Skip to content

Commit

Permalink
deps: upgrade openssl sources to 1.1.1k
Browse files Browse the repository at this point in the history
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1k.tar.gz
    $ mv openssl-1.1.1k openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #37938
Refs: #37913
Refs: #37916
Reviewed-By: Jiawen Geng <[email protected]>
Reviewed-By: Daniel Bevenius <[email protected]>
  • Loading branch information
tniessen authored and MylesBorins committed Apr 4, 2021
1 parent 6a9ec8d commit 403a014
Show file tree
Hide file tree
Showing 32 changed files with 254 additions and 66 deletions.
44 changes: 44 additions & 0 deletions deps/openssl/openssl/CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,50 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.1.1j and 1.1.1k [25 Mar 2021]

*) Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
of the certificates present in a certificate chain. It is not set by
default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check.

An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity
for checks that the certificate is a valid CA. All of the named "purpose"
values implemented in libcrypto perform this check. Therefore, where
a purpose is set the certificate chain will still be rejected even when the
strict flag has been used. A purpose is set by default in libssl client and
server certificate verification routines, but it can be overridden or
removed by an application.

In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
for the certificate verification or, in the case of TLS client or server
applications, override the default purpose.
(CVE-2021-3450)
[Tomáš Mráz]

*) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client. If a TLSv1.2
renegotiation ClientHello omits the signature_algorithms extension (where
it was present in the initial ClientHello), but includes a
signature_algorithms_cert extension then a NULL pointer dereference will
result, leading to a crash and a denial of service attack.

A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
(which is the default configuration). OpenSSL TLS clients are not impacted
by this issue.
(CVE-2021-3449)
[Peter Kästle and Samuel Sapalski]

Changes between 1.1.1i and 1.1.1j [16 Feb 2021]

*) Fixed the X509_issuer_and_serial_hash() function. It attempts to
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/Configurations/unix-Makefile.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -917,8 +917,8 @@ errors:
done )

ordinals:
( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl crypto update )
( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl ssl update )
$(PERL) $(SRCDIR)/util/mkdef.pl crypto update
$(PERL) $(SRCDIR)/util/mkdef.pl ssl update

test_ordinals:
( cd test; \
Expand Down
8 changes: 8 additions & 0 deletions deps/openssl/openssl/NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,14 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]

o Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)
o Fixed an issue where an OpenSSL TLS server may crash if sent a
maliciously crafted renegotiation ClientHello message from a client
(CVE-2021-3449)

Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]

o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/README
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@

OpenSSL 1.1.1j 16 Feb 2021
OpenSSL 1.1.1k 25 Mar 2021

Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.

Expand Down
5 changes: 3 additions & 2 deletions deps/openssl/openssl/apps/s_cb.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -934,7 +934,8 @@ static int set_cert_cb(SSL *ssl, void *arg)
if (!SSL_build_cert_chain(ssl, 0))
return 0;
} else if (exc->chain != NULL) {
SSL_set1_chain(ssl, exc->chain);
if (!SSL_set1_chain(ssl, exc->chain))
return 0;
}
}
exc = exc->prev;
Expand Down
5 changes: 3 additions & 2 deletions deps/openssl/openssl/apps/s_time.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -263,7 +263,8 @@ int s_time_main(int argc, char **argv)
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
nConn, (long)time(NULL) - finishtime + maxtime,
nConn > 0 ? bytes_read / nConn : 0l);

/*
* Now loop and time connections using the same session id over and over
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/crypto/asn1/asn1_par.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -325,6 +325,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
}
if (BIO_puts(bp, "]") <= 0)
goto end;
dump_cont = 0;
}

if (!nl) {
Expand Down
4 changes: 3 additions & 1 deletion deps/openssl/openssl/crypto/asn1/bio_ndef.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -113,6 +113,8 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
ndef_aux = *(NDEF_SUPPORT **)parg;

derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
if (derlen < 0)
return 0;
if ((p = OPENSSL_malloc(derlen)) == NULL) {
ASN1err(ASN1_F_NDEF_PREFIX, ERR_R_MALLOC_FAILURE);
return 0;
Expand Down
17 changes: 15 additions & 2 deletions deps/openssl/openssl/crypto/engine/eng_devcrypto.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -758,15 +758,28 @@ static int devcrypto_unload(ENGINE *e)
void engine_load_devcrypto_int()
{
ENGINE *e = NULL;
int fd;

if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) {
#ifndef ENGINE_DEVCRYPTO_DEBUG
if (errno != ENOENT)
#endif
fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
return;
}

#ifdef CRIOGET
if (ioctl(fd, CRIOGET, &cfd) < 0) {
fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
close(fd);
cfd = -1;
return;
}
close(fd);
#else
cfd = fd;
#endif

if ((e = ENGINE_new()) == NULL
|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
ENGINE_free(e);
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/crypto/evp/evp_enc.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down
8 changes: 5 additions & 3 deletions deps/openssl/openssl/crypto/modes/cbc128.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -69,7 +69,8 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out,
in += 16;
out += 16;
}
memcpy(ivec, iv, 16);
if (ivec != iv)
memcpy(ivec, iv, 16);
}

void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
Expand Down Expand Up @@ -114,7 +115,8 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
out += 16;
}
}
memcpy(ivec, iv, 16);
if (ivec != iv)
memcpy(ivec, iv, 16);
} else {
if (STRICT_ALIGNMENT &&
((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/crypto/modes/gcm128.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -1385,8 +1385,8 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
else
ctx->Yi.d[3] = ctr;
for (i = 0; i < 16 / sizeof(size_t); ++i) {
size_t c = in[i];
out[i] = c ^ ctx->EKi.t[i];
size_t c = in_t[i];
out_t[i] = c ^ ctx->EKi.t[i];
ctx->Xi.t[i] ^= c;
}
GCM_MUL(ctx);
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/crypto/o_time.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -133,8 +133,8 @@ int OPENSSL_gmtime_diff(int *pday, int *psec,
static int julian_adj(const struct tm *tm, int off_day, long offset_sec,
long *pday, int *psec)
{
int offset_hms, offset_day;
long time_jd;
int offset_hms;
long offset_day, time_jd;
int time_year, time_month, time_day;
/* split offset into days and day seconds */
offset_day = offset_sec / SECS_PER_DAY;
Expand Down
8 changes: 6 additions & 2 deletions deps/openssl/openssl/crypto/rand/rand_lib.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -432,9 +432,13 @@ int RAND_poll(void)
RAND_POOL *rand_pool_new(int entropy_requested, int secure,
size_t min_len, size_t max_len)
{
RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
RAND_POOL *pool;
size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure);

if (!RUN_ONCE(&rand_init, do_rand_init))
return NULL;

pool = OPENSSL_zalloc(sizeof(*pool));
if (pool == NULL) {
RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/crypto/rsa/rsa_ssl.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down
12 changes: 8 additions & 4 deletions deps/openssl/openssl/crypto/x509/x509_vfy.c
Original file line number Diff line number Diff line change
Expand Up @@ -524,15 +524,19 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ret = 1;
break;
}
if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
if (ret > 0
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
/* Check for presence of explicit elliptic curve parameters */
ret = check_curve(x);
if (ret < 0)
if (ret < 0) {
ctx->error = X509_V_ERR_UNSPECIFIED;
else if (ret == 0)
ret = 0;
} else if (ret == 0) {
ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
}
}
if ((x->ex_flags & EXFLAG_CA) == 0
if (ret > 0
&& (x->ex_flags & EXFLAG_CA) == 0
&& x->ex_pathlen != -1
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/fuzz/x509.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL licenses, (the "License");
* you may not use this file except in compliance with the License.
Expand Down
1 change: 0 additions & 1 deletion deps/openssl/openssl/include/crypto/bn_conf.h

This file was deleted.

1 change: 0 additions & 1 deletion deps/openssl/openssl/include/crypto/dso_conf.h

This file was deleted.

1 change: 0 additions & 1 deletion deps/openssl/openssl/include/openssl/opensslconf.h

This file was deleted.

6 changes: 3 additions & 3 deletions deps/openssl/openssl/include/openssl/opensslv.h
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x101010afL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1j 16 Feb 2021"
# define OPENSSL_VERSION_NUMBER 0x101010bfL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k 25 Mar 2021"

/*-
* The macros below are to be used for shared library (.so, .dll, ...)
Expand Down
7 changes: 5 additions & 2 deletions deps/openssl/openssl/ssl/s3_lib.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
Expand Down Expand Up @@ -4629,6 +4629,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,

OPENSSL_clear_free(s->s3->tmp.psk, psklen);
s->s3->tmp.psk = NULL;
s->s3->tmp.psklen = 0;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, pskpms, pskpmslen,
&s->session->master_key_length)) {
Expand Down Expand Up @@ -4658,8 +4659,10 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
else
OPENSSL_cleanse(pms, pmslen);
}
if (s->server == 0)
if (s->server == 0) {
s->s3->tmp.pms = NULL;
s->s3->tmp.pmslen = 0;
}
return ret;
}

Expand Down
Loading

0 comments on commit 403a014

Please sign in to comment.