git: 13a031f0d73d - stable/14 - Update to OpenSSL 3.0.14
Date: Sat, 29 Jun 2024 20:29:28 UTC
The branch stable/14 has been updated by ngie:
URL: https://cgit.FreeBSD.org/src/commit/?id=13a031f0d73dd39bcf89c152168f9c1d454f2d2a
commit 13a031f0d73dd39bcf89c152168f9c1d454f2d2a
Author: Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2024-06-26 23:50:13 +0000
Commit: Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2024-06-29 20:29:18 +0000
Update to OpenSSL 3.0.14
This release resolves 3 upstream-found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
MFC after: 3 days
Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'
(cherry picked from commit 44096ebd22ddd0081a357011714eff8963614b65)
---
crypto/openssl/CHANGES.md | 69 ++++
crypto/openssl/CONTRIBUTING.md | 6 +-
crypto/openssl/Configurations/10-main.conf | 9 +-
crypto/openssl/Configurations/15-ios.conf | 6 +-
crypto/openssl/Configurations/unix-Makefile.tmpl | 14 +-
crypto/openssl/Configure | 3 +-
crypto/openssl/INSTALL.md | 9 +-
crypto/openssl/NEWS.md | 15 +
crypto/openssl/NOTES-NONSTOP.md | 5 +-
crypto/openssl/VERSION.dat | 4 +-
crypto/openssl/apps/lib/s_cb.c | 8 +-
crypto/openssl/apps/list.c | 3 +-
crypto/openssl/apps/ocsp.c | 4 +-
crypto/openssl/apps/pkcs12.c | 16 +-
crypto/openssl/apps/req.c | 2 +-
crypto/openssl/apps/speed.c | 6 +-
crypto/openssl/apps/ts.c | 11 +-
crypto/openssl/crypto/aes/build.info | 2 +-
crypto/openssl/crypto/bio/bio_lib.c | 10 +-
crypto/openssl/crypto/bio/bio_sock.c | 6 +-
crypto/openssl/crypto/bn/bn_lib.c | 53 ++-
crypto/openssl/crypto/bn/bn_rand.c | 166 ++++++--
crypto/openssl/crypto/bn/bn_shift.c | 8 +-
crypto/openssl/crypto/dsa/dsa_check.c | 46 ++-
crypto/openssl/crypto/dsa/dsa_ossl.c | 11 +-
crypto/openssl/crypto/dsa/dsa_sign.c | 9 +-
crypto/openssl/crypto/ec/build.info | 2 +-
.../openssl/crypto/ec/curve448/arch_64/f_impl64.c | 8 +-
crypto/openssl/crypto/ec/ecdsa_ossl.c | 15 +-
crypto/openssl/crypto/encode_decode/encoder_lib.c | 7 +-
crypto/openssl/crypto/engine/eng_pkey.c | 44 +--
crypto/openssl/crypto/err/openssl.ec | 4 +-
crypto/openssl/crypto/ess/ess_lib.c | 4 +-
crypto/openssl/crypto/evp/keymgmt_lib.c | 9 +-
crypto/openssl/crypto/evp/p_lib.c | 12 +-
crypto/openssl/crypto/evp/pmeth_lib.c | 69 +++-
crypto/openssl/crypto/evp/signature.c | 33 +-
crypto/openssl/crypto/init.c | 14 +-
crypto/openssl/crypto/o_str.c | 4 +-
crypto/openssl/crypto/property/property_parse.c | 3 +-
crypto/openssl/crypto/provider_core.c | 11 +-
crypto/openssl/crypto/sha/build.info | 2 +-
crypto/openssl/crypto/sm2/sm2_crypt.c | 37 +-
crypto/openssl/crypto/sm2/sm2_sign.c | 18 +-
crypto/openssl/crypto/x509/v3_addr.c | 4 +-
crypto/openssl/demos/digest/EVP_MD_demo.c | 4 +-
crypto/openssl/demos/digest/EVP_MD_stdin.c | 4 +-
crypto/openssl/doc/fingerprints.txt | 3 +
crypto/openssl/doc/internal/man3/OPTIONS.pod | 4 +-
.../doc/internal/man3/ossl_method_construct.pod | 4 +-
.../doc/internal/man3/ossl_provider_new.pod | 4 +-
.../internal/man3/ossl_random_add_conf_module.pod | 4 +-
crypto/openssl/doc/internal/man7/EVP_PKEY.pod | 4 +-
crypto/openssl/doc/man1/openssl-crl.pod.in | 5 +-
crypto/openssl/doc/man1/openssl-mac.pod.in | 17 +-
crypto/openssl/doc/man1/openssl-req.pod.in | 33 +-
crypto/openssl/doc/man1/openssl-smime.pod.in | 18 +-
crypto/openssl/doc/man1/openssl-storeutl.pod.in | 5 +-
crypto/openssl/doc/man1/openssl-ts.pod.in | 8 +-
crypto/openssl/doc/man3/DEFINE_STACK_OF.pod | 6 +-
crypto/openssl/doc/man3/EVP_DigestInit.pod | 4 +-
crypto/openssl/doc/man3/EVP_KDF.pod | 4 +-
.../openssl/doc/man3/EVP_PKEY_CTX_set_params.pod | 6 +-
crypto/openssl/doc/man3/EVP_PKEY_check.pod | 7 +-
crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod | 4 +-
crypto/openssl/doc/man3/SSL_CTX_set_cert_store.pod | 6 +-
crypto/openssl/doc/man3/SSL_CTX_set_verify.pod | 5 +-
.../openssl/doc/man3/SSL_CTX_use_certificate.pod | 5 +-
.../openssl/doc/man3/SSL_load_client_CA_file.pod | 20 +-
crypto/openssl/doc/man7/EVP_PKEY-SM2.pod | 5 +-
crypto/openssl/doc/man7/migration_guide.pod | 28 +-
crypto/openssl/e_os.h | 20 +-
crypto/openssl/engines/e_afalg.c | 6 +-
crypto/openssl/engines/e_dasync.c | 4 +-
crypto/openssl/fuzz/asn1.c | 16 +-
crypto/openssl/include/crypto/bn.h | 10 +-
crypto/openssl/include/internal/constant_time.h | 25 +-
crypto/openssl/include/openssl/sslerr.h | 4 +-
crypto/openssl/os-dep/Apple/PrivacyInfo.xcprivacy | 23 ++
crypto/openssl/providers/fips-sources.checksums | 272 ++++++-------
crypto/openssl/providers/fips.checksum | 2 +-
crypto/openssl/providers/fips/fipsprov.c | 4 +-
.../providers/implementations/exchange/kdf_exch.c | 44 ++-
.../implementations/include/prov/ciphercommon.h | 15 +-
.../openssl/providers/implementations/kdfs/hkdf.c | 10 +-
.../openssl/providers/implementations/rands/drbg.c | 5 +-
.../providers/implementations/rands/drbg_ctr.c | 7 +-
.../providers/implementations/rands/drbg_hash.c | 5 +-
.../providers/implementations/rands/drbg_hmac.c | 5 +-
.../providers/implementations/rands/drbg_local.h | 3 +-
crypto/openssl/ssl/record/rec_layer_s3.c | 15 +
crypto/openssl/ssl/record/record.h | 3 +-
crypto/openssl/ssl/record/ssl3_buffer.c | 4 +-
crypto/openssl/ssl/ssl_err.c | 6 +-
crypto/openssl/ssl/ssl_lib.c | 10 +-
crypto/openssl/ssl/ssl_sess.c | 36 +-
crypto/openssl/ssl/statem/statem_srvr.c | 9 +-
crypto/openssl/ssl/t1_lib.c | 5 +-
crypto/openssl/test/bad_dtls_test.c | 4 +-
crypto/openssl/test/build.info | 1 +
crypto/openssl/test/cmp_hdr_test.c | 51 ++-
crypto/openssl/test/ct_test.c | 11 +-
crypto/openssl/test/dsatest.c | 10 +-
crypto/openssl/test/ecdsatest.c | 30 +-
crypto/openssl/test/ecstresstest.c | 4 +-
crypto/openssl/test/evp_extra_test.c | 48 ++-
crypto/openssl/test/evp_pkey_provided_test.c | 63 ++-
crypto/openssl/test/evp_test.c | 15 +-
crypto/openssl/test/helpers/ssltestlib.c | 35 +-
crypto/openssl/test/helpers/ssltestlib.h | 3 +-
crypto/openssl/test/keymgmt_internal_test.c | 10 +-
crypto/openssl/test/pathed.cnf | 22 ++
crypto/openssl/test/pkey_meth_kdf_test.c | 55 ++-
crypto/openssl/test/prov_config_test.c | 56 ++-
.../invalid/p10240_q256_too_big.pem | 57 +++
crypto/openssl/test/recipes/25-test_req.t | 3 +-
crypto/openssl/test/recipes/30-test_prov_config.t | 8 +-
crypto/openssl/test/recipes/80-test_pkcs12.t | 14 +-
crypto/openssl/test/recipes/90-test_shlibload.t | 3 +-
crypto/openssl/test/sm2_internal_test.c | 37 +-
crypto/openssl/test/ssl-tests/14-curves.cnf.in | 7 +-
crypto/openssl/test/ssl-tests/20-cert-select.cnf | 216 +++++------
.../openssl/test/ssl-tests/20-cert-select.cnf.in | 70 ++--
crypto/openssl/test/ssl-tests/28-seclevel.cnf.in | 8 +-
crypto/openssl/test/sslapitest.c | 426 ++++++++++++++++++---
crypto/openssl/test/sslbuffertest.c | 176 ++++++++-
crypto/openssl/test/test.cnf | 6 +
crypto/openssl/test/tls-provider.c | 13 +-
crypto/openssl/test/v3ext.c | 17 +-
129 files changed, 2301 insertions(+), 764 deletions(-)
diff --git a/crypto/openssl/CHANGES.md b/crypto/openssl/CHANGES.md
index bd876eb89dd4..19e0fd6e25a5 100644
--- a/crypto/openssl/CHANGES.md
+++ b/crypto/openssl/CHANGES.md
@@ -28,6 +28,72 @@ breaking changes, and mappings for the large list of deprecated functions.
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
+### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
+
+ * Fixed potential use after free after SSL_free_buffers() is called.
+
+ The SSL_free_buffers function is used to free the internal OpenSSL
+ buffer used when processing an incoming record from the network.
+ The call is only expected to succeed if the buffer is not currently
+ in use. However, two scenarios have been identified where the buffer
+ is freed even when still in use.
+
+ The first scenario occurs where a record header has been received
+ from the network and processed by OpenSSL, but the full record body
+ has not yet arrived. In this case calling SSL_free_buffers will succeed
+ even though a record has only been partially processed and the buffer
+ is still in use.
+
+ The second scenario occurs where a full record containing application
+ data has been received and processed by OpenSSL but the application has
+ only read part of this data. Again a call to SSL_free_buffers will
+ succeed even though the buffer is still in use.
+
+ ([CVE-2024-4741])
+
+ *Matt Caswell*
+
+ * Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow.
+
+ Applications that use the functions EVP_PKEY_param_check() or
+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
+ experience long delays. Where the key or parameters that are being checked
+ have been obtained from an untrusted source this may lead to a Denial of
+ Service.
+
+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
+ reason.
+
+ ([CVE-2024-4603])
+
+ *Tomáš Mráz*
+
+ * Fixed an issue where some non-default TLS server configurations can cause
+ unbounded memory growth when processing TLSv1.3 sessions. An attacker may
+ exploit certain server configurations to trigger unbounded memory growth that
+ would lead to a Denial of Service
+
+ This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
+ is being used (but not if early_data is also configured and the default
+ anti-replay protection is in use). In this case, under certain conditions,
+ the session cache can get into an incorrect state and it will fail to flush
+ properly as it fills. The session cache will continue to grow in an unbounded
+ manner. A malicious client could deliberately create the scenario for this
+ failure to force a Denial of Service. It may also happen by accident in
+ normal operation.
+
+ ([CVE-2024-2511])
+
+ *Matt Caswell*
+
+ * New atexit configuration switch, which controls whether the OPENSSL_cleanup
+ is registered when libcrypto is unloaded. This can be used on platforms
+ where using atexit() from shared libraries causes crashes on exit.
+
+ *Randall S. Becker*
+
### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]
* A file in PKCS12 format can contain certificates and keys and may come from
@@ -19824,6 +19890,9 @@ ndif
<!-- Links -->
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
+[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
diff --git a/crypto/openssl/CONTRIBUTING.md b/crypto/openssl/CONTRIBUTING.md
index 15490fd9f620..fec6616e21fe 100644
--- a/crypto/openssl/CONTRIBUTING.md
+++ b/crypto/openssl/CONTRIBUTING.md
@@ -9,7 +9,7 @@ Development is done on GitHub in the [openssl/openssl] repository.
[openssl/openssl]: <https://github.com/openssl/openssl>
-To request new a feature, ask a question, or report a bug,
+To request a new feature, ask a question, or report a bug,
please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
To submit a patch or implement a new feature, please open a
@@ -67,7 +67,8 @@ guidelines:
often. We do not accept merge commits, you will have to remove them
(usually by rebasing) before it will be acceptable.
- 4. Code provided should follow our [coding style] and compile without warnings.
+ 4. Code provided should follow our [coding style] and [documentation policy]
+ and compile without warnings.
There is a [Perl tool](util/check-format.pl) that helps
finding code formatting mistakes and other coding style nits.
Where `gcc` or `clang` is available, you should use the
@@ -77,6 +78,7 @@ guidelines:
whenever a PR is created or updated by committers.
[coding style]: https://www.openssl.org/policies/technical/coding-style.html
+ [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
5. When at all possible, code contributions should include tests. These can
either be added to an existing test, or completely new. Please see
diff --git a/crypto/openssl/Configurations/10-main.conf b/crypto/openssl/Configurations/10-main.conf
index ff8af7146318..1155d9859c56 100644
--- a/crypto/openssl/Configurations/10-main.conf
+++ b/crypto/openssl/Configurations/10-main.conf
@@ -784,7 +784,14 @@ my %targets = (
asm_arch => 'aarch64',
perlasm_scheme => "linux64",
},
-
+ "linux-arm64ilp32-clang" => { # clang config abi by --target
+ inherit_from => [ "linux-generic32" ],
+ CC => "clang",
+ CXX => "clang++",
+ bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
+ asm_arch => 'aarch64',
+ perlasm_scheme => "linux64",
+ },
"linux-mips32" => {
# Configure script adds minimally required -march for assembly
# support, if no -march was specified at command line.
diff --git a/crypto/openssl/Configurations/15-ios.conf b/crypto/openssl/Configurations/15-ios.conf
index 54d37f63f445..81e3d68bc7f0 100644
--- a/crypto/openssl/Configurations/15-ios.conf
+++ b/crypto/openssl/Configurations/15-ios.conf
@@ -49,16 +49,16 @@ my %targets = (
#
"iphoneos-cross" => {
inherit_from => [ "ios-common" ],
- cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"),
+ cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\" -fno-common"),
},
"ios-cross" => {
inherit_from => [ "ios-xcrun" ],
CC => "cc",
- cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"),
+ cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
},
"ios64-cross" => {
inherit_from => [ "ios64-xcrun" ],
CC => "cc",
- cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK)"),
+ cflags => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
},
);
diff --git a/crypto/openssl/Configurations/unix-Makefile.tmpl b/crypto/openssl/Configurations/unix-Makefile.tmpl
index 3754595d38b5..644540397de5 100644
--- a/crypto/openssl/Configurations/unix-Makefile.tmpl
+++ b/crypto/openssl/Configurations/unix-Makefile.tmpl
@@ -21,7 +21,7 @@
sub dependmagic {
my $target = shift;
- return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target";
+ return "$target: build_generated\n\t\"\$(MAKE)\" depend && \"\$(MAKE)\" _$target\n_$target";
}
our $COLUMNS = $ENV{COLUMNS};
@@ -527,7 +527,7 @@ all: build_sw build_docs
test: tests
{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils
- $(MAKE) run_tests
+ "$(MAKE)" run_tests
run_tests: FORCE
@ : {- output_off() if $disabled{tests}; "" -}
( SRCTOP=$(SRCDIR) \
@@ -542,7 +542,7 @@ run_tests: FORCE
list-tests:
@ : {- output_off() if $disabled{tests}; "" -}
- $(MAKE) run_tests TESTS=list
+ "$(MAKE)" run_tests TESTS=list
@ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
@echo "Tests are not supported with your chosen Configure options"
@ : {- output_on() if !$disabled{tests}; "" -}
@@ -1193,12 +1193,12 @@ providers/fips.module.sources.new: configdata.pm
cd sources-tmp \
&& $$srcdir/Configure --banner=Configured enable-fips -O0 \
&& ./configdata.pm --query 'get_sources("providers/fips")' > sources1 \
- && $(MAKE) -sj 4 build_generated providers/fips.so \
+ && "$(MAKE)" -sj 4 build_generated providers/fips.so \
&& find . -name '*.d' | xargs cat > dep1 \
- && $(MAKE) distclean \
+ && "$(MAKE)" distclean \
&& $$srcdir/Configure --banner=Configured enable-fips no-asm -O0 \
&& ./configdata.pm --query 'get_sources("providers/fips")' > sources2 \
- && $(MAKE) -sj 4 build_generated providers/fips.so \
+ && "$(MAKE)" -sj 4 build_generated providers/fips.so \
&& find . -name '*.d' | xargs cat > dep2 \
&& cat sources1 sources2 \
| grep -v ' : \\$$' | grep -v util/providers.num \
@@ -1332,7 +1332,7 @@ ordinals: build_generated
$(SSLHEADERS)
test_ordinals:
- $(MAKE) run_tests TESTS=test_ordinals
+ "$(MAKE)" run_tests TESTS=test_ordinals
tags TAGS: FORCE
rm -f TAGS tags
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index 84cc4094644a..40c03ad0af32 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -1,6 +1,6 @@
#! /usr/bin/env perl
# -*- mode: perl; -*-
-# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -405,6 +405,7 @@ my @disablables = (
"asan",
"asm",
"async",
+ "atexit",
"autoalginit",
"autoerrinit",
"autoload-config",
diff --git a/crypto/openssl/INSTALL.md b/crypto/openssl/INSTALL.md
index fef408e9d1e3..c0dae491c94d 100644
--- a/crypto/openssl/INSTALL.md
+++ b/crypto/openssl/INSTALL.md
@@ -480,7 +480,7 @@ Setting the FIPS HMAC key
As part of its self-test validation, the FIPS module must verify itself
by performing a SHA-256 HMAC computation on itself. The default key is
-the SHA256 value of "the holy handgrenade of antioch" and is sufficient
+the SHA256 value of "holy hand grenade of antioch" and is sufficient
for meeting the FIPS requirements.
To change the key to a different value, use this flag. The value should
@@ -546,6 +546,13 @@ be used even with this option.
Do not build support for async operations.
+### no-atexit
+
+Do not use `atexit()` in libcrypto builds.
+
+`atexit()` has varied semantics between platforms and can cause SIGSEGV in some
+circumstances. This option disables the atexit registration of OPENSSL_cleanup.
+
### no-autoalginit
Don't automatically load all supported ciphers and digests.
diff --git a/crypto/openssl/NEWS.md b/crypto/openssl/NEWS.md
index d9a48b157eb1..fb231bcd8459 100644
--- a/crypto/openssl/NEWS.md
+++ b/crypto/openssl/NEWS.md
@@ -18,6 +18,18 @@ OpenSSL Releases
OpenSSL 3.0
-----------
+### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
+
+ * Fixed potential use after free after SSL_free_buffers() is called
+ ([CVE-2024-4741])
+
+ * Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow
+ ([CVE-2024-4603])
+
+ * Fixed unbounded memory growth with session handling in TLSv1.3
+ ([CVE-2024-2511])
+
### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
* Fixed PKCS12 Decoding crashes
@@ -1470,6 +1482,9 @@ OpenSSL 0.9.x
<!-- Links -->
+[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
+[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
diff --git a/crypto/openssl/NOTES-NONSTOP.md b/crypto/openssl/NOTES-NONSTOP.md
index 68438b998884..ab13de7d3a76 100644
--- a/crypto/openssl/NOTES-NONSTOP.md
+++ b/crypto/openssl/NOTES-NONSTOP.md
@@ -56,7 +56,10 @@ relating to `atexit()` processing when a shared library is unloaded and when
the program terminates. This limitation applies to all OpenSSL shared library
components.
-A resolution to this situation is under investigation.
+It is possible to configure the build with `no-atexit` to avoid the SIGSEGV.
+Preferably, you can explicitly call `OPENSSL_cleanup()` from your application.
+It is not mandatory as it just deallocates various global data structures
+OpenSSL allocated.
About Prefix and OpenSSLDir
---------------------------
diff --git a/crypto/openssl/VERSION.dat b/crypto/openssl/VERSION.dat
index 3ee1a6f829f4..5de9bf3d01ba 100644
--- a/crypto/openssl/VERSION.dat
+++ b/crypto/openssl/VERSION.dat
@@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
-PATCH=13
+PATCH=14
PRE_RELEASE_TAG=
BUILD_METADATA=
-RELEASE_DATE="30 Jan 2024"
+RELEASE_DATE="4 Jun 2024"
SHLIB_VERSION=3
diff --git a/crypto/openssl/apps/lib/s_cb.c b/crypto/openssl/apps/lib/s_cb.c
index f2ddd94c3de4..7881c1667626 100644
--- a/crypto/openssl/apps/lib/s_cb.c
+++ b/crypto/openssl/apps/lib/s_cb.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1318,7 +1318,8 @@ int ssl_load_stores(SSL_CTX *ctx,
if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore))
goto err;
add_crls_store(vfy, crls);
- SSL_CTX_set1_verify_cert_store(ctx, vfy);
+ if (SSL_CTX_set1_verify_cert_store(ctx, vfy) == 0)
+ goto err;
if (crl_download)
store_setup_crl_download(vfy);
}
@@ -1332,7 +1333,8 @@ int ssl_load_stores(SSL_CTX *ctx,
goto err;
if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore))
goto err;
- SSL_CTX_set1_chain_cert_store(ctx, ch);
+ if (SSL_CTX_set1_chain_cert_store(ctx, ch) == 0)
+ goto err;
}
rv = 1;
err:
diff --git a/crypto/openssl/apps/list.c b/crypto/openssl/apps/list.c
index 0fcbcbb083cb..7d3136a8a161 100644
--- a/crypto/openssl/apps/list.c
+++ b/crypto/openssl/apps/list.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1230,6 +1230,7 @@ static void list_provider_info(void)
}
if (OSSL_PROVIDER_do_all(NULL, &collect_providers, providers) != 1) {
+ sk_OSSL_PROVIDER_free(providers);
BIO_printf(bio_err, "ERROR: Memory allocation\n");
return;
}
diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c
index 821e224c6ce4..fb3105da5526 100644
--- a/crypto/openssl/apps/ocsp.c
+++ b/crypto/openssl/apps/ocsp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,7 +11,7 @@
#ifdef OPENSSL_SYS_VMS
/* So fd_set and friends get properly defined on OpenVMS */
-# define _XOPEN_SOURCE_EXTENDED
+# define _XOPEN_SOURCE_EXTENDED 1
#endif
#include <stdio.h>
diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c
index b442d358f8b7..ab78903ee9cd 100644
--- a/crypto/openssl/apps/pkcs12.c
+++ b/crypto/openssl/apps/pkcs12.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -712,9 +712,6 @@ int pkcs12_main(int argc, char **argv)
in = bio_open_default(infile, 'r', FORMAT_PKCS12);
if (in == NULL)
goto end;
- out = bio_open_owner(outfile, FORMAT_PEM, private);
- if (out == NULL)
- goto end;
p12 = PKCS12_init_ex(NID_pkcs7_data, app_get0_libctx(), app_get0_propq());
if (p12 == NULL) {
@@ -814,6 +811,11 @@ int pkcs12_main(int argc, char **argv)
dump:
assert(private);
+
+ out = bio_open_owner(outfile, FORMAT_PEM, private);
+ if (out == NULL)
+ goto end;
+
if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) {
BIO_printf(bio_err, "Error outputting keys and certificates\n");
ERR_print_errors(bio_err);
@@ -855,7 +857,11 @@ int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
} else if (bagnid == NID_pkcs7_encrypted) {
if (options & INFO) {
BIO_printf(bio_err, "PKCS7 Encrypted data: ");
- alg_print(p7->d.encrypted->enc_data->algorithm);
+ if (p7->d.encrypted == NULL) {
+ BIO_printf(bio_err, "<no data>\n");
+ } else {
+ alg_print(p7->d.encrypted->enc_data->algorithm);
+ }
}
bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
} else {
diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c
index c7d4c7822cda..2fc53d4bfcfa 100644
--- a/crypto/openssl/apps/req.c
+++ b/crypto/openssl/apps/req.c
@@ -569,7 +569,7 @@ int req_main(int argc, char **argv)
X509V3_CTX ctx;
X509V3_set_ctx_test(&ctx);
- X509V3_set_nconf(&ctx, addext_conf);
+ X509V3_set_nconf(&ctx, req_conf);
if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
BIO_printf(bio_err, "Error checking extensions defined using -addext\n");
goto end;
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index 1113d775b8ab..d8e2c70e6128 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -727,8 +727,12 @@ static int EVP_Update_loop(void *args)
unsigned char *buf = tempargs->buf;
EVP_CIPHER_CTX *ctx = tempargs->ctx;
int outl, count, rc;
+ unsigned char faketag[16] = { 0xcc };
if (decrypt) {
+ if (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) {
+ (void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(faketag), faketag);
+ }
for (count = 0; COND(c[D_EVP][testnum]); count++) {
rc = EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]);
if (rc != 1) {
diff --git a/crypto/openssl/apps/ts.c b/crypto/openssl/apps/ts.c
index 57292e187cd2..01b73f380428 100644
--- a/crypto/openssl/apps/ts.c
+++ b/crypto/openssl/apps/ts.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -535,15 +535,18 @@ static int create_digest(BIO *input, const char *digest, const EVP_MD *md,
*md_value = OPENSSL_hexstr2buf(digest, &digest_len);
if (*md_value == NULL || md_value_len != digest_len) {
- OPENSSL_free(*md_value);
- *md_value = NULL;
BIO_printf(bio_err, "bad digest, %d bytes "
"must be specified\n", md_value_len);
- return 0;
+ goto err;
}
}
rv = md_value_len;
err:
+ if (rv <= 0) {
+ OPENSSL_free(*md_value);
+ *md_value = NULL;
+ rv = 0;
+ }
EVP_MD_CTX_free(md_ctx);
return rv;
}
diff --git a/crypto/openssl/crypto/aes/build.info b/crypto/openssl/crypto/aes/build.info
index b250903fa6e2..271015e35e1b 100644
--- a/crypto/openssl/crypto/aes/build.info
+++ b/crypto/openssl/crypto/aes/build.info
@@ -76,7 +76,7 @@ DEFINE[../../providers/libdefault.a]=$AESDEF
# already gets everything that the static libcrypto.a has, and doesn't need it
# added again.
IF[{- !$disabled{module} && !$disabled{shared} -}]
- DEFINE[../providers/liblegacy.a]=$AESDEF
+ DEFINE[../../providers/liblegacy.a]=$AESDEF
ENDIF
GENERATE[aes-ia64.s]=asm/aes-ia64.S
diff --git a/crypto/openssl/crypto/bio/bio_lib.c b/crypto/openssl/crypto/bio/bio_lib.c
index c86b9ac198ca..245a75afa1b8 100644
--- a/crypto/openssl/crypto/bio/bio_lib.c
+++ b/crypto/openssl/crypto/bio/bio_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -869,8 +869,12 @@ static int bio_wait(BIO *bio, time_t max_time, unsigned int nap_milliseconds)
return 1;
#ifndef OPENSSL_NO_SOCK
- if (BIO_get_fd(bio, &fd) > 0 && fd < FD_SETSIZE)
- return BIO_socket_wait(fd, BIO_should_read(bio), max_time);
+ if (BIO_get_fd(bio, &fd) > 0) {
+ int ret = BIO_socket_wait(fd, BIO_should_read(bio), max_time);
+
+ if (ret != -1)
+ return ret;
+ }
#endif
/* fall back to polling since no sockets are available */
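Review bot: The new `if (ret != -1) return ret;` makes bio_wait fall through to the polling loop on every -1 from BIO_socket_wait, not just the out-of-range fd case this change targets; if BIO_socket_wait still hands back select()'s own return value (its body continues past the bio_sock.c hunk in this commit, which only adds the fd validity check), a genuine select() error on a usable socket is now silently converted into polling instead of being reported. The existing comment `/* fall back to polling since no sockets are available */` no longer matches the condition it sits under. If the broader fallback is intended, reword it to something like `/* fall back to polling: no socket fd, the fd cannot be used with select(), or select() itself failed */`; otherwise the fd-range check and the select() failure should stay distinguishable. bio_wait begins outside the hunk.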
diff --git a/crypto/openssl/crypto/bio/bio_sock.c b/crypto/openssl/crypto/bio/bio_sock.c
index 476cbcc5cef1..12e6a68e3a25 100644
--- a/crypto/openssl/crypto/bio/bio_sock.c
+++ b/crypto/openssl/crypto/bio/bio_sock.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -396,7 +396,11 @@ int BIO_socket_wait(int fd, int for_read, time_t max_time)
struct timeval tv;
time_t now;
+#ifdef _WIN32
+ if ((SOCKET)fd == INVALID_SOCKET)
+#else
if (fd < 0 || fd >= FD_SETSIZE)
+#endif
return -1;
if (max_time == 0)
return 1;
diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c
index cf1bfe8ab085..9677a603cb2d 100644
--- a/crypto/openssl/crypto/bn/bn_lib.c
+++ b/crypto/openssl/crypto/bn/bn_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -618,14 +618,29 @@ int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
int i;
BN_ULONG t1, t2, *ap, *bp;
+ ap = a->d;
+ bp = b->d;
+
+ if (BN_get_flags(a, BN_FLG_CONSTTIME)
+ && a->top == b->top) {
+ int res = 0;
+
+ for (i = 0; i < b->top; i++) {
+ res = constant_time_select_int(constant_time_lt_bn(ap[i], bp[i]),
+ -1, res);
+ res = constant_time_select_int(constant_time_lt_bn(bp[i], ap[i]),
+ 1, res);
+ }
+ return res;
+ }
+
bn_check_top(a);
bn_check_top(b);
i = a->top - b->top;
if (i != 0)
return i;
- ap = a->d;
- bp = b->d;
+
for (i = a->top - 1; i >= 0; i--) {
t1 = ap[i];
t2 = bp[i];
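Review bot: The constant-time branch of BN_ucmp is only entered when `a` carries BN_FLG_CONSTTIME and `a->top == b->top`; otherwise the call silently drops into the variable-time compare below, and `b`'s flag is never consulted. Since callers that need timing independence (the fixed-top rejection-sampling loop added in bn_rand.c in this commit) must arrange equal word counts before calling, that precondition deserves a comment at the branch, e.g. `/* Constant-time path: requires operands of equal word count (fixed-top callers mask to the range's width); bn_check_top is skipped because fixed-top values are not normalised. */`. It would also help to note that the loop runs from the least significant word upward so that a later, more significant word overrides `res`, which is why the two selects per iteration are order-dependent. BN_ucmp's body continues past the hunk.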
@@ -737,11 +752,10 @@ int BN_is_bit_set(const BIGNUM *a, int n)
return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
}
-int BN_mask_bits(BIGNUM *a, int n)
+int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n)
{
int b, w;
- bn_check_top(a);
if (n < 0)
return 0;
@@ -755,10 +769,21 @@ int BN_mask_bits(BIGNUM *a, int n)
a->top = w + 1;
a->d[w] &= ~(BN_MASK2 << b);
}
- bn_correct_top(a);
+ a->flags |= BN_FLG_FIXED_TOP;
return 1;
}
+int BN_mask_bits(BIGNUM *a, int n)
+{
+ int ret;
+
+ bn_check_top(a);
+ ret = ossl_bn_mask_bits_fixed_top(a, n);
+ if (ret)
+ bn_correct_top(a);
+ return ret;
+}
+
void BN_set_negative(BIGNUM *a, int b)
{
if (b && !BN_is_zero(a))
@@ -935,6 +960,22 @@ int BN_is_word(const BIGNUM *a, const BN_ULONG w)
return BN_abs_is_word(a, w) && (!w || !a->neg);
}
+int ossl_bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w)
+{
+ int res, i;
+ const BN_ULONG *ap = a->d;
+
+ if (a->neg || a->top == 0)
+ return 0;
+
+ res = constant_time_select_int(constant_time_eq_bn(ap[0], w), 1, 0);
+
+ for (i = 1; i < a->top; i++)
+ res = constant_time_select_int(constant_time_is_zero_bn(ap[i]),
+ res, 0);
+ return res;
+}
+
int BN_is_odd(const BIGNUM *a)
{
return (a->top > 0) && (a->d[0] & 1);
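Review bot: `ossl_bn_is_word_fixed_top` returns 0 whenever `a->top == 0`, including for `w == 0`, whereas BN_is_word directly above goes through BN_abs_is_word and presumably reports a zero-length BIGNUM as equal to 0; the new helper's contract should state that divergence so nobody uses it as a zero test on a normalised (top-corrected) value. Suggested header comment: `/* Constant-time variant of BN_is_word for fixed-top values. Assumes a has at least one word: a->top == 0 compares unequal to every w, including 0. */`. The first line still branches on `a->neg` and `a->top`, which is acceptable only if those fields are public (true for fixed-top outputs whose word count is fixed by the range's bit length) and is worth saying in the same comment.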
diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c
index 2ca426ff76ed..ba0970b1f87d 100644
--- a/crypto/openssl/crypto/bn/bn_rand.c
+++ b/crypto/openssl/crypto/bn/bn_rand.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -186,8 +186,8 @@ static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range,
} else {
do {
/* range = 11..._2 or range = 101..._2 */
- if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0,
- ctx))
+ if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY,
+ strength, ctx))
return 0;
if (!--count) {
@@ -240,17 +240,63 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
# endif
#endif
+int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range,
+ unsigned int strength, BN_CTX *ctx)
+{
+ int n;
+ int count = 100;
+
+ if (r == NULL) {
+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+
+ if (range->neg || BN_is_zero(range)) {
+ ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE);
+ return 0;
+ }
+
+ n = BN_num_bits(range); /* n > 0 */
+
+ /* BN_is_bit_set(range, n - 1) always holds */
+
+ if (n == 1) {
+ BN_zero(r);
+ } else {
+ BN_set_flags(r, BN_FLG_CONSTTIME);
+ do {
+ if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY,
+ strength, ctx))
+ return 0;
+
+ if (!--count) {
+ ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS);
+ return 0;
+ }
+ ossl_bn_mask_bits_fixed_top(r, n);
+ }
+ while (BN_ucmp(r, range) >= 0);
+#ifdef BN_DEBUG
+ /* With BN_DEBUG on a fixed top number cannot be returned */
+ bn_correct_top(r);
+#endif
+ }
+
+ return 1;
+}
+
/*
- * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
- * BN_rand_range, it also includes the contents of |priv| and |message| in
- * the generation so that an RNG failure isn't fatal as long as |priv|
+ * ossl_bn_gen_dsa_nonce_fixed_top generates a random number 0 <= out < range.
+ * Unlike BN_rand_range, it also includes the contents of |priv| and |message|
+ * in the generation so that an RNG failure isn't fatal as long as |priv|
* remains secret. This is intended for use in DSA and ECDSA where an RNG
* weakness leads directly to private key exposure unless this function is
* used.
*/
-int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
- const BIGNUM *priv, const unsigned char *message,
- size_t message_len, BN_CTX *ctx)
+int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
+ const BIGNUM *priv,
+ const unsigned char *message,
+ size_t message_len, BN_CTX *ctx)
{
EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
/*
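Review bot: The return value of `ossl_bn_mask_bits_fixed_top(r, n);` inside the rejection loop of ossl_bn_priv_rand_range_fixed_top is discarded, while the bnrand call right above it is checked. As far as I can see the call cannot fail here — n > 0, and r was just generated with n + 1 bits and BN_RAND_TOP_ONE, so word index n / BN_BITS2 lies below r->top — but that reasoning is not written down, and a later change to the bnrand arguments would silently turn the masking into a no-op and break the `BN_ucmp(r, range) >= 0` rejection. I would either state it with `/* cannot fail: r has n + 1 bits, so word n / BN_BITS2 is within r->top */` or check it like the other calls: `if (!ossl_bn_mask_bits_fixed_top(r, n)) return 0;`. ossl_bn_gen_dsa_nonce_fixed_top, whose signature closes this hunk, continues outside it.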
@@ -260,20 +306,24 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
unsigned char random_bytes[64];
unsigned char digest[SHA512_DIGEST_LENGTH];
unsigned done, todo;
- /* We generate |range|+8 bytes of random output. */
- const unsigned num_k_bytes = BN_num_bytes(range) + 8;
+ /* We generate |range|+1 bytes of random output. */
+ const unsigned num_k_bytes = BN_num_bytes(range) + 1;
unsigned char private_bytes[96];
unsigned char *k_bytes = NULL;
+ const int max_n = 64; /* Pr(failure to generate) < 2^max_n */
+ int n;
int ret = 0;
EVP_MD *md = NULL;
OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx);
if (mdctx == NULL)
- goto err;
+ goto end;
k_bytes = OPENSSL_malloc(num_k_bytes);
if (k_bytes == NULL)
- goto err;
+ goto end;
+ /* Ensure top byte is set to avoid non-constant time in bin2bn */
+ k_bytes[0] = 0xff;
/* We copy |priv| into a local buffer to avoid exposing its length. */
if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
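Review bot: The comment `/* We generate |range|+1 bytes of random output. */` no longer matches the code: num_k_bytes is BN_num_bytes(range) + 1, but the first byte is immediately fixed by `k_bytes[0] = 0xff;`, so only |range| bytes are derived output and the lead byte exists, per the comment beside it, to keep bin2bn's timing independent of the value. I would rewrite it as `/* k_bytes is a fixed 0xff lead byte followed by |range| bytes of derived output; the lead byte keeps the top word of the result non-zero so bin2bn runs in constant time. */`. This assumes the fill loop in the following hunk starts at offset 1 and never overwrites k_bytes[0]; that loop is outside this hunk, so please confirm. The function body continues past the hunk.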
@@ -283,41 +333,60 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
* length of the private key.
*/
ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE);
- goto err;
+ goto end;
}
md = EVP_MD_fetch(libctx, "SHA512", NULL);
if (md == NULL) {
ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST);
- goto err;
- }
- for (done = 0; done < num_k_bytes;) {
- if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0) <= 0)
- goto err;
-
- if (!EVP_DigestInit_ex(mdctx, md, NULL)
- || !EVP_DigestUpdate(mdctx, &done, sizeof(done))
- || !EVP_DigestUpdate(mdctx, private_bytes,
- sizeof(private_bytes))
- || !EVP_DigestUpdate(mdctx, message, message_len)
- || !EVP_DigestUpdate(mdctx, random_bytes, sizeof(random_bytes))
- || !EVP_DigestFinal_ex(mdctx, digest, NULL))
- goto err;
-
- todo = num_k_bytes - done;
- if (todo > SHA512_DIGEST_LENGTH)
- todo = SHA512_DIGEST_LENGTH;
- memcpy(k_bytes + done, digest, todo);
- done += todo;
+ goto end;
}
+ for (n = 0; n < max_n; n++) {
+ unsigned char i = 0;
*** 5529 LINES SKIPPED ***