Skip to content

Commit

Permalink
deps: upgrade openssl sources to 1.1.1n
Browse files Browse the repository at this point in the history 
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1n.tar.gz
    $ mv openssl-1.1.1n openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #42347
Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-March/000218.html
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Joe Sepi <sepi@joesepi.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
  • Loading branch information
@richardlau
richardlau committed Mar 16, 2022
1 parent b5c52e3 commit c83dd99
Show file tree
Hide file tree
Showing 60 changed files with 808 additions and 219 deletions.
37 changes: 37 additions & 0 deletions deps/openssl/openssl/CHANGES
View file
Expand Up @@ -7,6 +7,43 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.1.1m and 1.1.1n [15 Mar 2022]

*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
for non-prime moduli.

Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that
has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate
signature, any process that parses an externally supplied certificate may
thus be subject to a denial of service attack. The infinite loop can also
be reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.

Thus vulnerable situations include:

- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker
can control the parameter values are vulnerable to this DoS issue.
(CVE-2022-0778)
[Tomáš Mráz]

*) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
to the list of ciphersuites providing Perfect Forward Secrecy as
required by SECLEVEL >= 3.

[Dmitry Belyavskiy, Nicola Tuveri]

Changes between 1.1.1l and 1.1.1m [14 Dec 2021]

*) Avoid loading of a dynamic engine twice.
Expand Down
9 changes: 8 additions & 1 deletion deps/openssl/openssl/Configurations/10-main.conf
View file
Expand Up @@ -988,6 +988,13 @@ my %targets = (
perlasm_scheme => "elf",
},

# riscv64 below refers to contemporary RISCV Architecture
# specifications,
"BSD-riscv64" => {
inherit_from => [ "BSD-generic64"],
perlasm_scheme => "linux64",
},

"bsdi-elf-gcc" => {
inherit_from => [ "BASE_unix", asm("x86_elf_asm") ],
CC => "gcc",
Expand Down Expand Up @@ -1765,7 +1772,7 @@ my %targets = (

disable => add('pinshared'),

apps_aux_src => "vms_term_sock.c",
apps_aux_src => "vms_term_sock.c vms_decc_argv.c",
apps_init_src => "vms_decc_init.c",
},

Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/Configurations/descrip.mms.tmpl
View file
Expand Up @@ -438,7 +438,8 @@ test : tests
DEFINE SRCTOP {- sourcedir() -}
DEFINE BLDTOP {- builddir() -}
DEFINE RESULT_D {- builddir(qw(test test-runs)) -}
DEFINE OPENSSL_ENGINES {- builddir("engines") -}
engines = F$PARSE("{- builddir("engines") -}","A.;",,,"syntax_only") - "A.;"
DEFINE OPENSSL_ENGINES 'engines'
DEFINE OPENSSL_DEBUG_MEMORY "on"
IF "$(VERBOSE)" .NES. "" THEN DEFINE VERBOSE "$(VERBOSE)"
$(PERL) {- sourcefile("test", "run_tests.pl") -} $(TESTS)
Expand Down
22 changes: 11 additions & 11 deletions deps/openssl/openssl/Configure
View file
Expand Up @@ -3161,25 +3161,25 @@ sub resolve_config {
}
}

foreach (sort keys %all_keys) {
my $previous = $combined_inheritance{$_};
foreach my $key (sort keys %all_keys) {
my $previous = $combined_inheritance{$key};

# Current target doesn't have a value for the current key?
# Assign it the default combiner, the rest of this loop body
# will handle it just like any other coderef.
if (!exists $table{$target}->{$_}) {
$table{$target}->{$_} = $default_combiner;
if (!exists $table{$target}->{$key}) {
$table{$target}->{$key} = $default_combiner;
}

$table{$target}->{$_} = process_values($table{$target}->{$_},
$combined_inheritance{$_},
$target, $_);
unless(defined($table{$target}->{$_})) {
delete $table{$target}->{$_};
$table{$target}->{$key} = process_values($table{$target}->{$key},
$combined_inheritance{$key},
$target, $key);
unless(defined($table{$target}->{$key})) {
delete $table{$target}->{$key};
}
# if ($extra_checks &&
# $previous && !($add_called || $previous ~~ $table{$target}->{$_})) {
# warn "$_ got replaced in $target\n";
# $previous && !($add_called || $previous ~~ $table{$target}->{$key})) {
# warn "$key got replaced in $target\n";
# }
}

Expand Down
5 changes: 5 additions & 0 deletions deps/openssl/openssl/NEWS
View file
Expand Up @@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]

o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
forever for non-prime moduli ([CVE-2022-0778])

Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]

o None
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/README
View file
@@ -1,5 +1,5 @@

OpenSSL 1.1.1m 14 Dec 2021
OpenSSL 1.1.1n 15 Mar 2022

Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Expand Down
10 changes: 7 additions & 3 deletions deps/openssl/openssl/apps/apps.c
View file
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -300,9 +300,13 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
int ui_flags = 0;
const char *prompt_info = NULL;
char *prompt;
int pw_min_len = PW_MIN_LENGTH;

if (cb_data != NULL && cb_data->prompt_info != NULL)
prompt_info = cb_data->prompt_info;
if (cb_data != NULL && cb_data->password != NULL
&& *(const char*)cb_data->password != '\0')
pw_min_len = 1;
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
if (!prompt) {
BIO_printf(bio_err, "Out of memory\n");
Expand All @@ -317,12 +321,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
(void)UI_add_user_data(ui, cb_data);

ok = UI_add_input_string(ui, prompt, ui_flags, buf,
PW_MIN_LENGTH, bufsiz - 1);
pw_min_len, bufsiz - 1);

if (ok >= 0 && verify) {
buff = app_malloc(bufsiz, "password buffer");
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
PW_MIN_LENGTH, bufsiz - 1, buf);
pw_min_len, bufsiz - 1, buf);
}
if (ok >= 0)
do {
Expand Down
6 changes: 2 additions & 4 deletions deps/openssl/openssl/apps/openssl.c
View file
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -120,7 +120,6 @@ int main(int argc, char *argv[])
{
FUNCTION f, *fp;
LHASH_OF(FUNCTION) *prog = NULL;
char **copied_argv = NULL;
char *p, *pname;
char buf[1024];
const char *prompt;
Expand All @@ -137,7 +136,7 @@ int main(int argc, char *argv[])
bio_err = dup_bio_err(FORMAT_TEXT);

#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
copied_argv = argv = copy_argv(&argc, argv);
argv = copy_argv(&argc, argv);
#elif defined(_WIN32)
/*
* Replace argv[] with UTF-8 encoded strings.
Expand Down Expand Up @@ -258,7 +257,6 @@ int main(int argc, char *argv[])
}
ret = 1;
end:
OPENSSL_free(copied_argv);
OPENSSL_free(default_config_file);
lh_FUNCTION_free(prog);
OPENSSL_free(arg.argv);
Expand Down
10 changes: 5 additions & 5 deletions deps/openssl/openssl/apps/passwd.c
View file
@@ -1,5 +1,5 @@
/*
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -407,7 +407,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
n >>= 1;
}
if (!EVP_DigestFinal_ex(md, buf, NULL))
return NULL;
goto err;

for (i = 0; i < 1000; i++) {
if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL))
Expand Down Expand Up @@ -633,7 +633,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
n >>= 1;
}
if (!EVP_DigestFinal_ex(md, buf, NULL))
return NULL;
goto err;

/* P sequence */
if (!EVP_DigestInit_ex(md2, sha, NULL))
Expand All @@ -644,7 +644,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
goto err;

if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
return NULL;
goto err;

if ((p_bytes = OPENSSL_zalloc(passwd_len)) == NULL)
goto err;
Expand All @@ -661,7 +661,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
goto err;

if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
return NULL;
goto err;

if ((s_bytes = OPENSSL_zalloc(salt_len)) == NULL)
goto err;
Expand Down
11 changes: 11 additions & 0 deletions deps/openssl/openssl/apps/s_client.c
View file
Expand Up @@ -938,6 +938,7 @@ int s_client_main(int argc, char **argv)
struct timeval tv;
#endif
const char *servername = NULL;
char *sname_alloc = NULL;
int noservername = 0;
const char *alpn_in = NULL;
tlsextctx tlsextcbp = { NULL, 0 };
Expand Down Expand Up @@ -1588,6 +1589,15 @@ int s_client_main(int argc, char **argv)
"%s: -proxy argument malformed or ambiguous\n", prog);
goto end;
}
if (servername == NULL && !noservername) {
res = BIO_parse_hostserv(connectstr, &sname_alloc, NULL, BIO_PARSE_PRIO_HOST);
if (!res) {
BIO_printf(bio_err,
"%s: -connect argument malformed or ambiguous\n", prog);
goto end;
}
servername = sname_alloc;
}
} else {
int res = 1;
char *tmp_host = host, *tmp_port = port;
Expand Down Expand Up @@ -3149,6 +3159,7 @@ int s_client_main(int argc, char **argv)
#ifndef OPENSSL_NO_SRP
OPENSSL_free(srp_arg.srppassin);
#endif
OPENSSL_free(sname_alloc);
OPENSSL_free(connectstr);
OPENSSL_free(bindstr);
OPENSSL_free(bindhost);
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/apps/s_socket.c
View file
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -147,7 +147,7 @@ int init_client(int *sock, const char *host, const char *port,
#endif

if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai),
protocol == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
BIO_ADDRINFO_protocol(ai) == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
BIO_closesocket(*sock);
*sock = INVALID_SOCKET;
continue;
Expand Down
66 changes: 66 additions & 0 deletions deps/openssl/openssl/apps/vms_decc_argv.c
View file
@@ -0,0 +1,66 @@
/*
* Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/

#include <stdlib.h>
#include <openssl/crypto.h>
#include "apps.h" /* for app_malloc() and copy_argv() */

char **newargv = NULL;

static void cleanup_argv(void)
{
OPENSSL_free(newargv);
newargv = NULL;
}

char **copy_argv(int *argc, char *argv[])
{
/*-
* The note below is for historical purpose. On VMS now we always
* copy argv "safely."
*
* 2011-03-22 SMS.
* If we have 32-bit pointers everywhere, then we're safe, and
* we bypass this mess, as on non-VMS systems.
* Problem 1: Compaq/HP C before V7.3 always used 32-bit
* pointers for argv[].
* Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
* everywhere else, we always allocate and use a 64-bit
* duplicate of argv[].
* Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
* to NULL-terminate a 64-bit argv[]. (As this was written, the
* compiler ECO was available only on IA64.)
* Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
* 64-bit argv[argc] for NULL, and, if necessary, use a
* (properly) NULL-terminated (64-bit) duplicate of argv[].
* The same code is used in either case to duplicate argv[].
* Some of these decisions could be handled in preprocessing,
* but the code tends to get even uglier, and the penalty for
* deciding at compile- or run-time is tiny.
*/

int i, count = *argc;
char **p = newargv;

cleanup_argv();

newargv = app_malloc(sizeof(*newargv) * (count + 1), "argv copy");
if (newargv == NULL)
return NULL;

/* Register automatic cleanup on first use */
if (p == NULL)
OPENSSL_atexit(cleanup_argv);

for (i = 0; i < count; i++)
newargv[i] = argv[i];
newargv[i] = NULL;
*argc = i;
return newargv;
}

0 comments on commit c83dd99

Please sign in to comment.