src - FreeBSD source tree

diff options


context:
space:
mode:

author	Jung-uk Kim <jkim@FreeBSD.org>	2022-06-21 14:36:39 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2022-06-21 14:36:39 +0000
commit	54ae8e38f717f22963c2a87f48af6ecefc6b3e9b (patch)
tree	a39a3a39d27ffb2f828ba54bb69a53f2dc5bf60c
parent	cf0ffd7607ed8f39829c6951a65a55fa1eb3aafe (diff)

Import OpenSSL 1.1.1pvendor/openssl/1.1.1p

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rwxr-xr-x

-rwxr-xr-x

crypto/bn/asm/x86_64-mont5.pl

198

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

crypto/x509/x509_cmp.c

-rw-r--r--

crypto/x509/x_crl.c

-rw-r--r--

crypto/x509v3/v3_asid.c

-rw-r--r--

crypto/x509v3/v3_sxnet.c

-rw-r--r--

doc/man3/BIO_f_base64.pod

-rw-r--r--

doc/man3/SSL_CTX_set1_verify_cert_store.pod

-rw-r--r--

include/openssl/opensslv.h

-rw-r--r--

include/openssl/ssl.h

-rw-r--r--

ssl/record/ssl3_record.c

-rw-r--r--

ssl/s3_lib.c

-rw-r--r--

ssl/ssl_cert.c

-rw-r--r--

ssl/ssl_local.h

-rw-r--r--

ssl/statem/extensions_clnt.c

-rw-r--r--

ssl/t1_lib.c

25 files changed, 297 insertions, 283 deletions

diff --git a/CHANGES b/CHANGES
index a5522e5fa564..18c320f85c84 100644
--- a/CHANGES
+++ b/CHANGES

@@ -7,18 +7,44 @@

https://github.com/openssl/openssl/commits/ and pick the appropriate

release branch.

+ Changes between 1.1.1o and 1.1.1p [21 Jun 2022]

+ *) In addition to the c_rehash shell command injection identified in

+ CVE-2022-1292, further bugs where the c_rehash script does not

+ properly sanitise shell metacharacters to prevent command injection have been

+ fixed.

+ When the CVE-2022-1292 was fixed it was not discovered that there

+ are other places in the script where the file names of certificates

+ being hashed were possibly passed to a command executed through the shell.

+ This script is distributed by some operating systems in a manner where

+ it is automatically executed. On such operating systems, an attacker

+ could execute arbitrary commands with the privileges of the script.

+ Use of the c_rehash script is considered obsolete and should be replaced

+ by the OpenSSL rehash command line tool.

+ (CVE-2022-2068)

+ [Daniel Fiala, Tomáš Mráz]

+ *) When OpenSSL TLS client is connecting without any supported elliptic

+ curves and TLS-1.3 protocol is disabled the connection will no longer fail

+ if a ciphersuite that does not use a key exchange based on elliptic

+ curves can be negotiated.

+ [Tomáš Mráz]

Changes between 1.1.1n and 1.1.1o [3 May 2022]

*) Fixed a bug in the c_rehash script which was not properly sanitising shell

- metacharacters to prevent command injection. This script is distributed by

- some operating systems in a manner where it is automatically executed. On

- such operating systems, an attacker could execute arbitrary commands with the

- privileges of the script.

- Use of the c_rehash script is considered obsolete and should be replaced

- by the OpenSSL rehash command line tool.

- (CVE-2022-1292)

- [Tomáš Mráz]

+ metacharacters to prevent command injection. This script is distributed

+ by some operating systems in a manner where it is automatically executed.

+ On such operating systems, an attacker could execute arbitrary commands

+ with the privileges of the script.

+ Use of the c_rehash script is considered obsolete and should be replaced

+ by the OpenSSL rehash command line tool.

+ (CVE-2022-1292)

+ [Tomáš Mráz]

Changes between 1.1.1m and 1.1.1n [15 Mar 2022]

diff --git a/NEWS b/NEWS
index d32cf5bb48dd..f5f5759c0ff2 100644
--- a/NEWS
+++ b/NEWS

@@ -5,6 +5,12 @@

This file gives a brief overview of the major changes between each OpenSSL

release. For more details please read the CHANGES file.

+ Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022]

+ o Fixed additional bugs in the c_rehash script which was not properly

+ sanitising shell metacharacters to prevent command injection

+ (CVE-2022-2068)

Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]

o Fixed a bug in the c_rehash script which was not properly sanitising

diff --git a/README b/README
index a56311a4d186..97a0042b8651 100644
--- a/README
+++ b/README

@@ -1,5 +1,5 @@

- OpenSSL 1.1.1o 3 May 2022

+ OpenSSL 1.1.1p 21 Jun 2022

diff --git a/apps/s_server.c b/apps/s_server.c
index 64d53e68d0ee..1a42bf89c7a0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c

@@ -1,5 +1,5 @@

@@ -2236,6 +2236,30 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)

SSL_CTX_sess_get_cache_size(ssl_ctx));

}

+static long int count_reads_callback(BIO *bio, int cmd, const char *argp,

+ int argi, long int argl, long int ret)

+ unsigned int *p_counter = (unsigned int *)BIO_get_callback_arg(bio);

+ switch (cmd) {

+ case BIO_CB_READ: /* No break here */

+ case BIO_CB_GETS:

+ if (p_counter != NULL)

+ ++*p_counter;

+ break;

+ default:

+ break;

+ }

+ if (s_debug) {

+ BIO_set_callback_arg(bio, (char *)bio_s_out);

+ ret = bio_dump_callback(bio, cmd, argp, argi, argl, ret);

+ BIO_set_callback_arg(bio, (char *)p_counter);

+ }

+ return ret;

static int sv_body(int s, int stype, int prot, unsigned char *context)

{

char *buf = NULL;

@@ -2353,10 +2377,7 @@ static int sv_body(int s, int stype, int prot, unsigned char *context)

SSL_set_accept_state(con);

/* SSL_set_fd(con,s); */

- if (s_debug) {

- BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);

- BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);

- }

+ BIO_set_callback(SSL_get_rbio(con), count_reads_callback);

if (s_msg) {

#ifndef OPENSSL_NO_SSL_TRACE

if (s_msg == 2)

@@ -2648,7 +2669,25 @@ static int sv_body(int s, int stype, int prot, unsigned char *context)

if ((!async || !SSL_waiting_for_async(con))

&& !SSL_is_init_finished(con)) {

+ /*

+ * Count number of reads during init_ssl_connection.

+ * It helps us to distinguish configuration errors from errors

+ * caused by a client.

+ */

+ unsigned int read_counter = 0;

+ BIO_set_callback_arg(SSL_get_rbio(con), (char *)&read_counter);

i = init_ssl_connection(con);

+ BIO_set_callback_arg(SSL_get_rbio(con), NULL);

+ /*

+ * If initialization fails without reads, then

+ * there was a fatal error in configuration.

+ */

+ if (i <= 0 && read_counter == 0) {

+ ret = -1;

+ goto err;

+ }

if (i < 0) {

ret = 0;

diff --git a/config b/config
index 49422981ae84..c7b035a0c57c 100755
--- a/config
+++ b/config

@@ -1,5 +1,5 @@

#!/bin/sh

# Licensed under the OpenSSL license (the "License"). You may not use

# this file except in compliance with the License. You can obtain a copy

@@ -709,6 +709,7 @@ case "$GUESSOS" in

ia64-*-*bsd*) OUT="BSD-ia64" ;;

x86_64-*-dragonfly*) OUT="BSD-x86_64" ;;

amd64-*-*bsd*) OUT="BSD-x86_64" ;;

+ arm64-*-*bsd*) OUT="BSD-aarch64" ;;

*86*-*-*bsd*) # mimic ld behaviour when it's looking for libc...

if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD

libc=/usr/lib/libc.so

diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 8c37d132e476..33cb769c36d5 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl

@@ -1,5 +1,5 @@

#! /usr/bin/env perl

# Licensed under the OpenSSL license (the "License"). You may not use

# this file except in compliance with the License. You can obtain a copy

@@ -2101,193 +2101,6 @@ __bn_post4x_internal:

.size __bn_post4x_internal,.-__bn_post4x_internal

___

}

-$code.=<<___;

-.globl bn_from_montgomery

-.type bn_from_montgomery,\@abi-omnipotent

-.align 32

-bn_from_montgomery:

-.cfi_startproc

- testl \$7,`($win64?"48(%rsp)":"%r9d")`

- jz bn_from_mont8x

- xor %eax,%eax

- ret

-.cfi_endproc

-.size bn_from_montgomery,.-bn_from_montgomery

-.type bn_from_mont8x,\@function,6

-.align 32

-bn_from_mont8x:

-.cfi_startproc

- .byte 0x67

- mov %rsp,%rax

-.cfi_def_cfa_register %rax

- push %rbx

-.cfi_push %rbx

- push %rbp

-.cfi_push %rbp

- push %r12

-.cfi_push %r12

- push %r13

-.cfi_push %r13

- push %r14

-.cfi_push %r14

- push %r15

-.cfi_push %r15

-.Lfrom_prologue:

- shl \$3,${num}d # convert $num to bytes

- lea ($num,$num,2),%r10 # 3*$num in bytes

- neg $num

- mov ($n0),$n0 # *n0

- ##############################################################

- # Ensure that stack frame doesn't alias with $rptr+3*$num

- # modulo 4096, which covers ret[num], am[num] and n[num]

- # (see bn_exp.c). The stack is allocated to aligned with

- # bn_power5's frame, and as bn_from_montgomery happens to be

- # last operation, we use the opportunity to cleanse it.

- #

- lea -320(%rsp,$num,2),%r11

- mov %rsp,%rbp

- sub $rptr,%r11

- and \$4095,%r11

- cmp %r11,%r10

- jb .Lfrom_sp_alt

- sub %r11,%rbp # align with $aptr

- lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256)

- jmp .Lfrom_sp_done

-.align 32

-.Lfrom_sp_alt:

- lea 4096-320(,$num,2),%r10

- lea -320(%rbp,$num,2),%rbp # future alloca(frame+2*$num*8+256)

- sub %r10,%r11

- mov \$0,%r10

- cmovc %r10,%r11

- sub %r11,%rbp

-.Lfrom_sp_done:

- and \$-64,%rbp

- mov %rsp,%r11

- sub %rbp,%r11

- and \$-4096,%r11

- lea (%rbp,%r11),%rsp

- mov (%rsp),%r10

- cmp %rbp,%rsp

- ja .Lfrom_page_walk

- jmp .Lfrom_page_walk_done

-.Lfrom_page_walk:

- lea -4096(%rsp),%rsp

- mov (%rsp),%r10

- cmp %rbp,%rsp

- ja .Lfrom_page_walk

-.Lfrom_page_walk_done:

- mov $num,%r10

- neg $num

- ##############################################################

- # Stack layout

- #

- # +0 saved $num, used in reduction section

- # +8 &t[2*$num], used in reduction section

- # +32 saved *n0

- # +40 saved %rsp

- # +48 t[2*$num]

- #

- mov $n0, 32(%rsp)

- mov %rax, 40(%rsp) # save original %rsp

-.cfi_cfa_expression %rsp+40,deref,+8

-.Lfrom_body:

- mov $num,%r11

- lea 48(%rsp),%rax

- pxor %xmm0,%xmm0

- jmp .Lmul_by_1

-.align 32

-.Lmul_by_1:

- movdqu ($aptr),%xmm1

- movdqu 16($aptr),%xmm2

- movdqu 32($aptr),%xmm3

- movdqa %xmm0,(%rax,$num)

- movdqu 48($aptr),%xmm4

- movdqa %xmm0,16(%rax,$num)

- .byte 0x48,0x8d,0xb6,0x40,0x00,0x00,0x00 # lea 64($aptr),$aptr

- movdqa %xmm1,(%rax)

- movdqa %xmm0,32(%rax,$num)

- movdqa %xmm2,16(%rax)

- movdqa %xmm0,48(%rax,$num)

- movdqa %xmm3,32(%rax)

- movdqa %xmm4,48(%rax)

- lea 64(%rax),%rax

- sub \$64,%r11

- jnz .Lmul_by_1

- movq $rptr,%xmm1

- movq $nptr,%xmm2

- .byte 0x67

- mov $nptr,%rbp

- movq %r10, %xmm3 # -num

-___

-$code.=<<___ if ($addx);

- mov OPENSSL_ia32cap_P+8(%rip),%r11d

- and \$0x80108,%r11d

- cmp \$0x80108,%r11d # check for AD*X+BMI2+BMI1

- jne .Lfrom_mont_nox

- lea (%rax,$num),$rptr

- call __bn_sqrx8x_reduction

- call __bn_postx4x_internal

- pxor %xmm0,%xmm0

- lea 48(%rsp),%rax

- jmp .Lfrom_mont_zero

-.align 32

-.Lfrom_mont_nox:

-___

-$code.=<<___;

- call __bn_sqr8x_reduction

- call __bn_post4x_internal

- pxor %xmm0,%xmm0

- lea 48(%rsp),%rax

- jmp .Lfrom_mont_zero

-.align 32

-.Lfrom_mont_zero:

- mov 40(%rsp),%rsi # restore %rsp

-.cfi_def_cfa %rsi,8

- movdqa %xmm0,16*0(%rax)

- movdqa %xmm0,16*1(%rax)

- movdqa %xmm0,16*2(%rax)

- movdqa %xmm0,16*3(%rax)

- lea 16*4(%rax),%rax

- sub \$32,$num

- jnz .Lfrom_mont_zero

- mov \$1,%rax

- mov -48(%rsi),%r15

-.cfi_restore %r15

- mov -40(%rsi),%r14

-.cfi_restore %r14

- mov -32(%rsi),%r13

-.cfi_restore %r13

- mov -24(%rsi),%r12

-.cfi_restore %r12

- mov -16(%rsi),%rbp

-.cfi_restore %rbp

- mov -8(%rsi),%rbx

-.cfi_restore %rbx

- lea (%rsi),%rsp

-.cfi_def_cfa_register %rsp

-.Lfrom_epilogue:

- ret

-.cfi_endproc

-.size bn_from_mont8x,.-bn_from_mont8x

-___

}}}

if ($addx) {{{

@@ -3894,10 +3707,6 @@ mul_handler:

.rva .LSEH_begin_bn_power5

.rva .LSEH_end_bn_power5

.rva .LSEH_info_bn_power5

- .rva .LSEH_begin_bn_from_mont8x

- .rva .LSEH_end_bn_from_mont8x

- .rva .LSEH_info_bn_from_mont8x

___

$code.=<<___ if ($addx);

.rva .LSEH_begin_bn_mulx4x_mont_gather5

@@ -3929,11 +3738,6 @@ $code.=<<___;

.byte 9,0,0,0

.rva mul_handler

.rva .Lpower5_prologue,.Lpower5_body,.Lpower5_epilogue # HandlerData[]

-.align 8

-.LSEH_info_bn_from_mont8x:

- .byte 9,0,0,0

- .rva mul_handler

- .rva .Lfrom_prologue,.Lfrom_body,.Lfrom_epilogue # HandlerData[]

___

$code.=<<___ if ($addx);

.align 8

diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 8c54ab005ca6..e21dcff027c5 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c

@@ -900,14 +900,21 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,

#if defined(OPENSSL_BN_ASM_MONT5)

if (window == 5 && top > 1) {

- * This optimization uses ideas from http://eprint.iacr.org/2011/239,

- * specifically optimization of cache-timing attack countermeasures

- * and pre-computation optimization.

- */

- /*

- * Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as

- * 512-bit RSA is hardly relevant, we omit it to spare size...

+ * This optimization uses ideas from https://eprint.iacr.org/2011/239,

+ * specifically optimization of cache-timing attack countermeasures,

+ * pre-computation optimization, and Almost Montgomery Multiplication.

+ *

+ * The paper discusses a 4-bit window to optimize 512-bit modular

+ * exponentiation, used in RSA-1024 with CRT, but RSA-1024 is no longer

+ * important.

+ *

+ * |bn_mul_mont_gather5| and |bn_power5| implement the "almost"

+ * reduction variant, so the values here may not be fully reduced.

+ * They are bounded by R (i.e. they fit in |top| words), not |m|.

+ * Additionally, we pass these "almost" reduced inputs into

+ * |bn_mul_mont|, which implements the normal reduction variant.

+ * Given those inputs, |bn_mul_mont| may not give reduced

+ * output, but it will still produce "almost" reduced output.

void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,

const void *table, const BN_ULONG *np,

@@ -919,9 +926,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,

const void *table, const BN_ULONG *np,

const BN_ULONG *n0, int num, int power);

int bn_get_bits5(const BN_ULONG *ap, int off);

- int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,

- const BN_ULONG *not_used, const BN_ULONG *np,

- const BN_ULONG *n0, int num);

BN_ULONG *n0 = mont->n0, *np;

@@ -1010,14 +1014,18 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,

}

- ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np, n0, top);

tmp.top = top;

- bn_correct_top(&tmp);

- if (ret) {

- if (!BN_copy(rr, &tmp))

- ret = 0;

- goto err; /* non-zero ret means it's not error */

- }

+ /*

+ * The result is now in |tmp| in Montgomery form, but it may not be

+ * fully reduced. This is within bounds for |BN_from_montgomery|

+ * (tmp < R <= m*R) so it will, when converting from Montgomery form,

+ * produce a fully reduced result.

+ *

+ * This differs from Figure 2 of the paper, which uses AMM(h, 1) to

+ * convert from Montgomery form with unreduced output, followed by an

+ * extra reduction step. In the paper's terminology, we replace

+ * steps 9 and 10 with MM(h, 1).

+ */

} else

#endif

{

diff --git a/crypto/bn/rsaz_exp.c b/crypto/bn/rsaz_exp.c
index 22455b8a6374..a2ab58bbeb4c 100644
--- a/crypto/bn/rsaz_exp.c
+++ b/crypto/bn/rsaz_exp.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -66,6 +66,7 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],

unsigned char *R2 = table_s; /* borrow */

int index;

int wvalue;

+ BN_ULONG tmp[16];

if ((((size_t)p_str & 4095) + 320) >> 12) {

result = p_str;

@@ -237,7 +238,10 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],

rsaz_1024_red2norm_avx2(result_norm, result);

+ bn_reduce_once_in_place(result_norm, /*carry=*/0, m_norm, tmp, 16);

OPENSSL_cleanse(storage, sizeof(storage));

+ OPENSSL_cleanse(tmp, sizeof(tmp));

}

@@ -266,6 +270,7 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],

unsigned char *p_str = (unsigned char *)exponent;

int index;

unsigned int wvalue;

+ BN_ULONG tmp[8];

/* table[0] = 1_inv */

temp[0] = 0 - m[0];

@@ -309,7 +314,10 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],

/* from Montgomery */

rsaz_512_mul_by_one(result, temp, m, k0);

+ bn_reduce_once_in_place(result, /*carry=*/0, m, tmp, 8);

OPENSSL_cleanse(storage, sizeof(storage));

+ OPENSSL_cleanse(tmp, sizeof(tmp));

}

#endif

diff --git a/crypto/bn/rsaz_exp.h b/crypto/bn/rsaz_exp.h
index 88f65a4bae46..1532a7e07179 100644
--- a/crypto/bn/rsaz_exp.h
+++ b/crypto/bn/rsaz_exp.h

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -22,6 +22,8 @@

# define RSAZ_ENABLED

# include <openssl/bn.h>

+# include "internal/constant_time.h"

+# include "bn_local.h"

void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16],

const BN_ULONG base_norm[16],

@@ -35,6 +37,27 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],

const BN_ULONG m_norm[8], BN_ULONG k0,

const BN_ULONG RR[8]);

+static ossl_inline void bn_select_words(BN_ULONG *r, BN_ULONG mask,

+ const BN_ULONG *a,

+ const BN_ULONG *b, size_t num)

+ size_t i;

+ for (i = 0; i < num; i++) {

+ r[i] = constant_time_select_64(mask, a[i], b[i]);

+ }

+static ossl_inline BN_ULONG bn_reduce_once_in_place(BN_ULONG *r,

+ BN_ULONG carry,

+ const BN_ULONG *m,

+ BN_ULONG *tmp, size_t num)

+ carry -= bn_sub_words(tmp, r, m, num);

+ bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num);

+ return carry;

# endif

#endif

diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 4335b3da1a54..34de7b2aabf7 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -751,6 +751,16 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)

/* extract seed (optional) */

if (params->curve->seed != NULL) {

+ /*

+ * This happens for instance with

+ * fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a

+ * and causes the OPENSSL_malloc below to choke on the

+ * zero length allocation request.

+ */

+ if (params->curve->seed->length == 0) {

+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);

+ goto err;

+ }

OPENSSL_free(ret->seed);

if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) {

ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE);

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 23efbd015ca4..3017f0936c0d 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

@@ -657,8 +657,7 @@ int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)

ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE);

return 0;

}

- eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key);

- if (eckey->priv_key == NULL) {

+ if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) {

ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB);

return 0;

}

diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 1d8d2d7b28e9..3724a118f343 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -34,7 +34,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)

unsigned long ret = 0;

EVP_MD_CTX *ctx = EVP_MD_CTX_new();

unsigned char md[16];

- char *f;

+ char *f = NULL;

if (ctx == NULL)

goto err;

@@ -45,7 +45,6 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)

goto err;

if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))

goto err;

- OPENSSL_free(f);

if (!EVP_DigestUpdate

(ctx, (unsigned char *)a->cert_info.serialNumber.data,

(unsigned long)a->cert_info.serialNumber.length))

@@ -56,6 +55,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)

((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)

) & 0xffffffffL;

err:

+ OPENSSL_free(f);

EVP_MD_CTX_free(ctx);

return ret;

}

diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index c9762f9e2394..df0041c0108c 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -103,13 +103,17 @@ static int crl_set_issuers(X509_CRL *crl)

if (gtmp) {

gens = gtmp;

- if (!crl->issuers) {

+ if (crl->issuers == NULL) {

crl->issuers = sk_GENERAL_NAMES_new_null();

- if (!crl->issuers)

+ if (crl->issuers == NULL) {

+ GENERAL_NAMES_free(gtmp);

return 0;

+ }

}

- if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp))

+ if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) {

+ GENERAL_NAMES_free(gtmp);

return 0;

+ }

}

rev->issuer = gens;

@@ -255,7 +259,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,

break;

case ASN1_OP_FREE_POST:

- if (crl->meth->crl_free) {

+ if (crl->meth != NULL && crl->meth->crl_free != NULL) {

if (!crl->meth->crl_free(crl))

return 0;

}

diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c
index ac6857267291..8e9e919804d0 100644
--- a/crypto/x509v3/v3_asid.c
+++ b/crypto/x509v3/v3_asid.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -700,15 +700,28 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)

int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)

{

- return (a == NULL ||

- a == b ||

- (b != NULL &&

- !X509v3_asid_inherits(a) &&

- !X509v3_asid_inherits(b) &&

- asid_contains(b->asnum->u.asIdsOrRanges,

- a->asnum->u.asIdsOrRanges) &&

- asid_contains(b->rdi->u.asIdsOrRanges,

- a->rdi->u.asIdsOrRanges)));

+ int subset;

+ if (a == NULL || a == b)

+ return 1;

+ if (b == NULL)

+ return 0;

+ if (X509v3_asid_inherits(a) || X509v3_asid_inherits(b))

+ return 0;

+ subset = a->asnum == NULL

+ || (b->asnum != NULL

+ && asid_contains(b->asnum->u.asIdsOrRanges,

+ a->asnum->u.asIdsOrRanges));

+ if (!subset)

+ return 0;

+ return a->rdi == NULL

+ || (b->rdi != NULL

+ && asid_contains(b->rdi->u.asIdsOrRanges,

+ a->rdi->u.asIdsOrRanges));

}

diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509v3/v3_sxnet.c
index 89cda01be2a5..144e8bee84ad 100644
--- a/crypto/x509v3/v3_sxnet.c
+++ b/crypto/x509v3/v3_sxnet.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -57,12 +57,24 @@ IMPLEMENT_ASN1_FUNCTIONS(SXNET)

static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,

int indent)

{

- long v;

+ int64_t v;

char *tmp;

SXNETID *id;

int i;

- v = ASN1_INTEGER_get(sx->version);

- BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);

+ /*

+ * Since we add 1 to the version number to display it, we don't support

+ * LONG_MAX since that would cause on overflow.

+ */

+ if (!ASN1_INTEGER_get_int64(&v, sx->version)

+ || v >= LONG_MAX

+ || v < LONG_MIN) {

+ BIO_printf(out, "%*sVersion: <unsupported>", indent, "");

+ } else {

+ long vl = (long)v;

+ BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", vl + 1, vl);

+ }

for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {

id = sk_SXNETID_value(sx->ids, i);

tmp = i2s_ASN1_INTEGER(NULL, id->zone);

diff --git a/doc/man3/BIO_f_base64.pod b/doc/man3/BIO_f_base64.pod
index c2c5309a6017..55ca5d4de30f 100644
--- a/doc/man3/BIO_f_base64.pod
+++ b/doc/man3/BIO_f_base64.pod

@@ -38,9 +38,8 @@ to flush the final block through the BIO.

The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags().

For writing, it causes all data to be written on one line without

newline at the end.

-For reading, it forces the decoder to process the data regardless

-of newlines. All newlines are ignored and the input does not need

-to contain any newline at all.

+For reading, it expects the data to be all on one line (with or

+without a trailing newline).

=head1 NOTES

diff --git a/doc/man3/SSL_CTX_set1_verify_cert_store.pod b/doc/man3/SSL_CTX_set1_verify_cert_store.pod
index b42f2a499f13..a7f2a53a80af 100644
--- a/doc/man3/SSL_CTX_set1_verify_cert_store.pod
+++ b/doc/man3/SSL_CTX_set1_verify_cert_store.pod

@@ -5,7 +5,9 @@

SSL_CTX_set0_verify_cert_store, SSL_CTX_set1_verify_cert_store,

SSL_CTX_set0_chain_cert_store, SSL_CTX_set1_chain_cert_store,

SSL_set0_verify_cert_store, SSL_set1_verify_cert_store,

-SSL_set0_chain_cert_store, SSL_set1_chain_cert_store - set certificate

+SSL_set0_chain_cert_store, SSL_set1_chain_cert_store,

+SSL_CTX_get0_verify_cert_store, SSL_CTX_get0_chain_cert_store,

+SSL_get0_verify_cert_store, SSL_get0_chain_cert_store - set certificate

verification or chain store

=head1 SYNOPSIS

@@ -16,11 +18,15 @@ verification or chain store

int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);

int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);

int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);

+ int SSL_CTX_get0_verify_cert_store(SSL_CTX *ctx, X509_STORE **st);

+ int SSL_CTX_get0_chain_cert_store(SSL_CTX *ctx, X509_STORE **st);

int SSL_set0_verify_cert_store(SSL *ctx, X509_STORE *st);

int SSL_set1_verify_cert_store(SSL *ctx, X509_STORE *st);

int SSL_set0_chain_cert_store(SSL *ctx, X509_STORE *st);

int SSL_set1_chain_cert_store(SSL *ctx, X509_STORE *st);

+ int SSL_get0_verify_cert_store(SSL *ctx, X509_STORE **st);

+ int SSL_get0_chain_cert_store(SSL *ctx, X509_STORE **st);

=head1 DESCRIPTION

@@ -34,6 +40,11 @@ SSL_set0_verify_cert_store(), SSL_set1_verify_cert_store(),

SSL_set0_chain_cert_store() and SSL_set1_chain_cert_store() are similar

except they apply to SSL structure B<ssl>.

+SSL_CTX_get0_verify_chain_store(), SSL_get0_verify_chain_store(),

+SSL_CTX_get0_chain_cert_store() and SSL_get0_chain_cert_store() retrieve the

+objects previously set via the above calls. A pointer to the object (or NULL if

+no such object has been set) is written to B<*st>.

All these functions are implemented as macros. Those containing a B<1>

increment the reference count of the supplied store so it must

be freed at some point after the operation. Those containing a B<0> do

@@ -90,7 +101,7 @@ These functions were added in OpenSSL 1.0.2.

=head1 COPYRIGHT

Licensed under the OpenSSL license (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index bd9dc9209163..7fb1b21f7ae8 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h

@@ -39,8 +39,8 @@ extern "C" {

* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for

* major minor fix final patch/beta)

-# define OPENSSL_VERSION_NUMBER 0x101010ffL

-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1o 3 May 2022"

+# define OPENSSL_VERSION_NUMBER 0x1010110fL

+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1p 21 Jun 2022"

/*-

* The macros below are to be used for shared library (.so, .dll, ...)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index fd0c5a99967f..9af0c8995ecc 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -1,5 +1,5 @@

@@ -1305,6 +1305,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)

# define SSL_CTRL_GET_MAX_PROTO_VERSION 131

# define SSL_CTRL_GET_SIGNATURE_NID 132

# define SSL_CTRL_GET_TMP_KEY 133

+# define SSL_CTRL_GET_VERIFY_CERT_STORE 137

+# define SSL_CTRL_GET_CHAIN_CERT_STORE 138

# define SSL_CERT_SET_FIRST 1

# define SSL_CERT_SET_NEXT 2

# define SSL_CERT_SET_SERVER 3

@@ -1360,10 +1362,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)

SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))

# define SSL_CTX_set1_verify_cert_store(ctx,st) \

SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))

+# define SSL_CTX_get0_verify_cert_store(ctx,st) \

+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st))

# define SSL_CTX_set0_chain_cert_store(ctx,st) \

SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))

# define SSL_CTX_set1_chain_cert_store(ctx,st) \

SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))

+# define SSL_CTX_get0_chain_cert_store(ctx,st) \

+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st))

# define SSL_set0_chain(s,sk) \

SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk))

# define SSL_set1_chain(s,sk) \

@@ -1386,10 +1392,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)

SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))

# define SSL_set1_verify_cert_store(s,st) \

SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))

+#define SSL_get0_verify_cert_store(s,st) \

+ SSL_ctrl(s,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st))

# define SSL_set0_chain_cert_store(s,st) \

SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))

# define SSL_set1_chain_cert_store(s,st) \

SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))

+#define SSL_get0_chain_cert_store(s,st) \

+ SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st))

# define SSL_get1_groups(s, glist) \

SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist))

# define SSL_CTX_set1_groups(ctx, glist, glistlen) \

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index f158544789bb..47c7369ed549 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -1532,6 +1532,7 @@ int ssl3_cbc_copy_mac(unsigned char *out,

#if defined(CBC_MAC_ROTATE_IN_PLACE)

unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];

unsigned char *rotated_mac;

+ char aux1, aux2, aux3, mask;

#else

unsigned char rotated_mac[EVP_MAX_MD_SIZE];

#endif

@@ -1581,9 +1582,16 @@ int ssl3_cbc_copy_mac(unsigned char *out,

#if defined(CBC_MAC_ROTATE_IN_PLACE)

j = 0;

for (i = 0; i < md_size; i++) {

- /* in case cache-line is 32 bytes, touch second line */

- ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];

- out[j++] = rotated_mac[rotate_offset++];

+ /*

+ * in case cache-line is 32 bytes,

+ * load from both lines and select appropriately

+ */

+ aux1 = rotated_mac[rotate_offset & ~32];

+ aux2 = rotated_mac[rotate_offset | 32];

+ mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset);

+ aux3 = constant_time_select_8(mask, aux1, aux2);

+ out[j++] = aux3;

+ rotate_offset++;

rotate_offset &= constant_time_lt_s(rotate_offset, md_size);

}

#else

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index e4cf007f82a5..32f9b257106b 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c

@@ -3676,6 +3676,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)

case SSL_CTRL_SET_CHAIN_CERT_STORE:

return ssl_cert_set_cert_store(s->cert, parg, 1, larg);

+ case SSL_CTRL_GET_VERIFY_CERT_STORE:

+ return ssl_cert_get_cert_store(s->cert, parg, 0);

+ case SSL_CTRL_GET_CHAIN_CERT_STORE:

+ return ssl_cert_get_cert_store(s->cert, parg, 1);

case SSL_CTRL_GET_PEER_SIGNATURE_NID:

if (s->s3->tmp.peer_sigalg == NULL)

return 0;

@@ -3949,6 +3955,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)

case SSL_CTRL_SET_CHAIN_CERT_STORE:

return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);

+ case SSL_CTRL_GET_VERIFY_CERT_STORE:

+ return ssl_cert_get_cert_store(ctx->cert, parg, 0);

+ case SSL_CTRL_GET_CHAIN_CERT_STORE:

+ return ssl_cert_get_cert_store(ctx->cert, parg, 1);

/* A Thawte special :-) */

case SSL_CTRL_EXTRA_CHAIN_CERT:

if (ctx->extra_certs == NULL) {

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index eba96b207eee..b615e7048da4 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c

@@ -876,6 +876,12 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)

return 1;

}

+int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain)

+ *pstore = (chain ? c->chain_store : c->verify_store);

+ return 1;

int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)

{

int level;

diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 9f346e30e8f4..5c7921542310 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h

@@ -1,5 +1,5 @@

@@ -2301,6 +2301,7 @@ __owur int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);

__owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags);

__owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain,

int ref);

+__owur int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain);

__owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);

__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 9d38ac23b5f0..b6f72d685c2c 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -118,6 +118,8 @@ static int use_ecc(SSL *s)

int i, end, ret = 0;

unsigned long alg_k, alg_a;

STACK_OF(SSL_CIPHER) *cipher_stack = NULL;

+ const uint16_t *pgroups = NULL;

+ size_t num_groups, j;

/* See if we support any ECC ciphersuites */

if (s->version == SSL3_VERSION)

@@ -139,7 +141,19 @@ static int use_ecc(SSL *s)

}

sk_SSL_CIPHER_free(cipher_stack);

- return ret;

+ if (!ret)

+ return 0;

+ /* Check we have at least one EC supported group */

+ tls1_get_supported_groups(s, &pgroups, &num_groups);

+ for (j = 0; j < num_groups; j++) {

+ uint16_t ctmp = pgroups[j];

+ if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))

+ return 1;

+ }

+ return 0;

}

EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b1d3add18743..5f657f888e0d 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -2369,22 +2369,20 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,

ca_dn = s->s3->tmp.peer_ca_names;

- if (!sk_X509_NAME_num(ca_dn))

+ if (ca_dn == NULL

+ || sk_X509_NAME_num(ca_dn) == 0

+ || ssl_check_ca_name(ca_dn, x))

rv |= CERT_PKEY_ISSUER_NAME;

- if (!(rv & CERT_PKEY_ISSUER_NAME)) {

- if (ssl_check_ca_name(ca_dn, x))

- rv |= CERT_PKEY_ISSUER_NAME;

- }

- if (!(rv & CERT_PKEY_ISSUER_NAME)) {

+ else

for (i = 0; i < sk_X509_num(chain); i++) {

X509 *xtmp = sk_X509_value(chain, i);

if (ssl_check_ca_name(ca_dn, xtmp)) {

rv |= CERT_PKEY_ISSUER_NAME;

break;

}

- }

if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))

goto end;

} else

@@ -2555,6 +2553,8 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)

int rv, start_idx, i;

if (x == NULL) {

x = sk_X509_value(sk, 0);

+ if (x == NULL)

+ return ERR_R_INTERNAL_ERROR;

start_idx = 1;

} else

start_idx = 0;