Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
deps: upgrade openssl sources to 1.1.1o
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1o.tar.gz
    $ mv openssl-1.1.1o openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #42956
Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-May/000223.html
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
  • Loading branch information
RafaelGSS committed May 11, 2022
1 parent 20c299b commit 7f9a5ed
Show file tree
Hide file tree
Showing 38 changed files with 685 additions and 115 deletions.
13 changes: 13 additions & 0 deletions deps/openssl/openssl/CHANGES
Expand Up @@ -7,6 +7,19 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.1.1n and 1.1.1o [3 May 2022]

*) Fixed a bug in the c_rehash script which was not properly sanitising shell
metacharacters to prevent command injection. This script is distributed by
some operating systems in a manner where it is automatically executed. On
such operating systems, an attacker could execute arbitrary commands with the
privileges of the script.

Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
(CVE-2022-1292)
[Tomáš Mráz]

Changes between 1.1.1m and 1.1.1n [15 Mar 2022]

*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
Expand Down
7 changes: 6 additions & 1 deletion deps/openssl/openssl/NEWS
Expand Up @@ -5,10 +5,15 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]

o Fixed a bug in the c_rehash script which was not properly sanitising
shell metacharacters to prevent command injection (CVE-2022-1292)

Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]

o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
forever for non-prime moduli ([CVE-2022-0778])
forever for non-prime moduli (CVE-2022-0778)

Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]

Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/README
@@ -1,7 +1,7 @@

OpenSSL 1.1.1n 15 Mar 2022
OpenSSL 1.1.1o 3 May 2022

Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1998-2022 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.

Expand Down
2 changes: 2 additions & 0 deletions deps/openssl/openssl/apps/apps.c
Expand Up @@ -307,6 +307,8 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
if (cb_data != NULL && cb_data->password != NULL
&& *(const char*)cb_data->password != '\0')
pw_min_len = 1;
else if (!verify)
pw_min_len = 0;
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
if (!prompt) {
BIO_printf(bio_err, "Out of memory\n");
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/apps/x509.c
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -590,6 +590,8 @@ int x509_main(int argc, char **argv)
xca = load_cert(CAfile, CAformat, "CA Certificate");
if (xca == NULL)
goto end;
if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
goto end;
}

out = bio_open_default(outfile, 'w', outformat);
Expand Down Expand Up @@ -987,8 +989,6 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
goto end;
}

if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
goto end;
if (!X509_set_serialNumber(x, bs))
goto end;

Expand Down
8 changes: 5 additions & 3 deletions deps/openssl/openssl/crypto/bn/bn_div.c
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -446,8 +446,10 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
snum->neg = num_neg;
snum->top = div_n;
snum->flags |= BN_FLG_FIXED_TOP;
if (rm != NULL)
bn_rshift_fixed_top(rm, snum, norm_shift);

if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0)
goto err;

BN_CTX_end(ctx);
return 1;
err:
Expand Down
5 changes: 3 additions & 2 deletions deps/openssl/openssl/crypto/bn/bn_exp.c
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -188,13 +188,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
return ret;
}

BN_RECP_CTX_init(&recp);

BN_CTX_start(ctx);
aa = BN_CTX_get(ctx);
val[0] = BN_CTX_get(ctx);
if (val[0] == NULL)
goto err;

BN_RECP_CTX_init(&recp);
if (m->neg) {
/* ignore sign of 'm' */
if (!BN_copy(aa, m))
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/crypto/ec/curve448/curve448.c
@@ -1,5 +1,5 @@
/*
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2016 Cryptography Research, Inc.
*
* Licensed under the OpenSSL license (the "License"). You may not use
Expand Down Expand Up @@ -577,6 +577,7 @@ static int recode_wnaf(struct smvt_control *control,
int32_t delta = odd & mask;

assert(position >= 0);
assert(pos < 32); /* can't fail since current & 0xFFFF != 0 */
if (odd & (1 << (table_bits + 1)))
delta -= (1 << (table_bits + 1));
current -= delta * (1 << pos);
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/crypto/ec/ecp_nistz256.c
@@ -1,5 +1,5 @@
/*
* Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
* Copyright (c) 2015, CloudFlare, Inc.
*
Expand Down Expand Up @@ -973,6 +973,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
return 0;
}

memset(&p, 0, sizeof(p));
BN_CTX_start(ctx);

if (scalar) {
Expand Down
33 changes: 22 additions & 11 deletions deps/openssl/openssl/crypto/engine/eng_dyn.c
Expand Up @@ -393,6 +393,26 @@ static int int_load(dynamic_data_ctx *ctx)
return 0;
}

/*
* Unfortunately the version checker does not distinguish between
* engines built for openssl 1.1.x and openssl 3.x, but loading
* an engine that is built for openssl 3.x will cause a fatal
* error. Detect such engines, since EVP_PKEY_get_base_id is exported
* as a function in openssl 3.x, while it is named EVP_PKEY_base_id
* in openssl 1.1.x. Therefore we take the presence of that symbol
* as an indication that the engine will be incompatible.
*/
static int using_libcrypto_3(dynamic_data_ctx *ctx)
{
int ret;

ERR_set_mark();
ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id") != NULL;
ERR_pop_to_mark();

return ret;
}

static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
{
ENGINE cpy;
Expand Down Expand Up @@ -442,18 +462,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
/*
* We fail if the version checker veto'd the load *or* if it is
* deferring to us (by returning its version) and we think it is too
* old.
* Unfortunately the version checker does not distinguish between
* engines built for openssl 1.1.x and openssl 3.x, but loading
* an engine that is built for openssl 3.x will cause a fatal
* error. Detect such engines, since EVP_PKEY_get_base_id is exported
* as a function in openssl 3.x, while it is named EVP_PKEY_base_id
* in openssl 1.1.x. Therefore we take the presence of that symbol
* as an indication that the engine will be incompatible.
* old. Also fail if this is engine for openssl 3.x.
*/
if (vcheck_res < OSSL_DYNAMIC_OLDEST
|| DSO_bind_func(ctx->dynamic_dso,
"EVP_PKEY_get_base_id") != NULL) {
if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_3(ctx)) {
/* Fail */
ctx->bind_engine = NULL;
ctx->v_check = NULL;
Expand Down

0 comments on commit 7f9a5ed

Please sign in to comment.