From owner-dev-commits-src-branches@freebsd.org Thu Feb 18 04:21:46 2021
Return-Path:
Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5376854F902; Thu, 18 Feb 2021 04:21:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Dh1kL1rWdz4rTF; Thu, 18 Feb 2021 04:21:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 31DEA12281; Thu, 18 Feb 2021 04:21:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 11I4LkeA070611; Thu, 18 Feb 2021 04:21:46 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 11I4Lj7Q070607; Thu, 18 Feb 2021 04:21:45 GMT (envelope-from git)
Date: Thu, 18 Feb 2021 04:21:45 GMT
Message-Id: <202102180421.11I4Lj7Q070607@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Jung-uk Kim
Subject: git: e57523de1905 - releng/13.0 - OpenSSL: Merge OpenSSL 1.1.1j
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jkim
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.0
X-Git-Reftype: branch
X-Git-Commit: e57523de190573403a48ad3af3845171d04f58b0
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 18 Feb 2021 04:21:46 -0000

The branch releng/13.0 has been updated by jkim:

URL: https://cgit.FreeBSD.org/src/commit/?id=e57523de190573403a48ad3af3845171d04f58b0

commit e57523de190573403a48ad3af3845171d04f58b0
Author:     Jung-uk Kim
AuthorDate: 2021-02-16 22:00:27 +0000
Commit:     Jung-uk Kim
CommitDate: 2021-02-18 00:14:19 +0000

    OpenSSL: Merge OpenSSL 1.1.1j

    (cherry picked from commit 88e852c0b5c872b1a3234515623104ae61b60773)
    (cherry picked from commit a4f76f79ffe88cb51ebc7b65b065a333fd64a75b)

    Approved by: re (gjb)
---
crypto/openssl/AUTHORS | 7 +++ crypto/openssl/CHANGES | 37 +++++++++++++++ crypto/openssl/CONTRIBUTING | 4 +- crypto/openssl/Configure | 29 ++++++------ crypto/openssl/INSTALL | 15 +++--- crypto/openssl/NEWS | 10 ++++ crypto/openssl/README | 2 +- crypto/openssl/apps/ca.c | 53 +++++++++------------- crypto/openssl/apps/progs.pl | 0 crypto/openssl/crypto/armcap.c | 19 +++++++- crypto/openssl/crypto/asn1/charmap.h | 2 +- crypto/openssl/crypto/asn1/charmap.pl | 0 crypto/openssl/crypto/bf/asm/bf-586.pl | 0 crypto/openssl/crypto/bn/asm/bn-586.pl | 0 crypto/openssl/crypto/bn/asm/co-586.pl | 0 crypto/openssl/crypto/bn/asm/ppc.pl | 0 crypto/openssl/crypto/bn/bn_prime.h | 2 +- crypto/openssl/crypto/bn/bn_prime.pl | 0 crypto/openssl/crypto/cast/asm/cast-586.pl | 0 crypto/openssl/crypto/conf/conf_def.c | 16 ++++++-
crypto/openssl/crypto/conf/conf_def.h | 2 +- crypto/openssl/crypto/conf/keysets.pl | 0 crypto/openssl/crypto/des/asm/crypt586.pl | 0 crypto/openssl/crypto/des/asm/des-586.pl | 0 crypto/openssl/crypto/des/asm/desboth.pl | 0 crypto/openssl/crypto/dh/dh_key.c | 33 ++++++++++++-- crypto/openssl/crypto/err/openssl.txt | 3 +- crypto/openssl/crypto/evp/evp_enc.c | 27 +++++++++++ crypto/openssl/crypto/evp/evp_err.c | 4 +- crypto/openssl/crypto/md5/asm/md5-586.pl | 0 crypto/openssl/crypto/mem_sec.c | 8 +++- crypto/openssl/crypto/objects/obj_dat.h | 2 +- crypto/openssl/crypto/objects/obj_dat.pl | 0 crypto/openssl/crypto/objects/obj_xref.h | 2 +- crypto/openssl/crypto/objects/objects.pl | 0 crypto/openssl/crypto/perlasm/cbc.pl | 0 crypto/openssl/crypto/perlasm/x86asm.pl | 0 crypto/openssl/crypto/perlasm/x86nasm.pl | 0 .../openssl/crypto/poly1305/asm/poly1305-armv4.pl | 13 ++++-- crypto/openssl/crypto/ppccap.c | 20 +++++++- crypto/openssl/crypto/rc4/asm/rc4-586.pl | 0 crypto/openssl/crypto/rc5/asm/rc5-586.pl | 0 crypto/openssl/crypto/ripemd/asm/rmd-586.pl | 0 crypto/openssl/crypto/rsa/rsa_ssl.c | 10 +++- crypto/openssl/crypto/sha/asm/sha1-586.pl | 0 crypto/openssl/crypto/sha/asm/sha1-ia64.pl | 0 crypto/openssl/crypto/srp/srp_lib.c | 13 ++++-- crypto/openssl/crypto/x509/x509_cmp.c | 24 ++++++---- crypto/openssl/crypto/x509/x509_vfy.c | 15 +++--- crypto/openssl/crypto/x509/x_all.c | 4 +- crypto/openssl/crypto/x509/x_attrib.c | 5 +- crypto/openssl/crypto/x509v3/v3_purp.c | 14 ++++-- crypto/openssl/crypto/x86_64cpuid.pl | 0 crypto/openssl/crypto/x86cpuid.pl | 0 crypto/openssl/doc/man1/ca.pod | 4 +- crypto/openssl/doc/man1/cms.pod | 4 +- crypto/openssl/doc/man1/crl2pkcs7.pod | 4 +- crypto/openssl/doc/man1/dgst.pod | 4 +- crypto/openssl/doc/man1/dsa.pod | 6 +-- crypto/openssl/doc/man1/ec.pod | 6 +-- crypto/openssl/doc/man1/enc.pod | 4 +- crypto/openssl/doc/man1/genpkey.pod | 4 +- crypto/openssl/doc/man1/genrsa.pod | 4 +- crypto/openssl/doc/man1/pkcs12.pod | 14 ++---- 
crypto/openssl/doc/man1/pkcs8.pod | 6 +-- crypto/openssl/doc/man1/pkey.pod | 6 +-- crypto/openssl/doc/man1/pkeyutl.pod | 4 +- crypto/openssl/doc/man1/req.pod | 6 +-- crypto/openssl/doc/man1/rsa.pod | 6 +-- crypto/openssl/doc/man1/s_client.pod | 4 +- crypto/openssl/doc/man1/s_server.pod | 4 +- crypto/openssl/doc/man1/smime.pod | 4 +- crypto/openssl/doc/man1/spkac.pod | 4 +- crypto/openssl/doc/man1/storeutl.pod | 4 +- crypto/openssl/doc/man1/ts.pod | 4 +- crypto/openssl/doc/man1/x509.pod | 4 +- crypto/openssl/doc/man3/DH_generate_key.pod | 27 +++++++++-- crypto/openssl/doc/man3/OCSP_sendreq_new.pod | 28 ++++++++++-- crypto/openssl/doc/man3/OPENSSL_malloc.pod | 2 +- .../openssl/doc/man3/X509_get_extension_flags.pod | 11 +++-- crypto/openssl/include/openssl/evperr.h | 7 ++- crypto/openssl/include/openssl/obj_mac.h | 2 +- crypto/openssl/include/openssl/opensslv.h | 4 +- crypto/openssl/include/openssl/x509v3.h | 7 +-- crypto/openssl/ssl/d1_lib.c | 11 +++-- crypto/openssl/ssl/record/rec_layer_d1.c | 5 +- crypto/openssl/ssl/ssl_local.h | 3 +- crypto/openssl/ssl/statem/extensions.c | 5 +- crypto/openssl/ssl/statem/statem_clnt.c | 3 +- crypto/openssl/ssl/statem/statem_lib.c | 15 +++++- 90 files changed, 433 insertions(+), 202 deletions(-) diff --git a/crypto/openssl/AUTHORS b/crypto/openssl/AUTHORS index ac93b2e7b975..dac46f8b7e08 100644 --- a/crypto/openssl/AUTHORS +++ b/crypto/openssl/AUTHORS @@ -13,6 +13,8 @@ Ben Kaduk Bernd Edlinger Bodo Möller David Benjamin +David von Oheimb +Dmitry Belyavskiy (Дмитрий Белявский) Emilia Käsper Eric Young Geoff Thorpe @@ -22,14 +24,19 @@ Lutz Jänicke Mark J. Cox Matt Caswell Matthias St. Pierre +Nicola Tuveri Nils Larsch +Patrick Steuer Paul Dale Paul C. Sutton +Paul Yang Ralf S. Engelschall Rich Salz Richard Levitte +Shane Lontis Stephen Henson Steve Marquess Tim Hudson +Tomáš Mráz Ulf Möller Viktor Dukhovni diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 4d61c1dadbaa..a4a63a9bea22 100644 --- a/crypto/openssl/CHANGES 
+++ b/crypto/openssl/CHANGES 
@@ -7,6 +7,43 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1i and 1.1.1j [16 Feb 2021] + + *) Fixed the X509_issuer_and_serial_hash() function. It attempts to + create a unique hash value based on the issuer and serial number data + contained within an X509 certificate. However it was failing to correctly + handle any errors that may occur while parsing the issuer field (which might + occur if the issuer field is maliciously constructed). This may subsequently + result in a NULL pointer deref and a crash leading to a potential denial of + service attack. + (CVE-2021-23841) + [Matt Caswell] + + *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks. This is considered a + bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is + CVE-2021-23839. + [Matt Caswell] + + *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate + functions. Previously they could overflow the output length argument in some + cases where the input length is close to the maximum permissable length for + an integer on the platform. In such cases the return value from the function + call would be 1 (indicating success), but the output length value would be + negative. This could cause applications to behave incorrectly or crash. + (CVE-2021-23840) + [Matt Caswell] + + *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous + implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This + could be exploited in a side channel attack to recover the password. Since + the attack is local host only this is outside of the current OpenSSL + threat model and therefore no CVE is assigned. + + Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this + issue. + [Matt Caswell] + Changes between 1.1.1h and 1.1.1i [8 Dec 2020] *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function 
diff --git a/crypto/openssl/CONTRIBUTING b/crypto/openssl/CONTRIBUTING index 57be75ce2b8a..83c0dde12819 100644 --- a/crypto/openssl/CONTRIBUTING +++ b/crypto/openssl/CONTRIBUTING @@ -41,8 +41,8 @@ guidelines: https://www.openssl.org/policies/codingstyle.html) and compile without warnings. Where gcc or clang is available you should use the --strict-warnings Configure option. OpenSSL compiles on many varied - platforms: try to ensure you only use portable features. Clean builds - via Travis and AppVeyor are required, and they are started automatically + platforms: try to ensure you only use portable features. Clean builds via + GitHub Actions and AppVeyor are required, and they are started automatically whenever a PR is created or updated. 5. When at all possible, patches should include tests. These can diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 1423e1bfe14f..8e7ee1a599cc 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -1,6 +1,6 @@ #! /usr/bin/env perl # -*- mode: perl; -*- -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1203,6 +1203,10 @@ foreach (keys %useradd) { # At this point, we can forget everything about %user and %useradd, # because it's now all been merged into the corresponding $config entry +if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) { + disable('static', 'pic', 'threads'); +} + # Allow overriding the build file name $config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile"; @@ -1523,10 +1527,6 @@ if ($strict_warnings) } } -if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) { - disable('static', 'pic', 'threads'); -} - $config{CFLAGS} = [ map { $_ eq '--ossl-strict-warnings' ? @strict_warnings_collection : ( $_ ) } 
@@ -2640,19 +2640,22 @@ _____ } print "\nEnabled features:\n\n"; foreach my $what (@disablables) { - print " $what\n" unless $disabled{$what}; + print " $what\n" + unless grep { $_ =~ /^${what}$/ } keys %disabled; } print "\nDisabled features:\n\n"; foreach my $what (@disablables) { - if ($disabled{$what}) { - print " $what", ' ' x ($longest - length($what) + 1), - "[$disabled{$what}]", ' ' x ($longest2 - length($disabled{$what}) + 1); - print $disabled_info{$what}->{macro} - if $disabled_info{$what}->{macro}; + my @what2 = grep { $_ =~ /^${what}$/ } keys %disabled; + my $what3 = $what2[0]; + if ($what3) { + print " $what3", ' ' x ($longest - length($what3) + 1), + "[$disabled{$what3}]", ' ' x ($longest2 - length($disabled{$what3}) + 1); + print $disabled_info{$what3}->{macro} + if $disabled_info{$what3}->{macro}; print ' (skip ', - join(', ', @{$disabled_info{$what}->{skipped}}), + join(', ', @{$disabled_info{$what3}->{skipped}}), ')' - if $disabled_info{$what}->{skipped}; + if $disabled_info{$what3}->{skipped}; print "\n"; } } diff --git a/crypto/openssl/INSTALL b/crypto/openssl/INSTALL index be84f2aa8e5d..f6f754fd5e26 100644 --- a/crypto/openssl/INSTALL +++ b/crypto/openssl/INSTALL @@ -106,8 +106,7 @@ This will build and install OpenSSL in the default location, which is: Unix: normal installation directories under /usr/local - OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the - OpenSSL version number with underscores instead of periods. + OpenVMS: SYS$COMMON:[OPENSSL] Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL The installation directory should be appropriately protected to ensure 
@@ -116,7 +115,9 @@ your Operating System it is recommended that you do not overwrite the system version and instead install to somewhere else. - If you want to install it anywhere else, run config like this: + If you want to install it anywhere else, run config like this (the options + --prefix and --openssldir are explained further down, and the values shown + here are mere examples): On Unix: @@ -198,7 +199,7 @@ Unix: /usr/local Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL - OpenVMS: SYS$COMMON:[OPENSSL-'version'] + OpenVMS: SYS$COMMON:[OPENSSL] --release Build OpenSSL without debugging symbols. This is the default. @@ -970,9 +971,9 @@ share/doc/openssl/html/man7 Contains the HTML rendition of the man-pages. - OpenVMS ('arch' is replaced with the architecture name, "Alpha" - or "ia64", 'sover' is replaced with the shared library version - (0101 for 1.1), and 'pz' is replaced with the pointer size + OpenVMS ('arch' is replaced with the architecture name, "ALPHA" + or "IA64", 'sover' is replaced with the shared library version + (0101 for 1.1.x), and 'pz' is replaced with the pointer size OpenSSL was built with): [.EXE.'arch'] Contains the openssl binary. diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index 98f6791a8b79..3cce52506645 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS 
@@ -5,6 +5,16 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] + + o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() + function (CVE-2021-23841) + o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks + o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and + EVP_DecryptUpdate functions (CVE-2021-23840) + o Fixed SRP_Calc_client_key so that it runs in constant time + Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) diff --git a/crypto/openssl/README b/crypto/openssl/README index 6325127b5693..da5629f92c81 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 1.1.1i 8 Dec 2020 + OpenSSL 1.1.1j 16 Feb 2021 Copyright (c) 1998-2020 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index 6c9b1e57bc67..390ac37493c8 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -2223,62 +2223,51 @@ static int get_certificate_status(const char *serial, CA_DB *db) static int do_updatedb(CA_DB *db) { - ASN1_UTCTIME *a_tm = NULL; + ASN1_TIME *a_tm = NULL; int i, cnt = 0; - int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */ - char **rrow, *a_tm_s; + char **rrow; - a_tm = ASN1_UTCTIME_new(); + a_tm = ASN1_TIME_new(); if (a_tm == NULL) return -1; - /* get actual time and make a string */ + /* get actual time */ if (X509_gmtime_adj(a_tm, 0) == NULL) { - ASN1_UTCTIME_free(a_tm); + ASN1_TIME_free(a_tm); return -1; } - a_tm_s = app_malloc(a_tm->length + 1, "time string"); - - memcpy(a_tm_s, a_tm->data, a_tm->length); - a_tm_s[a_tm->length] = '\0'; - - if (strncmp(a_tm_s, "49", 2) <= 0) - a_y2k = 1; - else - a_y2k = 0; for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); if (rrow[DB_type][0] == DB_TYPE_VAL) { /* ignore entries that are not valid */ - if (strncmp(rrow[DB_exp_date], "49", 2) <= 0) - db_y2k = 1; - else - db_y2k = 0; + ASN1_TIME *exp_date = NULL; - if (db_y2k == a_y2k) { - /* all on the same y2k side */ - if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) { - rrow[DB_type][0] = DB_TYPE_EXP; - rrow[DB_type][1] = '\0'; - cnt++; + exp_date = ASN1_TIME_new(); + if (exp_date == NULL) { + ASN1_TIME_free(a_tm); + return -1; + } - BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); - } - } else if (db_y2k < a_y2k) { + if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) { + ASN1_TIME_free(a_tm); + ASN1_TIME_free(exp_date); + return -1; + } + + if (ASN1_TIME_compare(exp_date, a_tm) <= 0) { rrow[DB_type][0] = DB_TYPE_EXP; rrow[DB_type][1] = '\0'; cnt++; BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); } - + ASN1_TIME_free(exp_date); } } - ASN1_UTCTIME_free(a_tm); - OPENSSL_free(a_tm_s); + ASN1_TIME_free(a_tm); return cnt; } diff --git a/crypto/openssl/apps/progs.pl b/crypto/openssl/apps/progs.pl old mode 100644 new mode 100755 
diff --git a/crypto/openssl/crypto/armcap.c b/crypto/openssl/crypto/armcap.c index 58e54f0da2e1..8bf96f10214f 100644 --- a/crypto/openssl/crypto/armcap.c +++ b/crypto/openssl/crypto/armcap.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -69,6 +69,23 @@ void OPENSSL_cpuid_setup(void) __attribute__ ((constructor)); # define OSSL_IMPLEMENT_GETAUXVAL # endif # endif +# if defined(__FreeBSD__) +# include +# if __FreeBSD_version >= 1200000 +# include +# define OSSL_IMPLEMENT_GETAUXVAL + +static unsigned long getauxval(unsigned long key) +{ + unsigned long val = 0ul; + + if (elf_aux_info((int)key, &val, sizeof(val)) != 0) + return 0ul; + + return val; +} +# endif +# endif /* * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas diff --git a/crypto/openssl/crypto/asn1/charmap.h b/crypto/openssl/crypto/asn1/charmap.h index cac354c6bf33..e234c9e615d0 100644 --- a/crypto/openssl/crypto/asn1/charmap.h +++ b/crypto/openssl/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/crypto/asn1/charmap.pl b/crypto/openssl/crypto/asn1/charmap.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/bf/asm/bf-586.pl b/crypto/openssl/crypto/bf/asm/bf-586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/bn/asm/bn-586.pl b/crypto/openssl/crypto/bn/asm/bn-586.pl old mode 100644 new mode 100755 
diff --git a/crypto/openssl/crypto/bn/asm/co-586.pl b/crypto/openssl/crypto/bn/asm/co-586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/bn/asm/ppc.pl b/crypto/openssl/crypto/bn/asm/ppc.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/bn/bn_prime.h b/crypto/openssl/crypto/bn/bn_prime.h index ba48244534b0..1a25c285773a 100644 --- a/crypto/openssl/crypto/bn/bn_prime.h +++ b/crypto/openssl/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/crypto/bn/bn_prime.pl b/crypto/openssl/crypto/bn/bn_prime.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/cast/asm/cast-586.pl b/crypto/openssl/crypto/cast/asm/cast-586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c index 3d710f12ae07..31c02cc49e22 100644 --- a/crypto/openssl/crypto/conf/conf_def.c +++ b/crypto/openssl/crypto/conf/conf_def.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -185,6 +185,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) BUF_MEM *buff = NULL; char *s, *p, *end; int again; + int first_call = 1; long eline = 0; char btmp[DECIMAL_SIZE(eline) + 1]; CONF_VALUE *v = NULL, *tv; 
@@ -233,6 +234,19 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) BIO_gets(in, p, CONFBUFSIZE - 1); p[CONFBUFSIZE - 1] = '\0'; ii = i = strlen(p); + if (first_call) { + /* Other BOMs imply unsupported multibyte encoding, + * so don't strip them and let the error raise */ + const unsigned char utf8_bom[3] = {0xEF, 0xBB, 0xBF}; + + if (i >= 3 && memcmp(p, utf8_bom, 3) == 0) { + memmove(p, p + 3, i - 3); + p[i - 3] = 0; + i -= 3; + ii -= 3; + } + first_call = 0; + } if (i == 0 && !again) { /* the currently processed BIO is at EOF */ BIO *parent; diff --git a/crypto/openssl/crypto/conf/conf_def.h b/crypto/openssl/crypto/conf/conf_def.h index 2ced300e40d6..1e4a03e10bbd 100644 --- a/crypto/openssl/crypto/conf/conf_def.h +++ b/crypto/openssl/crypto/conf/conf_def.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/openssl/crypto/conf/keysets.pl b/crypto/openssl/crypto/conf/keysets.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/des/asm/crypt586.pl b/crypto/openssl/crypto/des/asm/crypt586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/des/asm/des-586.pl b/crypto/openssl/crypto/des/asm/des-586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/des/asm/desboth.pl b/crypto/openssl/crypto/des/asm/desboth.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/dh/dh_key.c b/crypto/openssl/crypto/dh/dh_key.c index daffdf74dd37..117f2fa883ff 100644 --- a/crypto/openssl/crypto/dh/dh_key.c +++ b/crypto/openssl/crypto/dh/dh_key.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -25,18 +25,45 @@ int DH_generate_key(DH *dh) return dh->meth->generate_key(dh); } +/*- + * NB: This function is inherently not constant time due to the + * RFC 5246 (8.1.2) padding style that strips leading zero bytes. + */ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { - return dh->meth->compute_key(key, pub_key, dh); + int ret = 0, i; + volatile size_t npad = 0, mask = 1; + + /* compute the key; ret is constant unless compute_key is external */ + if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0) + return ret; + + /* count leading zero bytes, yet still touch all bytes */ + for (i = 0; i < ret; i++) { + mask &= !key[i]; + npad += mask; + } + + /* unpad key */ + ret -= npad; + /* key-dependent memory access, potentially leaking npad / ret */ + memmove(key, key + npad, ret); + /* key-dependent memory access, potentially leaking npad / ret */ + memset(key + ret, 0, npad); + + return ret; } int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) { int rv, pad; + + /* rv is constant unless compute_key is external */ rv = dh->meth->compute_key(key, pub_key, dh); if (rv <= 0) return rv; pad = BN_num_bytes(dh->p) - rv; + /* pad is constant (zero) unless compute_key is external */ if (pad > 0) { memmove(key + pad, key, rv); memset(key, 0, pad); @@ -212,7 +239,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) goto err; } - ret = BN_bn2bin(tmp, key); + ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p)); err: BN_CTX_end(ctx); BN_CTX_free(ctx); diff --git a/crypto/openssl/crypto/err/openssl.txt b/crypto/openssl/crypto/err/openssl.txt index d547c45913d6..b22e8a735ccf 100644 
--- a/crypto/openssl/crypto/err/openssl.txt +++ b/crypto/openssl/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -2284,6 +2284,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ operation not supported for this keytype EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized +EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers EVP_R_PBKDF2_ERROR:181:pbkdf2 error EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c index b9b6490fe069..0843caf4f0a4 100644 --- a/crypto/openssl/crypto/evp/evp_enc.c +++ b/crypto/openssl/crypto/evp/evp_enc.c @@ -8,6 +8,7 @@ */ #include +#include #include #include "internal/cryptlib.h" #include @@ -355,6 +356,19 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, return 1; } else { j = bl - i; + + /* + * Once we've processed the first j bytes from in, the amount of + * data left that is a multiple of the block length is: + * (inl - j) & ~(bl - 1) + * We must ensure that this amount of data, plus the one block that + * we process from ctx->buf does not exceed INT_MAX + */ + if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { + EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, + EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(&(ctx->buf[i]), in, j); inl -= j; in += j; 
@@ -502,6 +516,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); return 0; } + /* + * final_used is only ever set if buf_len is 0. Therefore the maximum + * length output we will ever see from evp_EncryptDecryptUpdate is + * the maximum multiple of the block length that is <= inl, or just: + * inl & ~(b - 1) + * Since final_used has been set then the final output length is: + * (inl & ~(b - 1)) + b + * This must never exceed INT_MAX + */ + if ((inl & ~(b - 1)) > INT_MAX - b) { + EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(out, ctx->final, b); out += b; fix_len = 1; diff --git a/crypto/openssl/crypto/evp/evp_err.c b/crypto/openssl/crypto/evp/evp_err.c index 05481d827fb4..32ac0125de24 100644 --- a/crypto/openssl/crypto/evp/evp_err.c +++ b/crypto/openssl/crypto/evp/evp_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -239,6 +239,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { "operation not supported for this keytype"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), + "output would overflow"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), "partially overlapping buffers"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, diff --git a/crypto/openssl/crypto/md5/asm/md5-586.pl b/crypto/openssl/crypto/md5/asm/md5-586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/mem_sec.c b/crypto/openssl/crypto/mem_sec.c index b5f959ba15d5..222c786cbaef 100644 --- a/crypto/openssl/crypto/mem_sec.c 
+++ b/crypto/openssl/crypto/mem_sec.c @@ -34,6 +34,12 @@ # include # endif # endif +# if defined(__FreeBSD__) +# define MADV_DONTDUMP MADV_NOCORE +# endif +# if !defined(MAP_CONCEAL) +# define MAP_CONCEAL 0 +# endif # include # include # include @@ -442,7 +448,7 @@ static int sh_init(size_t size, int minsize) if (1) { #ifdef MAP_ANON sh.map_result = mmap(NULL, sh.map_size, - PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, -1, 0); + PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE|MAP_CONCEAL, -1, 0); } else { #endif int fd; diff --git a/crypto/openssl/crypto/objects/obj_dat.h b/crypto/openssl/crypto/objects/obj_dat.h index d1b1bc7faf91..24b49a2df258 100644 --- a/crypto/openssl/crypto/objects/obj_dat.h +++ b/crypto/openssl/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/openssl/crypto/objects/obj_dat.pl b/crypto/openssl/crypto/objects/obj_dat.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/objects/obj_xref.h b/crypto/openssl/crypto/objects/obj_xref.h index 1ca04bbff19f..5c3561ab7d7e 100644 --- a/crypto/openssl/crypto/objects/obj_xref.h +++ b/crypto/openssl/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
diff --git a/crypto/openssl/crypto/objects/objects.pl b/crypto/openssl/crypto/objects/objects.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/perlasm/cbc.pl b/crypto/openssl/crypto/perlasm/cbc.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/perlasm/x86asm.pl b/crypto/openssl/crypto/perlasm/x86asm.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/perlasm/x86nasm.pl b/crypto/openssl/crypto/perlasm/x86nasm.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/poly1305/asm/poly1305-armv4.pl b/crypto/openssl/crypto/poly1305/asm/poly1305-armv4.pl index f77e1170f66b..70f46cd140aa 100755 --- a/crypto/openssl/crypto/poly1305/asm/poly1305-armv4.pl +++ b/crypto/openssl/crypto/poly1305/asm/poly1305-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -133,10 +133,10 @@ poly1305_init: # ifdef __thumb2__ itete eq # endif - addeq r12,r11,#(poly1305_emit-.Lpoly1305_init) - addne r12,r11,#(poly1305_emit_neon-.Lpoly1305_init) - addeq r11,r11,#(poly1305_blocks-.Lpoly1305_init) - addne r11,r11,#(poly1305_blocks_neon-.Lpoly1305_init) + addeq r12,r11,#(.Lpoly1305_emit-.Lpoly1305_init) + addne r12,r11,#(.Lpoly1305_emit_neon-.Lpoly1305_init) + addeq r11,r11,#(.Lpoly1305_blocks-.Lpoly1305_init) + addne r11,r11,#(.Lpoly1305_blocks_neon-.Lpoly1305_init) # endif # ifdef __thumb2__ orr r12,r12,#1 @ thumb-ify address @@ -352,6 +352,7 @@ $code.=<<___; .type poly1305_emit,%function .align 5 poly1305_emit: +.Lpoly1305_emit: stmdb sp!,{r4-r11} .Lpoly1305_emit_enter: 
@@ -671,6 +672,7 @@ poly1305_init_neon: .type poly1305_blocks_neon,%function .align 5 poly1305_blocks_neon: +.Lpoly1305_blocks_neon: ldr ip,[$ctx,#36] @ is_base2_26 ands $len,$len,#-16 beq .Lno_data_neon @@ -1157,6 +1159,7 @@ poly1305_blocks_neon: .type poly1305_emit_neon,%function .align 5 poly1305_emit_neon: +.Lpoly1305_emit_neon: ldr ip,[$ctx,#36] @ is_base2_26 stmdb sp!,{r4-r11} diff --git a/crypto/openssl/crypto/ppccap.c b/crypto/openssl/crypto/ppccap.c index b12cd949ccfe..e51156468ae5 100644 --- a/crypto/openssl/crypto/ppccap.c +++ b/crypto/openssl/crypto/ppccap.c @@ -1,5 +1,5 @@ /* - * Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -214,6 +214,24 @@ size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max) # endif #endif +#if defined(__FreeBSD__) +# include +# if __FreeBSD_version >= 1200000 +# include +# define OSSL_IMPLEMENT_GETAUXVAL + +static unsigned long getauxval(unsigned long key) +{ + unsigned long val = 0ul; + + if (elf_aux_info((int)key, &val, sizeof(val)) != 0) + return 0ul; + + return val; +} +# endif +#endif + /* I wish was universally available */ #define HWCAP 16 /* AT_HWCAP */ #define HWCAP_PPC64 (1U << 30) diff --git a/crypto/openssl/crypto/rc4/asm/rc4-586.pl b/crypto/openssl/crypto/rc4/asm/rc4-586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/rc5/asm/rc5-586.pl b/crypto/openssl/crypto/rc5/asm/rc5-586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/ripemd/asm/rmd-586.pl b/crypto/openssl/crypto/ripemd/asm/rmd-586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/rsa/rsa_ssl.c b/crypto/openssl/crypto/rsa/rsa_ssl.c index 1f155be175da..ecdb3cee1fa3 100644 --- a/crypto/openssl/crypto/rsa/rsa_ssl.c 
+++ b/crypto/openssl/crypto/rsa/rsa_ssl.c @@ -55,7 +55,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, /* * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding - * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also + * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also * preserves error code reporting for backward compatibility. */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, @@ -122,7 +122,13 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, RSA_R_NULL_BEFORE_BLOCK_MISSING); mask = ~good; - good &= constant_time_ge(threes_in_row, 8); + /* + * Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note + * that RFC5246 incorrectly states this the other way around, i.e. reject + * if it is not preceded by 8 consecutive 0x03 bytes. However this is + * corrected in subsequent errata for that RFC. + */ + good &= constant_time_lt(threes_in_row, 8); err = constant_time_select_int(mask | good, err, RSA_R_SSLV3_ROLLBACK_ATTACK); mask = ~good; diff --git a/crypto/openssl/crypto/sha/asm/sha1-586.pl b/crypto/openssl/crypto/sha/asm/sha1-586.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/sha/asm/sha1-ia64.pl b/crypto/openssl/crypto/sha/asm/sha1-ia64.pl old mode 100644 new mode 100755 diff --git a/crypto/openssl/crypto/srp/srp_lib.c b/crypto/openssl/crypto/srp/srp_lib.c index 4f417de0c989..ce3504825c53 100644 --- a/crypto/openssl/crypto/srp/srp_lib.c +++ b/crypto/openssl/crypto/srp/srp_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use 
@@ -177,6 +177,7 @@ BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, const BIGNUM *x, const BIGNUM *a, const BIGNUM *u) { BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL; + BIGNUM *xtmp = NULL; BN_CTX *bn_ctx; if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL @@ -185,10 +186,13 @@ BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, if ((tmp = BN_new()) == NULL || (tmp2 = BN_new()) == NULL || - (tmp3 = BN_new()) == NULL) + (tmp3 = BN_new()) == NULL || + (xtmp = BN_new()) == NULL) goto err; - if (!BN_mod_exp(tmp, g, x, N, bn_ctx)) + BN_with_flags(xtmp, x, BN_FLG_CONSTTIME); + BN_set_flags(tmp, BN_FLG_CONSTTIME); + if (!BN_mod_exp(tmp, g, xtmp, N, bn_ctx)) goto err; if ((k = srp_Calc_k(N, g)) == NULL) goto err; @@ -196,7 +200,7 @@ BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, goto err; if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx)) *** 1153 LINES SKIPPED ***
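Review bot: in the crypto/mem_sec.c hunk the `MADV_DONTDUMP` alias is guarded only by `defined(__FreeBSD__)`, with no `!defined(MADV_DONTDUMP)` guard like the one used for `MAP_CONCEAL` two lines below; if a future sys/mman.h provides `MADV_DONTDUMP` natively this becomes a macro redefinition. Suggest `# if defined(__FreeBSD__) && !defined(MADV_DONTDUMP)` for symmetry. The `MAP_CONCEAL 0` fallback also deserves a one-line comment: on systems that define it (OpenBSD) the flag keeps the secure-heap mapping out of core dumps, so on every other platform the added `MAP_ANON|MAP_PRIVATE|MAP_CONCEAL` is a silent no-op and the secure heap still relies on the `madvise` path for that protection.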
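Review bot: in the poly1305-armv4.pl hunks the table in `poly1305_init` now computes `.Lpoly1305_blocks-.Lpoly1305_init`, but only `.Lpoly1305_emit:`, `.Lpoly1305_blocks_neon:` and `.Lpoly1305_emit_neon:` are visible being added; the matching `.Lpoly1305_blocks:` local label is not in the shown hunks, so please confirm it is present in the skipped portion, otherwise the assembler will fail on an undefined symbol. A short comment at the first `.L` label explaining why the offsets are taken from local labels rather than the global `poly1305_*` function symbols (so that the link-time difference is not resolved through an interposable global symbol) would help the next reader.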
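Review bot: in the crypto/ppccap.c hunk the `__FreeBSD_version >= 1200000` guard should carry a comment naming what it gates (`elf_aux_info` first shipped in FreeBSD 12.0), since the bare number is opaque. Two small points on the static `getauxval`: the `(int)key` narrowing is safe for the `AT_HWCAP`-style keys used here (`#define HWCAP 16` below) but worth a comment, and because `val` is initialised to `0ul` the explicit `return 0ul` on `elf_aux_info` failure is redundant; either drop it or keep it and say that a zero HWCAP deliberately disables all optional code paths, which is the safe default.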
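Review bot: the crypto/rsa/rsa_ssl.c hunk inverts the rollback check from `constant_time_ge(threes_in_row, 8)` to `constant_time_lt(threes_in_row, 8)`, so the decoder now rejects exactly the padding the previous code accepted; a behaviour flip like this needs a regression test with both inputs (eight 0x03 bytes before the NUL delimiter yielding `RSA_R_SSLV3_ROLLBACK_ATTACK`, any other padding accepted) so the errata reading documented in the new comment cannot silently regress. The constant-time properties are preserved: `good` is still combined through `mask` and `constant_time_select_int`, so the error code is chosen without a data-dependent branch.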
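Review bot: in the crypto/srp/srp_lib.c hunk `BN_with_flags(xtmp, x, BN_FLG_CONSTTIME)` makes `xtmp` a shallow alias of the caller's `x` (it sets `BN_FLG_STATIC_DATA` so the shared limb buffer is not owned by `xtmp`); the `err:` cleanup is outside the shown lines, so please confirm `xtmp` is released with `BN_free` and not `BN_clear_free`, which would otherwise wipe the caller's `x`. A comment on the `BN_with_flags` line stating the intent, that the password-derived exponent `x` must go through the constant-time `BN_mod_exp` path to avoid a timing side channel, would make the purpose of the extra temporary clear.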