -1308,10 +1315,13 @@ static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); const int enc = EVP_CIPHER_CTX_encrypting(ctx); + const int ivlen = EVP_CIPHER_CTX_iv_length(ctx); + unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); int n = cctx->res; int rem; unsigned char tmp; + memcpy(cctx->kmf.param.cv, iv, ivlen); while (n && len) { tmp = *in; *out = cctx->kmf.param.cv[n] ^ tmp; @@ -1344,6 +1354,7 @@ static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } } + memcpy(iv, cctx->kmf.param.cv, ivlen); cctx->res = n; return 1; } @@ -1360,17 +1371,18 @@ static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *ivec, int enc) { S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx); - const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx); + const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx); const int keylen = EVP_CIPHER_CTX_key_length(ctx); const int ivlen = EVP_CIPHER_CTX_iv_length(ctx); - cctx->fc = S390X_AES_FC(keylen); - cctx->fc |= 1 << 24; /* 1 byte cipher feedback */ - if (!enc) - cctx->fc |= S390X_DECRYPT; + cctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT) + | (1 << 24); /* 1 byte cipher feedback flag */ - memcpy(cctx->kmf.param.cv, iv, ivlen); - memcpy(cctx->kmf.param.k, key, keylen); + if (key != NULL) + memcpy(cctx->kmf.param.k, key, keylen); + + cctx->res = 0; + memcpy(cctx->kmf.param.cv, oiv, ivlen); return 1; } @@ -1378,8 +1390,12 @@ static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len) { S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx); + const int ivlen = EVP_CIPHER_CTX_iv_length(ctx); + unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); + memcpy(cctx->kmf.param.cv, iv, ivlen); s390x_kmf(in, len, out, cctx->fc, &cctx->kmf.param); + memcpy(iv, cctx->kmf.param.cv, ivlen); return 1; } @@ -1393,9 +1409,9 @@ static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len); -# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */ -# define S390X_aes_192_ctr_CAPABLE 1 -# define S390X_aes_256_ctr_CAPABLE 1 +# define S390X_aes_128_ctr_CAPABLE 0 /* checked by callee */ +# define S390X_aes_192_ctr_CAPABLE 0 +# define S390X_aes_256_ctr_CAPABLE 0 # define S390X_AES_CTR_CTX EVP_AES_KEY # define s390x_aes_ctr_init_key aes_init_key @@ -1563,8 +1579,7 @@ static int s390x_aes_gcm(S390X_AES_GCM_CTX *ctx, const unsigned char *in, /*- * Initialize context structure. Code is big-endian. */ -static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx, - const unsigned char *iv) +static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx) { ctx->kma.param.t.g[0] = 0; ctx->kma.param.t.g[1] = 0; @@ -1575,12 +1590,11 @@ static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx, ctx->kreslen = 0; if (ctx->ivlen == 12) { - memcpy(&ctx->kma.param.j0, iv, ctx->ivlen); + memcpy(&ctx->kma.param.j0, ctx->iv, ctx->ivlen); ctx->kma.param.j0.w[3] = 1; ctx->kma.param.cv.w = 1; } else { /* ctx->iv has the right size and is already padded. */ - memcpy(ctx->iv, iv, ctx->ivlen); s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL, ctx->fc, &ctx->kma.param); ctx->fc |= S390X_KMA_HS; @@ -1694,7 +1708,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) if (gctx->iv_gen == 0 || gctx->key_set == 0) return 0; - s390x_aes_gcm_setiv(gctx, gctx->iv); + s390x_aes_gcm_setiv(gctx); if (arg <= 0 || arg > gctx->ivlen) arg = gctx->ivlen; @@ -1714,7 +1728,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) return 0; memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); - s390x_aes_gcm_setiv(gctx, gctx->iv); + s390x_aes_gcm_setiv(gctx); gctx->iv_set = 1; return 1; @@ -1770,43 +1784,36 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) } /*- - * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned. + * Set key or iv or enc/dec. Returns 1 on success. Otherwise 0 is returned. */ static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx); - int keylen; + const int keylen = EVP_CIPHER_CTX_key_length(ctx); - if (iv == NULL && key == NULL) - return 1; + gctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT); if (key != NULL) { - keylen = EVP_CIPHER_CTX_key_length(ctx); + gctx->fc &= ~S390X_KMA_HS; memcpy(&gctx->kma.param.k, key, keylen); - - gctx->fc = S390X_AES_FC(keylen); - if (!enc) - gctx->fc |= S390X_DECRYPT; - - if (iv == NULL && gctx->iv_set) - iv = gctx->iv; - - if (iv != NULL) { - s390x_aes_gcm_setiv(gctx, iv); - gctx->iv_set = 1; - } gctx->key_set = 1; - } else { - if (gctx->key_set) - s390x_aes_gcm_setiv(gctx, iv); - else - memcpy(gctx->iv, iv, gctx->ivlen); + } - gctx->iv_set = 1; + if (iv != NULL) { + memcpy(gctx->iv, iv, gctx->ivlen); gctx->iv_gen = 0; + gctx->iv_set = 1; } + + if (gctx->key_set && gctx->iv_set) + s390x_aes_gcm_setiv(gctx); + + gctx->fc &= ~(S390X_KMA_LPC | S390X_KMA_LAAD); + gctx->areslen = 0; + gctx->mreslen = 0; + gctx->kreslen = 0; return 1; } @@ -1895,7 +1902,6 @@ static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, /* recall that we already did en-/decrypt gctx->mres * and returned it to caller... */ OPENSSL_cleanse(tmp, gctx->mreslen); - gctx->iv_set = 0; enc = EVP_CIPHER_CTX_encrypting(ctx); if (enc) { @@ -1929,8 +1935,8 @@ static int s390x_aes_gcm_cleanup(EVP_CIPHER_CTX *c) } # define S390X_AES_XTS_CTX EVP_AES_XTS_CTX -# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */ -# define S390X_aes_256_xts_CAPABLE 1 +# define S390X_aes_128_xts_CAPABLE 0 /* checked by callee */ +# define S390X_aes_256_xts_CAPABLE 0 # define s390x_aes_xts_init_key aes_xts_init_key static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx, @@ -2134,9 +2140,10 @@ static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len) { S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx); - unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx); + const unsigned char *ivec = EVP_CIPHER_CTX_iv(ctx); unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx); const int enc = EVP_CIPHER_CTX_encrypting(ctx); + unsigned char iv[EVP_MAX_IV_LENGTH]; if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m)) @@ -2152,8 +2159,9 @@ static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, * Get explicit iv (sequence number). We already have fixed iv * (server/client_write_iv) here. */ - memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN); - s390x_aes_ccm_setiv(cctx, ivec, len); + memcpy(iv, ivec, sizeof(iv)); + memcpy(iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN); + s390x_aes_ccm_setiv(cctx, iv, len); /* Process aad (sequence number|type|version|length) */ s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len); @@ -2180,42 +2188,35 @@ static int s390x_aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } /*- - * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is - * returned. + * Set key or iv or enc/dec. Returns 1 if successful. + * Otherwise 0 is returned. */ static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx); - unsigned char *ivec; - int keylen; + const int keylen = EVP_CIPHER_CTX_key_length(ctx); + unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx); - if (iv == NULL && key == NULL) - return 1; + cctx->aes.ccm.fc = S390X_AES_FC(keylen); if (key != NULL) { - keylen = EVP_CIPHER_CTX_key_length(ctx); - cctx->aes.ccm.fc = S390X_AES_FC(keylen); memcpy(cctx->aes.ccm.kmac_param.k, key, keylen); - - /* Store encoded m and l. */ - cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7) - | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3; - memset(cctx->aes.ccm.nonce.b + 1, 0, - sizeof(cctx->aes.ccm.nonce.b)); - cctx->aes.ccm.blocks = 0; - cctx->aes.ccm.key_set = 1; } - if (iv != NULL) { - ivec = EVP_CIPHER_CTX_iv_noconst(ctx); memcpy(ivec, iv, 15 - cctx->aes.ccm.l); - cctx->aes.ccm.iv_set = 1; } + /* Store encoded m and l. */ + cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7) + | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3; + memset(cctx->aes.ccm.nonce.b + 1, 0, sizeof(cctx->aes.ccm.nonce.b) - 1); + + cctx->aes.ccm.blocks = 0; + cctx->aes.ccm.len_set = 0; return 1; } @@ -2230,8 +2231,9 @@ static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, { S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx); const int enc = EVP_CIPHER_CTX_encrypting(ctx); + const unsigned char *ivec = EVP_CIPHER_CTX_iv(ctx); + unsigned char *buf; int rv; - unsigned char *buf, *ivec; if (!cctx->aes.ccm.key_set) return -1; @@ -2253,7 +2255,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, if (out == NULL) { /* Update(): Pass message length. */ if (in == NULL) { - ivec = EVP_CIPHER_CTX_iv_noconst(ctx); s390x_aes_ccm_setiv(cctx, ivec, len); cctx->aes.ccm.len_set = 1; @@ -2279,7 +2280,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, * In case message length was not previously set explicitly via * Update(), set it now. */ - ivec = EVP_CIPHER_CTX_iv_noconst(ctx); s390x_aes_ccm_setiv(cctx, ivec, len); cctx->aes.ccm.len_set = 1; @@ -2304,9 +2304,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, if (rv == -1) OPENSSL_cleanse(out, len); - cctx->aes.ccm.iv_set = 0; - cctx->aes.ccm.tag_set = 0; - cctx->aes.ccm.len_set = 0; return rv; } } @@ -2414,9 +2411,6 @@ static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) return 0; memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m); - cctx->aes.ccm.tag_set = 0; - cctx->aes.ccm.iv_set = 0; - cctx->aes.ccm.len_set = 0; return 1; case EVP_CTRL_COPY: @@ -2453,7 +2447,7 @@ static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize, \ keylen / 8, \ ivlen, \ - flags | EVP_CIPH_##MODE##_MODE, \ + flags | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_##MODE##_MODE, \ s390x_aes_##mode##_init_key, \ s390x_aes_##mode##_cipher, \ NULL, \ @@ -2490,7 +2484,7 @@ static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \ blocksize, \ (EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \ ivlen, \ - flags | EVP_CIPH_##MODE##_MODE, \ + flags | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_##MODE##_MODE, \ s390x_aes_##mode##_init_key, \ s390x_aes_##mode##_cipher, \ s390x_aes_##mode##_cleanup, \ diff --git a/crypto/evp/e_camellia.c b/crypto/evp/e_camellia.c index 502d6936cc13..f8c019801267 100644 --- a/crypto/evp/e_camellia.c +++ b/crypto/evp/e_camellia.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -55,16 +55,16 @@ void cmll_t4_decrypt(const unsigned char *in, unsigned char *out, void cmll128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t len, const CAMELLIA_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void cmll128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out, size_t len, const CAMELLIA_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void cmll256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t len, const CAMELLIA_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void cmll256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out, size_t len, const CAMELLIA_KEY *key, - unsigned char *ivec); + unsigned char *ivec, int /*unused*/); void cmll128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out, size_t blocks, const CAMELLIA_KEY *key, unsigned char *ivec); diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c index 638f61b5863a..f871e4fe71e5 100644 --- a/crypto/hmac/hm_ameth.c +++ b/crypto/hmac/hm_ameth.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -47,7 +47,8 @@ static int hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) static int hmac_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { - return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)); + /* the ameth pub_cmp must return 1 on match, 0 on mismatch */ + return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)) == 0; } static int hmac_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv, diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c index ab31a6129500..03eda2664251 100644 --- a/crypto/pkcs12/p12_key.c +++ b/crypto/pkcs12/p12_key.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -101,7 +101,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, #endif v = EVP_MD_block_size(md_type); u = EVP_MD_size(md_type); - if (u < 0 || v <= 0) + if (u <= 0 || v <= 0) goto err; D = OPENSSL_malloc(v); Ai = OPENSSL_malloc(u); diff --git a/crypto/poly1305/poly1305_ameth.c b/crypto/poly1305/poly1305_ameth.c index 0c8a91dc79dc..0dddf79626e3 100644 --- a/crypto/poly1305/poly1305_ameth.c +++ b/crypto/poly1305/poly1305_ameth.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -43,7 +43,7 @@ static int poly1305_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) static int poly1305_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { - return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)); + return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)) == 0; } static int poly1305_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv, diff --git a/crypto/ppccap.c b/crypto/ppccap.c index e51156468ae5..eeaa47cc6b41 100644 --- a/crypto/ppccap.c +++ b/crypto/ppccap.c @@ -211,6 +211,12 @@ size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max) # if __GLIBC_PREREQ(2, 16) # include # define OSSL_IMPLEMENT_GETAUXVAL +# elif defined(__ANDROID_API__) +/* see https://developer.android.google.cn/ndk/guides/cpu-features */ +# if __ANDROID_API__ >= 18 +# include +# define OSSL_IMPLEMENT_GETAUXVAL +# endif # endif #endif diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index ec6be791b37f..43f1069d151d 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -34,6 +34,9 @@ #if defined(__OpenBSD__) # include #endif +#if defined(__APPLE__) +# include +#endif #if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) # include @@ -378,6 +381,11 @@ static ssize_t syscall_random(void *buf, size_t buflen) if (errno != ENOSYS) return -1; } +# elif defined(__APPLE__) + if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess) + return (ssize_t)buflen; + + return -1; # else union { void *p; diff --git a/crypto/rsa/rsa_prn.c b/crypto/rsa/rsa_prn.c index b5f4bce2a3e6..23df448a5212 100644 --- a/crypto/rsa/rsa_prn.c +++ b/crypto/rsa/rsa_prn.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -34,9 +34,11 @@ int RSA_print(BIO *bp, const RSA *x, int off) EVP_PKEY *pk; int ret; pk = EVP_PKEY_new(); - if (pk == NULL || !EVP_PKEY_set1_RSA(pk, (RSA *)x)) + if (pk == NULL) return 0; - ret = EVP_PKEY_print_private(bp, pk, off, NULL); + ret = EVP_PKEY_set1_RSA(pk, (RSA *)x); + if (ret) + ret = EVP_PKEY_print_private(bp, pk, off, NULL); EVP_PKEY_free(pk); return ret; } diff --git a/crypto/siphash/siphash_ameth.c b/crypto/siphash/siphash_ameth.c index 2da6dfec8025..7fce76390ef4 100644 --- a/crypto/siphash/siphash_ameth.c +++ b/crypto/siphash/siphash_ameth.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -44,7 +44,7 @@ static int siphash_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) static int siphash_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { - return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)); + return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)) == 0; } static int siphash_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv, diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c index ef505f64412b..83b97f4edc88 100644 --- a/crypto/sm2/sm2_crypt.c +++ b/crypto/sm2/sm2_crypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. * @@ -61,29 +61,20 @@ static size_t ec_field_size(const EC_GROUP *group) return field_size; } -int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, - size_t *pt_size) +int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size) { - const size_t field_size = ec_field_size(EC_KEY_get0_group(key)); - const int md_size = EVP_MD_size(digest); - size_t overhead; + struct SM2_Ciphertext_st *sm2_ctext = NULL; - if (md_size < 0) { - SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_DIGEST); - return 0; - } - if (field_size == 0) { - SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_FIELD); - return 0; - } + sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size); - overhead = 10 + 2 * field_size + (size_t)md_size; - if (msg_len <= overhead) { + if (sm2_ctext == NULL) { SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_ENCODING); return 0; } - *pt_size = msg_len - overhead; + *pt_size = sm2_ctext->C2->length; + SM2_Ciphertext_free(sm2_ctext); + return 1; } @@ -303,6 +294,10 @@ int sm2_decrypt(const EC_KEY *key, C2 = sm2_ctext->C2->data; C3 = sm2_ctext->C3->data; msg_len = sm2_ctext->C2->length; + if (*ptext_len < (size_t)msg_len) { + SM2err(SM2_F_SM2_DECRYPT, SM2_R_BUFFER_TOO_SMALL); + goto done; + } ctx = BN_CTX_new(); if (ctx == NULL) { diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c index b42a14c32f26..0e722b910b57 100644 --- a/crypto/sm2/sm2_pmeth.c +++ b/crypto/sm2/sm2_pmeth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -151,7 +151,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx, const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md; if (out == NULL) { - if (!sm2_plaintext_size(ec, md, inlen, outlen)) + if (!sm2_plaintext_size(in, inlen, outlen)) return -1; else return 1; diff --git a/crypto/sparcv9cap.c b/crypto/sparcv9cap.c index ff1a983ac98b..b3cb3d4be958 100644 --- a/crypto/sparcv9cap.c +++ b/crypto/sparcv9cap.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ #include #include #include "internal/cryptlib.h" +#include "bn/bn_local.h" /* for definition of bn_mul_mont */ #include "sparc_arch.h" diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 3dd2ab050757..394e1180dfa4 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -684,7 +684,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, BIGNUM *x = NULL; BN_CTX *bn_ctx = BN_CTX_new(); unsigned char tmp2[MAX_LEN]; - BIGNUM *salttmp = NULL; + BIGNUM *salttmp = NULL, *verif; if ((user == NULL) || (pass == NULL) || @@ -707,17 +707,18 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, if (x == NULL) goto err; - *verifier = BN_new(); - if (*verifier == NULL) + verif = BN_new(); + if (verif == NULL) goto err; - if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) { - BN_clear_free(*verifier); + if (!BN_mod_exp(verif, g, x, N, bn_ctx)) { + BN_clear_free(verif); goto err; } result = 1; *salt = salttmp; + *verifier = verif; err: if (salt != NULL && *salt != salttmp) diff --git a/crypto/store/loader_file.c b/crypto/store/loader_file.c index 9c9e3bd08506..32e7b9f65a41 100644 --- a/crypto/store/loader_file.c +++ b/crypto/store/loader_file.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -370,6 +370,7 @@ static OSSL_STORE_INFO *try_decode_PKCS8Encrypted(const char *pem_name, mem->data = (char *)new_data; mem->max = mem->length = (size_t)new_data_len; X509_SIG_free(p8); + p8 = NULL; store_info = ossl_store_info_new_EMBEDDED(PEM_STRING_PKCS8INF, mem); if (store_info == NULL) { diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index c2e7abd67f50..7fe3d27e74a2 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -612,6 +612,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info, err: EVP_MD_CTX_free(md_ctx); X509_ALGOR_free(*md_alg); + *md_alg = NULL; OPENSSL_free(*imprint); *imprint_len = 0; *imprint = 0; diff --git a/crypto/ts/ts_verify_ctx.c b/crypto/ts/ts_verify_ctx.c index 1e80e0d37029..32cd2f542bb7 100644 --- a/crypto/ts/ts_verify_ctx.c +++ b/crypto/ts/ts_verify_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -126,6 +126,8 @@ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx) goto err; msg = imprint->hashed_msg; ret->imprint_len = ASN1_STRING_length(msg); + if (ret->imprint_len <= 0) + goto err; if ((ret->imprint = OPENSSL_malloc(ret->imprint_len)) == NULL) goto err; memcpy(ret->imprint, ASN1_STRING_get0_data(msg), ret->imprint_len); diff --git a/crypto/uid.c b/crypto/uid.c index 65b1171039fe..5e3315eeb2e3 100644 --- a/crypto/uid.c +++ b/crypto/uid.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -36,6 +36,12 @@ int OPENSSL_issetugid(void) # include # define OSSL_IMPLEMENT_GETAUXVAL # endif +# elif defined(__ANDROID_API__) +/* see https://developer.android.google.cn/ndk/guides/cpu-features */ +# if __ANDROID_API__ >= 18 +# include +# define OSSL_IMPLEMENT_GETAUXVAL +# endif # endif int OPENSSL_issetugid(void) diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 12d807f705ed..ece987a6bdbe 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, int indent) BIO_puts(out, "\n"); } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); - alias = X509_alias_get0(x, NULL); + alias = X509_alias_get0(x, &i); if (alias) - BIO_printf(out, "%*sAlias: %s\n", indent, "", alias); + BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias); keyid = X509_keyid_get0(x, &keyidlen); if (keyid) { BIO_printf(out, "%*sKey Id: ", indent, ""); diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 68b681d5ee85..535f169a29e7 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -199,7 +199,8 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, return 0; } - /* Copy the host flags if and only if we're copying the host list */ + x509_verify_param_copy(hostflags, 0); + if (test_x509_verify_param_copy(hosts, NULL)) { sk_OPENSSL_STRING_pop_free(dest->hosts, str_free); dest->hosts = NULL; @@ -208,7 +209,6 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free); if (dest->hosts == NULL) return 0; - dest->hostflags = src->hostflags; } } diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c index d9f770433cfb..33b1933d7228 100644 --- a/crypto/x509v3/v3_akey.c +++ b/crypto/x509v3/v3_akey.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,20 +39,48 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, STACK_OF(CONF_VALUE) *extlist) { - char *tmp; + char *tmp = NULL; + STACK_OF(CONF_VALUE) *origextlist = extlist, *tmpextlist; + if (akeyid->keyid) { tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length); - X509V3_add_value("keyid", tmp, &extlist); + if (tmp == NULL) { + X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE); + return NULL; + } + if (!X509V3_add_value("keyid", tmp, &extlist)) { + OPENSSL_free(tmp); + X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB); + goto err; + } OPENSSL_free(tmp); } - if (akeyid->issuer) - extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist); + if (akeyid->issuer) { + tmpextlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist); + if (tmpextlist == NULL) { + X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB); + goto err; + } + extlist = tmpextlist; + } if (akeyid->serial) { tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length); - X509V3_add_value("serial", tmp, &extlist); + if (tmp == NULL) { + X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!X509V3_add_value("serial", tmp, &extlist)) { + OPENSSL_free(tmp); + X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB); + goto err; + } OPENSSL_free(tmp); } return extlist; + err: + if (origextlist == NULL) + sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free); + return NULL; } /*- diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c index 4dce0041012e..7c32d4031d11 100644 --- a/crypto/x509v3/v3_alt.c +++ b/crypto/x509v3/v3_alt.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,6 +9,7 @@ #include #include "internal/cryptlib.h" +#include "crypto/x509.h" #include #include #include "ext_dat.h" @@ -99,17 +100,20 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, break; case GEN_EMAIL: - if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret)) + if (!x509v3_add_len_value_uchar("email", gen->d.ia5->data, + gen->d.ia5->length, &ret)) return NULL; break; case GEN_DNS: - if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret)) + if (!x509v3_add_len_value_uchar("DNS", gen->d.ia5->data, + gen->d.ia5->length, &ret)) return NULL; break; case GEN_URI: - if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret)) + if (!x509v3_add_len_value_uchar("URI", gen->d.ia5->data, + gen->d.ia5->length, &ret)) return NULL; break; diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c index 1d12c899125c..09804b58482c 100644 --- a/crypto/x509v3/v3_cpols.c +++ b/crypto/x509v3/v3_cpols.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -422,7 +422,8 @@ static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, qualinfo = sk_POLICYQUALINFO_value(quals, i); switch (OBJ_obj2nid(qualinfo->pqualid)) { case NID_id_qt_cps: - BIO_printf(out, "%*sCPS: %s\n", indent, "", + BIO_printf(out, "%*sCPS: %.*s\n", indent, "", + qualinfo->d.cpsuri->length, qualinfo->d.cpsuri->data); break; @@ -447,7 +448,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent) if (notice->noticeref) { NOTICEREF *ref; ref = notice->noticeref; - BIO_printf(out, "%*sOrganization: %s\n", indent, "", + BIO_printf(out, "%*sOrganization: %.*s\n", indent, "", + ref->organization->length, ref->organization->data); BIO_printf(out, "%*sNumber%s: ", indent, "", sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : ""); @@ -470,7 +472,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent) BIO_puts(out, "\n"); } if (notice->exptext) - BIO_printf(out, "%*sExplicit Text: %s\n", indent, "", + BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "", + notice->exptext->length, notice->exptext->data); } diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index 2a7b4f0992a8..d985aa91dacd 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509v3/v3_ncons.c @@ -1,5 +1,5 @@ /* - * Copyright 2003-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -63,8 +63,31 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = { IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) + +#define IA5_OFFSET_LEN(ia5base, offset) \ + ((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data)) + +/* Like memchr but for ASN1_IA5STRING. Additionally you can specify the + * starting point to search from + */ +# define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start)) + +/* Like memrrchr but for ASN1_IA5STRING */ +static char *ia5memrchr(ASN1_IA5STRING *str, int c) +{ + int i; + + for (i = str->length; i > 0 && str->data[i - 1] != c; i--); + + if (i == 0) + return NULL; + + return (char *)&str->data[i - 1]; +} + /* - * We cannot use strncasecmp here because that applies locale specific rules. + * We cannot use strncasecmp here because that applies locale specific rules. It + * also doesn't work with ASN1_STRINGs that may have embedded NUL characters. * For example in Turkish 'I' is not the uppercase character for 'i'. We need to * do a simple ASCII case comparison ignoring the locale (that is why we use * numeric constants below). @@ -89,20 +112,12 @@ static int ia5ncasecmp(const char *s1, const char *s2, size_t n) /* c1 > c2 */ return 1; - } else if (*s1 == 0) { - /* If we get here we know that *s2 == 0 too */ - return 0; } } return 0; } -static int ia5casecmp(const char *s1, const char *s2) -{ - return ia5ncasecmp(s1, s2, SIZE_MAX); -} - static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) { @@ -337,7 +352,7 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen) --utf8_length; /* Reject *embedded* NULs */ - if ((size_t)utf8_length != strlen((char *)utf8_value)) { + if (memchr(utf8_value, 0, utf8_length) != NULL) { OPENSSL_free(utf8_value); return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; } @@ -536,9 +551,14 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base) { char *baseptr = (char *)base->data; char *dnsptr = (char *)dns->data; + /* Empty matches everything */ - if (!*baseptr) + if (base->length == 0) return X509_V_OK; + + if (dns->length < base->length) + return X509_V_ERR_PERMITTED_VIOLATION; + /* * Otherwise can add zero or more components on the left so compare RHS * and if dns is longer and expect '.' as preceding character. @@ -549,7 +569,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base) return X509_V_ERR_PERMITTED_VIOLATION; } - if (ia5casecmp(baseptr, dnsptr)) + if (ia5ncasecmp(baseptr, dnsptr, base->length)) return X509_V_ERR_PERMITTED_VIOLATION; return X509_V_OK; @@ -560,16 +580,17 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) { const char *baseptr = (char *)base->data; const char *emlptr = (char *)eml->data; + const char *baseat = ia5memrchr(base, '@'); + const char *emlat = ia5memrchr(eml, '@'); + size_t basehostlen, emlhostlen; - const char *baseat = strchr(baseptr, '@'); - const char *emlat = strchr(emlptr, '@'); if (!emlat) return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; /* Special case: initial '.' is RHS match */ - if (!baseat && (*baseptr == '.')) { + if (!baseat && base->length > 0 && (*baseptr == '.')) { if (eml->length > base->length) { emlptr += eml->length - base->length; - if (ia5casecmp(baseptr, emlptr) == 0) + if (ia5ncasecmp(baseptr, emlptr, base->length) == 0) return X509_V_OK; } return X509_V_ERR_PERMITTED_VIOLATION; @@ -589,8 +610,10 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) baseptr = baseat + 1; } emlptr = emlat + 1; + basehostlen = IA5_OFFSET_LEN(base, baseptr); + emlhostlen = IA5_OFFSET_LEN(eml, emlptr); /* Just have hostname left to match: case insensitive */ - if (ia5casecmp(baseptr, emlptr)) + if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen)) return X509_V_ERR_PERMITTED_VIOLATION; return X509_V_OK; @@ -601,10 +624,14 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base) { const char *baseptr = (char *)base->data; const char *hostptr = (char *)uri->data; - const char *p = strchr(hostptr, ':'); + const char *p = ia5memchr(uri, (char *)uri->data, ':'); int hostlen; + /* Check for foo:// and skip past it */ - if (!p || (p[1] != '/') || (p[2] != '/')) + if (p == NULL + || IA5_OFFSET_LEN(uri, p) < 3 + || p[1] != '/' + || p[2] != '/') return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; hostptr = p + 3; @@ -612,13 +639,13 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base) /* Look for a port indicator as end of hostname first */ - p = strchr(hostptr, ':'); + p = ia5memchr(uri, hostptr, ':'); /* Otherwise look for trailing slash */ - if (!p) - p = strchr(hostptr, '/'); + if (p == NULL) + p = ia5memchr(uri, hostptr, '/'); - if (!p) - hostlen = strlen(hostptr); + if (p == NULL) + hostlen = IA5_OFFSET_LEN(uri, hostptr); else hostlen = p - hostptr; @@ -626,7 +653,7 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base) return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; /* Special case: initial '.' is RHS match */ - if (*baseptr == '.') { + if (base->length > 0 && *baseptr == '.') { if (hostlen > base->length) { p = hostptr + hostlen - base->length; if (ia5ncasecmp(p, baseptr, base->length) == 0) diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c index 3d124fa6d95d..532d4e192fec 100644 --- a/crypto/x509v3/v3_pci.c +++ b/crypto/x509v3/v3_pci.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -77,7 +77,8 @@ static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); BIO_puts(out, "\n"); if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) - BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", + BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "", + pci->proxyPolicy->policy->length, pci->proxyPolicy->policy->data); return 1; } diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c index 7281a7b917a8..f41c699b5af0 100644 --- a/crypto/x509v3/v3_utl.c +++ b/crypto/x509v3/v3_utl.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,6 +12,7 @@ #include "e_os.h" #include "internal/cryptlib.h" #include +#include #include "crypto/ctype.h" #include #include @@ -34,17 +35,26 @@ static int ipv6_hex(unsigned char *out, const char *in, int inlen); /* Add a CONF_VALUE name value pair to stack */ -int X509V3_add_value(const char *name, const char *value, - STACK_OF(CONF_VALUE) **extlist) +static int x509v3_add_len_value(const char *name, const char *value, + size_t vallen, STACK_OF(CONF_VALUE) **extlist) { CONF_VALUE *vtmp = NULL; char *tname = NULL, *tvalue = NULL; int sk_allocated = (*extlist == NULL); - if (name && (tname = OPENSSL_strdup(name)) == NULL) - goto err; - if (value && (tvalue = OPENSSL_strdup(value)) == NULL) + if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL) goto err; + if (value != NULL && vallen > 0) { + /* + * We tolerate a single trailing NUL character, but otherwise no + * embedded NULs + */ + if (memchr(value, 0, vallen - 1) != NULL) + goto err; + tvalue = OPENSSL_strndup(value, vallen); + if (tvalue == NULL) + goto err; + } if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL) goto err; if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL) @@ -56,7 +66,7 @@ int X509V3_add_value(const char *name, const char *value, goto err; return 1; err: - X509V3err(X509V3_F_X509V3_ADD_VALUE, ERR_R_MALLOC_FAILURE); + X509V3err(X509V3_F_X509V3_ADD_LEN_VALUE, ERR_R_MALLOC_FAILURE); if (sk_allocated) { sk_CONF_VALUE_free(*extlist); *extlist = NULL; @@ -67,10 +77,26 @@ int X509V3_add_value(const char *name, const char *value, return 0; } +int X509V3_add_value(const char *name, const char *value, + STACK_OF(CONF_VALUE) **extlist) +{ + return x509v3_add_len_value(name, value, + value != NULL ? strlen((const char *)value) : 0, + extlist); +} + int X509V3_add_value_uchar(const char *name, const unsigned char *value, STACK_OF(CONF_VALUE) **extlist) { - return X509V3_add_value(name, (const char *)value, extlist); + return x509v3_add_len_value(name, (const char *)value, + value != NULL ? strlen((const char *)value) : 0, + extlist); +} + +int x509v3_add_len_value_uchar(const char *name, const unsigned char *value, + size_t vallen, STACK_OF(CONF_VALUE) **extlist) +{ + return x509v3_add_len_value(name, (const char *)value, vallen, extlist); } /* Free function for STACK_OF(CONF_VALUE) */ @@ -502,18 +528,26 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email /* First some sanity checks */ if (email->type != V_ASN1_IA5STRING) return 1; - if (!email->data || !email->length) + if (email->data == NULL || email->length == 0) + return 1; + if (memchr(email->data, 0, email->length) != NULL) return 1; if (*sk == NULL) *sk = sk_OPENSSL_STRING_new(sk_strcmp); if (*sk == NULL) return 0; + + emtmp = OPENSSL_strndup((char *)email->data, email->length); + if (emtmp == NULL) + return 0; + /* Don't add duplicates */ - if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) + if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) { + OPENSSL_free(emtmp); return 1; - emtmp = OPENSSL_strdup((char *)email->data); - if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) { - OPENSSL_free(emtmp); /* free on push failure */ + } + if (!sk_OPENSSL_STRING_push(*sk, emtmp)) { + OPENSSL_free(emtmp); /* free on push failure */ X509_email_free(*sk); *sk = NULL; return 0; diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c index 4f2ea52a4a5f..8b2918a64fff 100644 --- a/crypto/x509v3/v3err.c +++ b/crypto/x509v3/v3err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,6 +39,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = { "i2s_ASN1_INTEGER"}, {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_INFO_ACCESS, 0), "i2v_AUTHORITY_INFO_ACCESS"}, + {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_KEYID, 0), + "i2v_AUTHORITY_KEYID"}, {ERR_PACK(ERR_LIB_X509V3, X509V3_F_LEVEL_ADD_NODE, 0), "level_add_node"}, {ERR_PACK(ERR_LIB_X509V3, X509V3_F_NOTICE_SECTION, 0), "notice_section"}, {ERR_PACK(ERR_LIB_X509V3, X509V3_F_NREF_NOS, 0), "nref_nos"}, @@ -104,6 +106,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = { {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V3_GENERIC_EXTENSION, 0), "v3_generic_extension"}, {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD1_I2D, 0), "X509V3_add1_i2d"}, + {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD_LEN_VALUE, 0), + "x509v3_add_len_value"}, {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD_VALUE, 0), "X509V3_add_value"}, {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_ADD, 0), "X509V3_EXT_add"}, diff --git a/doc/man1/enc.pod b/doc/man1/enc.pod index 3c7b6c42ea2c..9068282db543 100644 --- a/doc/man1/enc.pod +++ b/doc/man1/enc.pod @@ -180,8 +180,8 @@ Debug the BIOs used for I/O. =item B<-z> -Compress or decompress clear text using zlib before encryption or after -decryption. This option exists only if OpenSSL with compiled with zlib +Compress or decompress encrypted data using zlib after encryption or before +decryption. This option exists only if OpenSSL was compiled with the zlib or zlib-dynamic option. =item B<-none> diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index 743b2db2ba43..f1a2c4abdf53 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -797,7 +797,7 @@ server. The B utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will -accept any certificate chain (trusted or not) sent by the peer. None test +accept any certificate chain (trusted or not) sent by the peer. Non-test applications should B do this as it makes them vulnerable to a MITM attack. This behaviour can be changed by with the B<-verify_return_error> option: any verify errors are then returned aborting the handshake. diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod index 9fdac4919038..aa6c19d31f9a 100644 --- a/doc/man1/s_server.pod +++ b/doc/man1/s_server.pod @@ -701,7 +701,7 @@ disabling the ephemeral DH cipher suites. =item B<-alpn val>, B<-nextprotoneg val> -These flags enable the Enable the Application-Layer Protocol Negotiation +These flags enable the Application-Layer Protocol Negotiation or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the IETF standard and replaces NPN. The B list is a comma-separated list of supported protocol diff --git a/doc/man3/BIO_f_ssl.pod b/doc/man3/BIO_f_ssl.pod index 59cccbd4e597..641ee2329efc 100644 --- a/doc/man3/BIO_f_ssl.pod +++ b/doc/man3/BIO_f_ssl.pod @@ -185,11 +185,6 @@ unencrypted example in L. ERR_print_errors_fp(stderr); exit(1); } - if (BIO_do_handshake(sbio) <= 0) { - fprintf(stderr, "Error establishing SSL connection\n"); - ERR_print_errors_fp(stderr); - exit(1); - } /* XXX Could examine ssl here to get connection info */ @@ -298,7 +293,7 @@ be modified to handle this fix or they may free up an already freed BIO. =head1 COPYRIGHT -Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BIO_push.pod b/doc/man3/BIO_push.pod index 93f2cc31fdae..8b98bee49885 100644 --- a/doc/man3/BIO_push.pod +++ b/doc/man3/BIO_push.pod @@ -61,8 +61,8 @@ the new chain is B. Data written to B will be digested by B and B, B encoded and written to B. It should be noted that reading causes data to pass in the reverse -direction, that is data is read from B, base64 B and digested -by B and B. If the call: +direction, that is data is read from B, B decoded and digested +by B and B. If the call: BIO_pop(md2); @@ -79,7 +79,7 @@ The BIO_set_next() function was added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BN_cmp.pod b/doc/man3/BN_cmp.pod index 95d162ff2957..261619c512ab 100644 --- a/doc/man3/BN_cmp.pod +++ b/doc/man3/BN_cmp.pod @@ -2,42 +2,47 @@ =head1 NAME -BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_is_odd - BIGNUM comparison and test functions +BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd - BIGNUM comparison and test functions =head1 SYNOPSIS #include - int BN_cmp(BIGNUM *a, BIGNUM *b); - int BN_ucmp(BIGNUM *a, BIGNUM *b); + int BN_cmp(const BIGNUM *a, const BIGNUM *b); + int BN_ucmp(const BIGNUM *a, const BIGNUM *b); - int BN_is_zero(BIGNUM *a); - int BN_is_one(BIGNUM *a); - int BN_is_word(BIGNUM *a, BN_ULONG w); - int BN_is_odd(BIGNUM *a); + int BN_is_zero(const BIGNUM *a); + int BN_is_one(const BIGNUM *a); + int BN_is_word(const BIGNUM *a, const BN_ULONG w); + int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w); + int BN_is_odd(const BIGNUM *a); =head1 DESCRIPTION -BN_cmp() compares the numbers B and B. BN_ucmp() compares their +BN_cmp() compares the numbers I and I. BN_ucmp() compares their absolute values. -BN_is_zero(), BN_is_one() and BN_is_word() test if B equals 0, 1, -or B respectively. BN_is_odd() tests if a is odd. - -BN_is_zero(), BN_is_one(), BN_is_word() and BN_is_odd() are macros. +BN_is_zero(), BN_is_one(), BN_is_word() and BN_abs_is_word() test if +I equals 0, 1, I, or EIE respectively. +BN_is_odd() tests if I is odd. =head1 RETURN VALUES -BN_cmp() returns -1 if B E B, 0 if B == B and 1 if -B E B. BN_ucmp() is the same using the absolute values -of B and B. +BN_cmp() returns -1 if I E I, 0 if I == I and 1 if +I E I. BN_ucmp() is the same using the absolute values +of I and I. + +BN_is_zero(), BN_is_one() BN_is_word(), BN_abs_is_word() and +BN_is_odd() return 1 if the condition is true, 0 otherwise. + +=head1 HISTORY -BN_is_zero(), BN_is_one() BN_is_word() and BN_is_odd() return 1 if -the condition is true, 0 otherwise. +Prior to OpenSSL 1.1.0, BN_is_zero(), BN_is_one(), BN_is_word(), +BN_abs_is_word() and BN_is_odd() were macros. =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/d2i_PrivateKey.pod b/doc/man3/d2i_PrivateKey.pod index 4e3f20f8b324..e7272595bc40 100644 --- a/doc/man3/d2i_PrivateKey.pod +++ b/doc/man3/d2i_PrivateKey.pod @@ -42,6 +42,10 @@ These functions are similar to the d2i_X509() functions; see L. =head1 NOTES +All the functions that operate on data in memory update the data pointer I<*pp> +after a successful operation, just like the other d2i and i2d functions; +see L. + All these functions use DER format and unencrypted keys. Applications wishing to encrypt or decrypt private keys should use other functions such as d2i_PKCS8PrivateKey() instead. @@ -71,7 +75,7 @@ L =head1 COPYRIGHT -Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/x509.pod b/doc/man7/x509.pod index 065dcb14fbeb..7274e5ce9552 100644 --- a/doc/man7/x509.pod +++ b/doc/man7/x509.pod @@ -11,7 +11,7 @@ x509 - X.509 certificate handling =head1 DESCRIPTION An X.509 certificate is a structured grouping of information about -an individual, a device, or anything one can imagine. A X.509 CRL +an individual, a device, or anything one can imagine. An X.509 CRL (certificate revocation list) is a tool to help determine if a certificate is still valid. The exact definition of those can be found in the X.509 document from ITU-T, or in RFC3280 from PKIX. @@ -24,7 +24,7 @@ X509_REQ is used to express such a certificate request. To handle some complex parts of a certificate, there are the types X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express -a certificate attributes), X509_EXTENSION (to express a certificate +a certificate attribute), X509_EXTENSION (to express a certificate extension) and a few more. Finally, there's the supertype X509_INFO, which can contain a CRL, a @@ -63,7 +63,7 @@ L =head1 COPYRIGHT -Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h index 76ee80baff19..a7f5548c0843 100644 --- a/include/crypto/sm2.h +++ b/include/crypto/sm2.h @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. * @@ -60,8 +60,7 @@ int sm2_verify(const unsigned char *dgst, int dgstlen, int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, size_t *ct_size); -int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len, - size_t *pt_size); +int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size); int sm2_encrypt(const EC_KEY *key, const EVP_MD *digest, diff --git a/include/crypto/x509.h b/include/crypto/x509.h index b53c2b03c39e..243ea74f6f4e 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,6 +8,8 @@ */ #include "internal/refcount.h" +#include +#include /* Internal X509 structures and functions: not for application use */ @@ -284,3 +286,6 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc); int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm); void x509_init_sig_info(X509 *x); + +int x509v3_add_len_value_uchar(const char *name, const unsigned char *value, + size_t vallen, STACK_OF(CONF_VALUE) **extlist); diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index cf308eee2cd2..5c88e5194919 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -279,7 +279,8 @@ typedef unsigned __int64 uint64_t; # define ossl_inline inline # endif -# if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L +# if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && \ + !defined(__cplusplus) # define ossl_noreturn _Noreturn # elif defined(__GNUC__) && __GNUC__ >= 2 # define ossl_noreturn __attribute__((noreturn)) diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 0cd6b2f94858..cbbfab12b3f3 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -39,8 +39,8 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x101010bfL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k 25 Mar 2021" +# define OPENSSL_VERSION_NUMBER 0x101010cfL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1l 24 Aug 2021" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 82983d3c1e99..701d61c6e9cb 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -70,6 +70,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_FINAL_EMS 486 # define SSL_F_FINAL_KEY_SHARE 503 # define SSL_F_FINAL_MAXFRAGMENTLEN 557 +# define SSL_F_FINAL_PSK 639 # define SSL_F_FINAL_RENEGOTIATE 483 # define SSL_F_FINAL_SERVER_NAME 558 # define SSL_F_FINAL_SIG_ALGS 497 @@ -592,6 +593,7 @@ int ERR_load_SSL_strings(void); # define SSL_R_MISSING_ECDSA_SIGNING_CERT 381 # define SSL_R_MISSING_FATAL 256 # define SSL_R_MISSING_PARAMETERS 290 +# define SSL_R_MISSING_PSK_KEX_MODES_EXTENSION 310 # define SSL_R_MISSING_RSA_CERTIFICATE 168 # define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169 # define SSL_R_MISSING_RSA_SIGNING_CERT 170 @@ -633,6 +635,7 @@ int ERR_load_SSL_strings(void); # define SSL_R_NO_VERIFY_COOKIE_CALLBACK 403 # define SSL_R_NULL_SSL_CTX 195 # define SSL_R_NULL_SSL_METHOD_PASSED 196 +# define SSL_R_OCSP_CALLBACK_FAILURE 294 # define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 # define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344 # define SSL_R_OVERFLOW_ERROR 237 diff --git a/include/openssl/x509v3err.h b/include/openssl/x509v3err.h index 5f25442f12fd..3b9f7139d80e 100644 --- a/include/openssl/x509v3err.h +++ b/include/openssl/x509v3err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,6 +38,7 @@ int ERR_load_X509V3_strings(void); # define X509V3_F_I2S_ASN1_IA5STRING 149 # define X509V3_F_I2S_ASN1_INTEGER 120 # define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 +# define X509V3_F_I2V_AUTHORITY_KEYID 173 # define X509V3_F_LEVEL_ADD_NODE 168 # define X509V3_F_NOTICE_SECTION 132 # define X509V3_F_NREF_NOS 133 @@ -78,6 +79,7 @@ int ERR_load_X509V3_strings(void); # define X509V3_F_V2I_TLS_FEATURE 165 # define X509V3_F_V3_GENERIC_EXTENSION 116 # define X509V3_F_X509V3_ADD1_I2D 140 +# define X509V3_F_X509V3_ADD_LEN_VALUE 174 # define X509V3_F_X509V3_ADD_VALUE 105 # define X509V3_F_X509V3_EXT_ADD 104 # define X509V3_F_X509V3_EXT_ADD_ALIAS 106 diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index 53129bfb8811..c4239345b633 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -451,6 +451,7 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx) goto err; return ret; err: + BIO_free(ssl); BIO_free(con); #endif return NULL; diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index afbf015216a3..05b85c1078c0 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -342,12 +342,11 @@ int dtls1_is_timer_expired(SSL *s) return 1; } -void dtls1_double_timeout(SSL *s) +static void dtls1_double_timeout(SSL *s) { s->d1->timeout_duration_us *= 2; if (s->d1->timeout_duration_us > 60000000) s->d1->timeout_duration_us = 60000000; - dtls1_start_timer(s); } void dtls1_stop_timer(SSL *s) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index b2a7a47eb075..8249b4ace9cd 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -172,9 +172,9 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, /* * If extend == 0, obtain new n-byte packet; if extend == 1, increase * packet by another n bytes. The packet will be in the sub-array of - * s->s3->rbuf.buf specified by s->packet and s->packet_length. (If - * s->rlayer.read_ahead is set, 'max' bytes may be stored in rbuf [plus - * s->packet_length bytes if extend == 1].) + * s->rlayer.rbuf.buf specified by s->rlayer.packet and + * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may + * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].) * if clearold == 1, move the packet to the start of the buffer; if * clearold == 0 then leave any old packets where they were */ diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index 9b2a6964c689..b9ba25e0c3f8 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -74,7 +74,6 @@ int ssl3_setup_read_buffer(SSL *s) b->len = len; } - RECORD_LAYER_set_packet(&s->rlayer, &(b->buf[0])); return 1; } diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index ab5d22aa10cb..e6a8bbd71073 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -405,7 +405,7 @@ int ssl3_get_record(SSL *s) more = thisrr->length; } if (more > 0) { - /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ + /* now s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH */ rret = ssl3_read_n(s, more, more, 1, 0, &n); if (rret <= 0) @@ -416,9 +416,9 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER); /* - * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH - * + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH - * + thisrr->length and we have that many bytes in s->packet + * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH + * + thisrr->length, or s->rlayer.packet_length == SSL2_RT_HEADER_LENGTH + * + thisrr->length and we have that many bytes in s->rlayer.packet */ if (thisrr->rec_version == SSL2_VERSION) { thisrr->input = @@ -429,11 +429,11 @@ int ssl3_get_record(SSL *s) } /* - * ok, we can now read from 's->packet' data into 'thisrr' thisrr->input - * points at thisrr->length bytes, which need to be copied into - * thisrr->data by either the decryption or by the decompression When - * the data is 'copied' into the thisrr->data buffer, thisrr->input will - * be pointed at the new buffer + * ok, we can now read from 's->rlayer.packet' data into 'thisrr'. + * thisrr->input points at thisrr->length bytes, which need to be copied + * into thisrr->data by either the decryption or by the decompression. + * When the data is 'copied' into the thisrr->data buffer, + * thisrr->input will be updated to point at the new buffer */ /* @@ -1616,16 +1616,16 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) sess = s->session; /* - * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->packet + * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LNGTH + rr->length, + * and we have that many bytes in s->rlayer.packet */ rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]); /* - * ok, we can now read from 's->packet' data into 'rr' rr->input points - * at rr->length bytes, which need to be copied into rr->data by either - * the decryption or by the decompression When the data is 'copied' into - * the rr->data buffer, rr->input will be pointed at the new buffer + * ok, we can now read from 's->rlayer.packet' data into 'rr'. rr->input + * points at rr->length bytes, which need to be copied into rr->data by + * either the decryption or by the decompression. When the data is 'copied' + * into the rr->data buffer, rr->input will be pointed at the new buffer */ /* @@ -1947,7 +1947,7 @@ int dtls1_get_record(SSL *s) if (rr->length > RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) { - /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ + /* now s->rlayer.packet_length == DTLS1_RT_HEADER_LENGTH */ more = rr->length; rret = ssl3_read_n(s, more, more, 1, 1, &n); /* this packet contained a partial record, dump it */ @@ -1963,7 +1963,7 @@ int dtls1_get_record(SSL *s) } /* - * now n == rr->length, and s->packet_length == + * now n == rr->length, and s->rlayer.packet_length == * DTLS1_RT_HEADER_LENGTH + rr->length */ } diff --git a/ssl/s3_msg.c b/ssl/s3_msg.c index 339fb2774a63..707e962d73d4 100644 --- a/ssl/s3_msg.c +++ b/ssl/s3_msg.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -48,6 +48,8 @@ int ssl3_send_alert(SSL *s, int level, int desc) * protocol_version alerts */ if (desc < 0) return -1; + if (s->shutdown & SSL_SENT_SHUTDOWN && desc != SSL_AD_CLOSE_NOTIFY) + return -1; /* If a fatal one, remove from cache */ if ((level == SSL3_AL_FATAL) && (s->session != NULL)) SSL_CTX_remove_session(s->session_ctx, s->session); diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 5d3e83f32897..e7feda81d046 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -876,18 +876,36 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) return 1; } +int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp) +{ + int level; + static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 }; + + if (ctx != NULL) + level = SSL_CTX_get_security_level(ctx); + else + level = SSL_get_security_level(s); + + if (level > 5) + level = 5; + else if (level < 0) + level = 0; + + if (levelp != NULL) + *levelp = level; + + return minbits_table[level]; +} + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex) { int level, minbits; - static const int minbits_table[5] = { 80, 112, 128, 192, 256 }; - if (ctx) - level = SSL_CTX_get_security_level(ctx); - else - level = SSL_get_security_level(s); - if (level <= 0) { + minbits = ssl_get_security_level_bits(s, ctx, &level); + + if (level == 0) { /* * No EDH keys weaker than 1024-bits even at level 0, otherwise, * anything goes. @@ -896,9 +914,6 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, return 0; return 1; } - if (level > 5) - level = 5; - minbits = minbits_table[level - 1]; switch (op) { case SSL_SECOP_CIPHER_SUPPORTED: case SSL_SECOP_CIPHER_SHARED: diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 4b12ed1485d9..324f2ccbb0de 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -85,6 +85,7 @@ static const ERR_STRING_DATA SSL_str_functs[] = { {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_KEY_SHARE, 0), "final_key_share"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_MAXFRAGMENTLEN, 0), "final_maxfragmentlen"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_PSK, 0), "final_psk"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_RENEGOTIATE, 0), "final_renegotiate"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_SERVER_NAME, 0), "final_server_name"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_SIG_ALGS, 0), "final_sig_algs"}, @@ -948,6 +949,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "missing ecdsa signing cert"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_FATAL), "missing fatal"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PARAMETERS), "missing parameters"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION), + "missing psk kex modes extension"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_ENCRYPTING_CERT), @@ -1018,6 +1021,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_CTX), "null ssl ctx"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_METHOD_PASSED), "null ssl method passed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OCSP_CALLBACK_FAILURE), + "ocsp callback failure"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED), "old session cipher not returned"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 58f8f3c14cfa..ffd0a0bc6d17 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2119,6 +2119,11 @@ int SSL_key_update(SSL *s, int updatetype) return 0; } + if (RECORD_LAYER_write_pending(&s->rlayer)) { + SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_BAD_WRITE_RETRY); + return 0; + } + ossl_statem_set_in_init(s, 1); s->key_update = updatetype; return 1; @@ -2829,6 +2834,19 @@ void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx, } #endif +static int alpn_value_ok(const unsigned char *protos, unsigned int protos_len) +{ + unsigned int idx; + + if (protos_len < 2 || protos == NULL) + return 0; + + for (idx = 0; idx < protos_len; idx += protos[idx] + 1) { + if (protos[idx] == 0) + return 0; + } + return idx == protos_len; +} /* * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|. * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit @@ -2837,13 +2855,25 @@ void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx, int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned int protos_len) { - OPENSSL_free(ctx->ext.alpn); - ctx->ext.alpn = OPENSSL_memdup(protos, protos_len); - if (ctx->ext.alpn == NULL) { + unsigned char *alpn; + + if (protos_len == 0 || protos == NULL) { + OPENSSL_free(ctx->ext.alpn); + ctx->ext.alpn = NULL; ctx->ext.alpn_len = 0; + return 0; + } + /* Not valid per RFC */ + if (!alpn_value_ok(protos, protos_len)) + return 1; + + alpn = OPENSSL_memdup(protos, protos_len); + if (alpn == NULL) { SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } + OPENSSL_free(ctx->ext.alpn); + ctx->ext.alpn = alpn; ctx->ext.alpn_len = protos_len; return 0; @@ -2857,13 +2887,25 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, unsigned int protos_len) { - OPENSSL_free(ssl->ext.alpn); - ssl->ext.alpn = OPENSSL_memdup(protos, protos_len); - if (ssl->ext.alpn == NULL) { + unsigned char *alpn; + + if (protos_len == 0 || protos == NULL) { + OPENSSL_free(ssl->ext.alpn); + ssl->ext.alpn = NULL; ssl->ext.alpn_len = 0; + return 0; + } + /* Not valid per RFC */ + if (!alpn_value_ok(protos, protos_len)) + return 1; + + alpn = OPENSSL_memdup(protos, protos_len); + if (alpn == NULL) { SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } + OPENSSL_free(ssl->ext.alpn); + ssl->ext.alpn = alpn; ssl->ext.alpn_len = protos_len; return 0; @@ -4520,8 +4562,11 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, } ctx = EVP_MD_CTX_new(); - if (ctx == NULL) + if (ctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH, + ERR_R_INTERNAL_ERROR); goto err; + } if (!EVP_MD_CTX_copy_ex(ctx, hdgst) || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) { diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 8c3542a5422f..f92472117a1b 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2305,6 +2305,7 @@ __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other); __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other); +int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp); __owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx); __owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, @@ -2426,7 +2427,6 @@ __owur int dtls1_handle_timeout(SSL *s); void dtls1_start_timer(SSL *s); void dtls1_stop_timer(SSL *s); __owur int dtls1_is_timer_expired(SSL *s); -void dtls1_double_timeout(SSL *s); __owur int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, size_t cookie_len); __owur size_t dtls1_min_mtu(SSL *s); diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index e1a3b1db67a1..0f39275baa01 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -18,6 +18,7 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent); static int init_server_name(SSL *s, unsigned int context); static int final_server_name(SSL *s, unsigned int context, int sent); #ifndef OPENSSL_NO_EC +static int init_ec_point_formats(SSL *s, unsigned int context); static int final_ec_pt_formats(SSL *s, unsigned int context, int sent); #endif static int init_session_ticket(SSL *s, unsigned int context); @@ -56,6 +57,7 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent); static int final_early_data(SSL *s, unsigned int context, int sent); static int final_maxfragmentlen(SSL *s, unsigned int context, int sent); static int init_post_handshake_auth(SSL *s, unsigned int context); +static int final_psk(SSL *s, unsigned int context, int sent); /* Structure to define a built-in extension */ typedef struct extensions_definition_st { @@ -158,7 +160,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { TLSEXT_TYPE_ec_point_formats, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY, - NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, + init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, final_ec_pt_formats }, @@ -389,7 +391,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk, - tls_construct_ctos_psk, NULL + tls_construct_ctos_psk, final_psk } }; @@ -1026,6 +1028,15 @@ static int final_server_name(SSL *s, unsigned int context, int sent) } #ifndef OPENSSL_NO_EC +static int init_ec_point_formats(SSL *s, unsigned int context) +{ + OPENSSL_free(s->ext.peer_ecpointformats); + s->ext.peer_ecpointformats = NULL; + s->ext.peer_ecpointformats_len = 0; + + return 1; +} + static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) { unsigned long alg_k, alg_a; @@ -1718,3 +1729,19 @@ static int init_post_handshake_auth(SSL *s, unsigned int context) return 1; } + +/* + * If clients offer "pre_shared_key" without a "psk_key_exchange_modes" + * extension, servers MUST abort the handshake. + */ +static int final_psk(SSL *s, unsigned int context, int sent) +{ + if (s->server && sent && s->clienthello != NULL + && !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) { + SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_PSK, + SSL_R_MISSING_PSK_KEX_MODES_EXTENSION); + return 0; + } + + return 1; +} diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 3c7395c0eb26..04f64f810640 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1714,6 +1714,13 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, } return EXT_RETURN_NOT_SENT; } + if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) { + /* + * PSK ('hit') and explicitly not doing DHE (if the client sent the + * DHE option we always take it); don't send key share. + */ + return EXT_RETURN_NOT_SENT; + } if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) || !WPACKET_start_sub_packet_u16(pkt) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index de58f1a4b7e9..d1a39698124b 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1001,7 +1001,8 @@ size_t ossl_statem_client_max_message_size(SSL *s) return CCS_MAX_LENGTH; case TLS_ST_CR_SESSION_TICKET: - return SSL3_RT_MAX_PLAIN_LENGTH; + return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 + : SESSION_TICKET_MAX_LENGTH_TLS12; case TLS_ST_CR_FINISHED: return FINISHED_MAX_LENGTH; @@ -2833,7 +2834,7 @@ int tls_process_initial_server_flight(SSL *s) if (ret < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, - ERR_R_MALLOC_FAILURE); + SSL_R_OCSP_CALLBACK_FAILURE); return 0; } } diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index e27c0c13a2bb..eae88053dcd7 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,6 +22,8 @@ #define SERVER_HELLO_MAX_LENGTH 20000 #define HELLO_RETRY_REQUEST_MAX_LENGTH 20000 #define ENCRYPTED_EXTENSIONS_MAX_LENGTH 20000 +#define SESSION_TICKET_MAX_LENGTH_TLS13 131338 +#define SESSION_TICKET_MAX_LENGTH_TLS12 65541 #define SERVER_KEY_EXCH_MAX_LENGTH 102400 #define SERVER_HELLO_DONE_MAX_LENGTH 0 #define KEY_UPDATE_MAX_LENGTH 1 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index fec12f613004..d701c46b43b5 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3753,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) sk_X509_pop_free(s->session->peer_chain, X509_free); s->session->peer_chain = sk; + sk = NULL; /* * Freeze the handshake buffer. For generate_ticket_cb != NULL && - tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) + tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); goto err; - + } /* * If we are using anti-replay protection then we behave as if * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 48d46f8a48bd..b1d3add18743 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -2441,7 +2441,8 @@ DH *ssl_get_auto_dh(SSL *s) { DH *dhp = NULL; BIGNUM *p = NULL, *g = NULL; - int dh_secbits = 80; + int dh_secbits = 80, sec_level_bits; + if (s->cert->dh_tmp_auto != 2) { if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { if (s->s3->tmp.new_cipher->strength_bits == 256) @@ -2464,6 +2465,12 @@ DH *ssl_get_auto_dh(SSL *s) BN_free(g); return NULL; } + + /* Do not pick a prime that is too weak for the current security level */ + sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL); + if (dh_secbits < sec_level_bits) + dh_secbits = sec_level_bits; + if (dh_secbits >= 192) p = BN_get_rfc3526_prime_8192(NULL); else if (dh_secbits >= 152) -- cgit v1.2.3