git: dc10d09c4921 - stable/12 - OpenSSL: Merge OpenSSL 1.1.1m
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 14 Dec 2021 23:20:51 UTC
The branch stable/12 has been updated by jkim:
URL: https://cgit.FreeBSD.org/src/commit/?id=dc10d09c49219fe71d2a8df2048a16270367f2f6
commit dc10d09c49219fe71d2a8df2048a16270367f2f6
Author: Jung-uk Kim <jkim@FreeBSD.org>
AuthorDate: 2021-12-14 19:04:30 +0000
Commit: Jung-uk Kim <jkim@FreeBSD.org>
CommitDate: 2021-12-14 22:58:32 +0000
OpenSSL: Merge OpenSSL 1.1.1m
(cherry picked from commit b2bf0c7e5f4037d63458def91a026592468afd2f)
---
crypto/openssl/CHANGES | 20 +++++
crypto/openssl/Configure | 3 +
crypto/openssl/NEWS | 4 +
crypto/openssl/README | 2 +-
crypto/openssl/apps/ciphers.c | 3 +-
crypto/openssl/apps/dgst.c | 6 +-
crypto/openssl/apps/s_cb.c | 4 +-
crypto/openssl/apps/s_client.c | 4 +-
crypto/openssl/apps/s_server.c | 10 +--
crypto/openssl/apps/speed.c | 10 ++-
crypto/openssl/crypto/asn1/a_print.c | 9 ++-
crypto/openssl/crypto/asn1/asn1_lib.c | 11 ++-
crypto/openssl/crypto/bio/bss_dgram.c | 6 +-
crypto/openssl/crypto/bio/bss_mem.c | 4 +-
crypto/openssl/crypto/bn/asm/mips.pl | 6 +-
crypto/openssl/crypto/cms/cms_env.c | 3 +-
crypto/openssl/crypto/dh/dh_ameth.c | 13 ++--
crypto/openssl/crypto/ec/curve448/field.h | 4 +-
crypto/openssl/crypto/ec/ec_asn1.c | 2 +-
crypto/openssl/crypto/ec/ec_curve.c | 29 ++++++-
crypto/openssl/crypto/engine/eng_dyn.c | 6 +-
crypto/openssl/crypto/engine/eng_lib.c | 4 +-
crypto/openssl/crypto/engine/eng_list.c | 89 +++++++++++++++++++++-
crypto/openssl/crypto/engine/eng_local.h | 11 ++-
crypto/openssl/crypto/err/err.c | 3 +-
crypto/openssl/crypto/evp/evp_enc.c | 12 +--
crypto/openssl/crypto/evp/p_lib.c | 13 +++-
crypto/openssl/crypto/objects/o_names.c | 16 ++--
crypto/openssl/crypto/pem/pem_lib.c | 25 +++---
crypto/openssl/crypto/rand/rand_unix.c | 2 +-
crypto/openssl/crypto/ts/ts_verify_ctx.c | 1 +
crypto/openssl/crypto/uid.c | 2 +-
crypto/openssl/crypto/x509/x509_vfy.c | 62 ++++++++-------
crypto/openssl/crypto/x509/x_name.c | 6 +-
crypto/openssl/crypto/x509v3/v3_ncons.c | 3 +
crypto/openssl/doc/man1/passwd.pod | 4 +-
crypto/openssl/doc/man1/pkeyutl.pod | 10 +++
crypto/openssl/doc/man3/BIO_f_ssl.pod | 17 ++---
crypto/openssl/doc/man3/BIO_push.pod | 53 +++++++------
crypto/openssl/doc/man3/BN_rand.pod | 4 +-
crypto/openssl/doc/man3/ENGINE_add.pod | 7 +-
crypto/openssl/doc/man3/ERR_load_strings.pod | 6 +-
crypto/openssl/doc/man3/EVP_EncryptInit.pod | 16 ++--
crypto/openssl/doc/man3/OBJ_nid2obj.pod | 30 ++++----
.../openssl/doc/man3/SSL_CTX_set_num_tickets.pod | 10 +--
.../doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 4 +-
crypto/openssl/doc/man3/SSL_get_session.pod | 9 ++-
crypto/openssl/doc/man3/SSL_set_fd.pod | 13 +++-
crypto/openssl/doc/man3/d2i_X509.pod | 6 +-
crypto/openssl/doc/man7/ossl_store.pod | 4 +-
crypto/openssl/engines/e_afalg.c | 9 +--
crypto/openssl/engines/e_dasync.c | 30 +++++++-
crypto/openssl/include/crypto/rand.h | 12 ++-
crypto/openssl/include/openssl/ec.h | 17 +++--
crypto/openssl/include/openssl/opensslv.h | 4 +-
crypto/openssl/ssl/bio_ssl.c | 7 +-
crypto/openssl/ssl/record/ssl3_record.c | 2 +-
crypto/openssl/ssl/s3_cbc.c | 4 +-
crypto/openssl/ssl/ssl_asn1.c | 4 +-
crypto/openssl/ssl/ssl_ciph.c | 3 +-
crypto/openssl/ssl/ssl_lib.c | 2 +
crypto/openssl/ssl/ssl_local.h | 2 +-
crypto/openssl/ssl/statem/README | 2 +-
crypto/openssl/ssl/statem/extensions_clnt.c | 5 +-
crypto/openssl/ssl/statem/extensions_cust.c | 13 ++--
crypto/openssl/ssl/statem/statem_lib.c | 4 +-
66 files changed, 502 insertions(+), 219 deletions(-)
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index 824f421b8d33..9d58cb0c58d9 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -7,6 +7,26 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
+
+ *) Avoid loading of a dynamic engine twice.
+
+ [Bernd Edlinger]
+
+ *) Fixed building on Debian with kfreebsd kernels
+
+ [Mattias Ellert]
+
+ *) Prioritise DANE TLSA issuer certs over peer certs
+
+ [Viktor Dukhovni]
+
+ *) Fixed random API for MacOS prior to 10.12
+
+ These MacOS versions don't support the CommonCrypto APIs
+
+ [Lenny Primak]
+
Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
*) Fixed an SM2 Decryption Buffer Overflow.
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index b286dd0678bb..faf57b155a1c 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -1304,16 +1304,19 @@ if ($disabled{"dynamic-engine"}) {
unless ($disabled{asan}) {
push @{$config{cflags}}, "-fsanitize=address";
+ push @{$config{cxxflags}}, "-fsanitize=address" if $config{CXX};
}
unless ($disabled{ubsan}) {
# -DPEDANTIC or -fnosanitize=alignment may also be required on some
# platforms.
push @{$config{cflags}}, "-fsanitize=undefined", "-fno-sanitize-recover=all";
+ push @{$config{cxxflags}}, "-fsanitize=undefined", "-fno-sanitize-recover=all" if $config{CXX};
}
unless ($disabled{msan}) {
push @{$config{cflags}}, "-fsanitize=memory";
+ push @{$config{cxxflags}}, "-fsanitize=memory" if $config{CXX};
}
unless ($disabled{"fuzz-libfuzzer"} && $disabled{"fuzz-afl"}
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index 5a1207c66ed4..0769464fefa2 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
+
+ o None
+
Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
o Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711)
diff --git a/crypto/openssl/README b/crypto/openssl/README
index 7dc4e6790c34..50345c3c28eb 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1l 24 Aug 2021
+ OpenSSL 1.1.1m 14 Dec 2021
Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/openssl/apps/ciphers.c b/crypto/openssl/apps/ciphers.c
index 0bb33a4aca4b..aade3fbf5671 100644
--- a/crypto/openssl/apps/ciphers.c
+++ b/crypto/openssl/apps/ciphers.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -172,6 +172,7 @@ int ciphers_main(int argc, char **argv)
if (convert != NULL) {
BIO_printf(bio_out, "OpenSSL cipher name: %s\n",
OPENSSL_cipher_name(convert));
+ ret = 0;
goto end;
}
diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c
index e595f7d8186f..f9b184be4cc1 100644
--- a/crypto/openssl/apps/dgst.c
+++ b/crypto/openssl/apps/dgst.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -316,7 +316,7 @@ int dgst_main(int argc, char **argv)
EVP_MD_CTX *mctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
int r;
- if (!BIO_get_md_ctx(bmd, &mctx)) {
+ if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
BIO_printf(bio_err, "Error getting context\n");
ERR_print_errors(bio_err);
goto end;
@@ -345,7 +345,7 @@ int dgst_main(int argc, char **argv)
/* we use md as a filter, reading from 'in' */
else {
EVP_MD_CTX *mctx = NULL;
- if (!BIO_get_md_ctx(bmd, &mctx)) {
+ if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
BIO_printf(bio_err, "Error getting context\n");
ERR_print_errors(bio_err);
goto end;
diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c
index dee1b2e5b4f6..d066a423dee8 100644
--- a/crypto/openssl/apps/s_cb.c
+++ b/crypto/openssl/apps/s_cb.c
@@ -819,7 +819,9 @@ int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
{
unsigned int temp;
int res = generate_cookie_callback(ssl, cookie, &temp);
- *cookie_len = temp;
+
+ if (res != 0)
+ *cookie_len = temp;
return res;
}
diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
index 83b3fc9c7f13..121cd1444fe6 100644
--- a/crypto/openssl/apps/s_client.c
+++ b/crypto/openssl/apps/s_client.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -3151,6 +3151,8 @@ int s_client_main(int argc, char **argv)
#endif
OPENSSL_free(connectstr);
OPENSSL_free(bindstr);
+ OPENSSL_free(bindhost);
+ OPENSSL_free(bindport);
OPENSSL_free(host);
OPENSSL_free(port);
X509_VERIFY_PARAM_free(vpm);
diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c
index 938e244222d8..64d53e68d0ee 100644
--- a/crypto/openssl/apps/s_server.c
+++ b/crypto/openssl/apps/s_server.c
@@ -134,12 +134,12 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
if (s_debug)
BIO_printf(bio_s_out, "psk_server_cb\n");
- if (SSL_version(ssl) >= TLS1_3_VERSION) {
+ if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) {
/*
- * This callback is designed for use in TLSv1.2. It is possible to use
- * a single callback for all protocol versions - but it is preferred to
- * use a dedicated callback for TLSv1.3. For TLSv1.3 we have
- * psk_find_session_cb.
+ * This callback is designed for use in (D)TLSv1.2 (or below). It is
+ * possible to use a single callback for all protocol versions - but it
+ * is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we
+ * have psk_find_session_cb.
*/
return 0;
}
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index d4ae7ab7bfde..89bf18480fa1 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -1590,6 +1590,10 @@ int speed_main(int argc, char **argv)
case OPT_MULTI:
#ifndef NO_FORK
multi = atoi(opt_arg());
+ if (multi >= INT_MAX / (int)sizeof(int)) {
+ BIO_printf(bio_err, "%s: multi argument too large\n", prog);
+ return 0;
+ }
#endif
break;
case OPT_ASYNCJOBS:
@@ -3490,7 +3494,7 @@ static int do_multi(int multi, int size_num)
close(fd[1]);
mr = 1;
usertime = 0;
- free(fds);
+ OPENSSL_free(fds);
return 0;
}
printf("Forked child %d\n", n);
@@ -3603,7 +3607,7 @@ static int do_multi(int multi, int size_num)
fclose(f);
}
- free(fds);
+ OPENSSL_free(fds);
return 1;
}
#endif
diff --git a/crypto/openssl/crypto/asn1/a_print.c b/crypto/openssl/crypto/asn1/a_print.c
index 85a631a27aa7..3790e82bb13a 100644
--- a/crypto/openssl/crypto/asn1/a_print.c
+++ b/crypto/openssl/crypto/asn1/a_print.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -18,12 +18,13 @@ int ASN1_PRINTABLE_type(const unsigned char *s, int len)
int ia5 = 0;
int t61 = 0;
- if (len <= 0)
- len = -1;
if (s == NULL)
return V_ASN1_PRINTABLESTRING;
- while ((*s) && (len-- != 0)) {
+ if (len < 0)
+ len = strlen((const char *)s);
+
+ while (len-- > 0) {
c = *(s++);
if (!ossl_isasn1print(c))
ia5 = 1;
diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c
index 3d99d1383d42..b9b7ad8e9e02 100644
--- a/crypto/openssl/crypto/asn1/asn1_lib.c
+++ b/crypto/openssl/crypto/asn1/asn1_lib.c
@@ -294,7 +294,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
c = str->data;
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* No NUL terminator in fuzzing builds */
- str->data = OPENSSL_realloc(c, len);
+ str->data = OPENSSL_realloc(c, len != 0 ? len : 1);
#else
str->data = OPENSSL_realloc(c, len + 1);
#endif
@@ -307,7 +307,11 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
str->length = len;
if (data != NULL) {
memcpy(str->data, data, len);
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ /* Set the unused byte to something non NUL and printable. */
+ if (len == 0)
+ str->data[len] = '~';
+#else
/*
* Add a NUL terminator. This should not be necessary - but we add it as
* a safety precaution
@@ -375,7 +379,8 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
i = (a->length - b->length);
if (i == 0) {
- i = memcmp(a->data, b->data, a->length);
+ if (a->length != 0)
+ i = memcmp(a->data, b->data, a->length);
if (i == 0)
return a->type - b->type;
else
diff --git a/crypto/openssl/crypto/bio/bss_dgram.c b/crypto/openssl/crypto/bio/bss_dgram.c
index 942fd8b514be..c87ba4d26508 100644
--- a/crypto/openssl/crypto/bio/bss_dgram.c
+++ b/crypto/openssl/crypto/bio/bss_dgram.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -7,6 +7,10 @@
* https://www.openssl.org/source/license.html
*/
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE
+#endif
+
#include <stdio.h>
#include <errno.h>
diff --git a/crypto/openssl/crypto/bio/bss_mem.c b/crypto/openssl/crypto/bio/bss_mem.c
index 7cb4a57813fd..2420b26553e0 100644
--- a/crypto/openssl/crypto/bio/bss_mem.c
+++ b/crypto/openssl/crypto/bio/bss_mem.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -280,7 +280,7 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
ret = (long)bm->length;
if (ptr != NULL) {
pptr = (char **)ptr;
- *pptr = (char *)&(bm->data[0]);
+ *pptr = (char *)bm->data;
}
break;
case BIO_C_SET_BUF_MEM:
diff --git a/crypto/openssl/crypto/bn/asm/mips.pl b/crypto/openssl/crypto/bn/asm/mips.pl
index 8ad715bda4d4..76fe82334f88 100755
--- a/crypto/openssl/crypto/bn/asm/mips.pl
+++ b/crypto/openssl/crypto/bn/asm/mips.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1984,6 +1984,8 @@ $code.=<<___;
sltu $at,$c_2,$t_1
$ADDU $c_3,$t_2,$at
$ST $c_2,$BNSZ($a0)
+ sltu $at,$c_3,$t_2
+ $ADDU $c_1,$at
mflo ($t_1,$a_2,$a_0)
mfhi ($t_2,$a_2,$a_0)
___
@@ -2194,6 +2196,8 @@ $code.=<<___;
sltu $at,$c_2,$t_1
$ADDU $c_3,$t_2,$at
$ST $c_2,$BNSZ($a0)
+ sltu $at,$c_3,$t_2
+ $ADDU $c_1,$at
mflo ($t_1,$a_2,$a_0)
mfhi ($t_2,$a_2,$a_0)
___
diff --git a/crypto/openssl/crypto/cms/cms_env.c b/crypto/openssl/crypto/cms/cms_env.c
index 04940146fd25..962a0137542a 100644
--- a/crypto/openssl/crypto/cms/cms_env.c
+++ b/crypto/openssl/crypto/cms/cms_env.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -737,6 +737,7 @@ static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms,
goto err;
}
+ OPENSSL_clear_free(ec->key, ec->keylen);
ec->key = ukey;
ec->keylen = ukeylen;
diff --git a/crypto/openssl/crypto/dh/dh_ameth.c b/crypto/openssl/crypto/dh/dh_ameth.c
index d53004080d5e..576409ccb51b 100644
--- a/crypto/openssl/crypto/dh/dh_ameth.c
+++ b/crypto/openssl/crypto/dh/dh_ameth.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -629,16 +629,18 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
goto err;
pk = EVP_PKEY_CTX_get0_pkey(pctx);
- if (!pk)
- goto err;
- if (pk->type != EVP_PKEY_DHX)
+ if (pk == NULL || pk->type != EVP_PKEY_DHX)
goto err;
+
/* Get parameters from parent key */
dhpeer = DHparams_dup(pk->pkey.dh);
+ if (dhpeer == NULL)
+ goto err;
+
/* We have parameters now set public key */
plen = ASN1_STRING_length(pubkey);
p = ASN1_STRING_get0_data(pubkey);
- if (!p || !plen)
+ if (p == NULL || plen == 0)
goto err;
if ((public_key = d2i_ASN1_INTEGER(NULL, &p, plen)) == NULL) {
@@ -655,6 +657,7 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
pkpeer = EVP_PKEY_new();
if (pkpeer == NULL)
goto err;
+
EVP_PKEY_assign(pkpeer, pk->ameth->pkey_id, dhpeer);
dhpeer = NULL;
if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
diff --git a/crypto/openssl/crypto/ec/curve448/field.h b/crypto/openssl/crypto/ec/curve448/field.h
index ccd04482d205..4e4eda664f78 100644
--- a/crypto/openssl/crypto/ec/curve448/field.h
+++ b/crypto/openssl/crypto/ec/curve448/field.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014 Cryptography Research, Inc.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -62,7 +62,7 @@ mask_t gf_eq(const gf x, const gf y);
mask_t gf_lobit(const gf x);
mask_t gf_hibit(const gf x);
-void gf_serialize(uint8_t *serial, const gf x, int with_highbit);
+void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_highbit);
mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit,
uint8_t hi_nmask);
diff --git a/crypto/openssl/crypto/ec/ec_asn1.c b/crypto/openssl/crypto/ec/ec_asn1.c
index c8ee1e6f1762..4335b3da1a54 100644
--- a/crypto/openssl/crypto/ec/ec_asn1.c
+++ b/crypto/openssl/crypto/ec/ec_asn1.c
@@ -548,7 +548,7 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
ECPARAMETERS_free(ret->value.parameters);
}
- if (EC_GROUP_get_asn1_flag(group)) {
+ if (EC_GROUP_get_asn1_flag(group) == OPENSSL_EC_NAMED_CURVE) {
/*
* use the asn1 OID to describe the elliptic curve parameters
*/
diff --git a/crypto/openssl/crypto/ec/ec_curve.c b/crypto/openssl/crypto/ec/ec_curve.c
index 8de486cbd763..b4c14e91e175 100644
--- a/crypto/openssl/crypto/ec/ec_curve.c
+++ b/crypto/openssl/crypto/ec/ec_curve.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -12,6 +12,7 @@
#include "ec_local.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>
+#include <openssl/objects.h>
#include <openssl/opensslconf.h>
#include "internal/nelem.h"
@@ -3097,6 +3098,32 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
goto err;
}
}
+
+ if (EC_GROUP_get_asn1_flag(group) == OPENSSL_EC_NAMED_CURVE) {
+ /*
+ * Some curves don't have an associated OID: for those we should not
+ * default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and
+ * instead set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`.
+ *
+ * Note that `OPENSSL_EC_NAMED_CURVE` is set as the default ASN1 flag on
+ * `EC_GROUP_new()`, when we don't have enough elements to determine if
+ * an OID for the curve name actually exists.
+ * We could implement this check on `EC_GROUP_set_curve_name()` but
+ * overloading the simple setter with this lookup could have a negative
+ * performance impact and unexpected consequences.
+ */
+ ASN1_OBJECT *asn1obj = OBJ_nid2obj(curve.nid);
+
+ if (asn1obj == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_OBJ_LIB);
+ goto err;
+ }
+ if (OBJ_length(asn1obj) == 0)
+ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
+
+ ASN1_OBJECT_free(asn1obj);
+ }
+
ok = 1;
err:
if (!ok) {
diff --git a/crypto/openssl/crypto/engine/eng_dyn.c b/crypto/openssl/crypto/engine/eng_dyn.c
index 06e677290a70..87c762edb8a0 100644
--- a/crypto/openssl/crypto/engine/eng_dyn.c
+++ b/crypto/openssl/crypto/engine/eng_dyn.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -477,7 +477,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
engine_set_all_null(e);
/* Try to bind the ENGINE onto our own ENGINE structure */
- if (!ctx->bind_engine(e, ctx->engine_id, &fns)) {
+ if (!engine_add_dynamic_id(e, (ENGINE_DYNAMIC_ID)ctx->bind_engine, 1)
+ || !ctx->bind_engine(e, ctx->engine_id, &fns)) {
+ engine_remove_dynamic_id(e, 1);
ctx->bind_engine = NULL;
ctx->v_check = NULL;
DSO_free(ctx->dynamic_dso);
diff --git a/crypto/openssl/crypto/engine/eng_lib.c b/crypto/openssl/crypto/engine/eng_lib.c
index 5bd584c5999a..fb727b787747 100644
--- a/crypto/openssl/crypto/engine/eng_lib.c
+++ b/crypto/openssl/crypto/engine/eng_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -67,6 +67,7 @@ void engine_set_all_null(ENGINE *e)
e->load_pubkey = NULL;
e->cmd_defns = NULL;
e->flags = 0;
+ e->dynamic_id = NULL;
}
int engine_free_util(ENGINE *e, int not_locked)
@@ -92,6 +93,7 @@ int engine_free_util(ENGINE *e, int not_locked)
*/
if (e->destroy)
e->destroy(e);
+ engine_remove_dynamic_id(e, not_locked);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data);
OPENSSL_free(e);
return 1;
diff --git a/crypto/openssl/crypto/engine/eng_list.c b/crypto/openssl/crypto/engine/eng_list.c
index 1352fb7c961d..e2e91d297bd6 100644
--- a/crypto/openssl/crypto/engine/eng_list.c
+++ b/crypto/openssl/crypto/engine/eng_list.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -24,6 +24,12 @@
static ENGINE *engine_list_head = NULL;
static ENGINE *engine_list_tail = NULL;
+/*
+ * The linked list of currently loaded dynamic engines.
+ */
+static ENGINE *engine_dyn_list_head = NULL;
+static ENGINE *engine_dyn_list_tail = NULL;
+
/*
* This cleanup function is only needed internally. If it should be called,
* we register it with the "engine_cleanup_int()" stack to be called during
@@ -126,6 +132,85 @@ static int engine_list_remove(ENGINE *e)
return 1;
}
+/* Add engine to dynamic engine list. */
+int engine_add_dynamic_id(ENGINE *e, ENGINE_DYNAMIC_ID dynamic_id,
+ int not_locked)
+{
+ int result = 0;
+ ENGINE *iterator = NULL;
+
+ if (e == NULL)
+ return 0;
+
+ if (e->dynamic_id == NULL && dynamic_id == NULL)
+ return 0;
+
+ if (not_locked && !CRYPTO_THREAD_write_lock(global_engine_lock))
+ return 0;
+
+ if (dynamic_id != NULL) {
+ iterator = engine_dyn_list_head;
+ while (iterator != NULL) {
+ if (iterator->dynamic_id == dynamic_id)
+ goto err;
+ iterator = iterator->next;
+ }
+ if (e->dynamic_id != NULL)
+ goto err;
+ e->dynamic_id = dynamic_id;
+ }
+
+ if (engine_dyn_list_head == NULL) {
+ /* We are adding to an empty list. */
+ if (engine_dyn_list_tail != NULL)
+ goto err;
+ engine_dyn_list_head = e;
+ e->prev_dyn = NULL;
+ } else {
+ /* We are adding to the tail of an existing list. */
+ if (engine_dyn_list_tail == NULL
+ || engine_dyn_list_tail->next_dyn != NULL)
+ goto err;
+ engine_dyn_list_tail->next_dyn = e;
+ e->prev_dyn = engine_dyn_list_tail;
+ }
+
+ engine_dyn_list_tail = e;
+ e->next_dyn = NULL;
+ result = 1;
+
+ err:
+ if (not_locked)
+ CRYPTO_THREAD_unlock(global_engine_lock);
+ return result;
+}
+
+/* Remove engine from dynamic engine list. */
+void engine_remove_dynamic_id(ENGINE *e, int not_locked)
+{
+ if (e == NULL || e->dynamic_id == NULL)
+ return;
+
+ if (not_locked && !CRYPTO_THREAD_write_lock(global_engine_lock))
+ return;
+
+ e->dynamic_id = NULL;
+
+ /* un-link e from the chain. */
+ if (e->next_dyn != NULL)
+ e->next_dyn->prev_dyn = e->prev_dyn;
+ if (e->prev_dyn != NULL)
+ e->prev_dyn->next_dyn = e->next_dyn;
+ /* Correct our head/tail if necessary. */
+ if (engine_dyn_list_head == e)
+ engine_dyn_list_head = e->next_dyn;
+ if (engine_dyn_list_tail == e)
+ engine_dyn_list_tail = e->prev_dyn;
+
+ if (not_locked)
+ CRYPTO_THREAD_unlock(global_engine_lock);
+}
+
/* Get the first/last "ENGINE" type available. */
ENGINE *ENGINE_get_first(void)
{
@@ -272,6 +357,8 @@ static void engine_cpy(ENGINE *dest, const ENGINE *src)
dest->load_pubkey = src->load_pubkey;
dest->cmd_defns = src->cmd_defns;
dest->flags = src->flags;
+ dest->dynamic_id = src->dynamic_id;
+ engine_add_dynamic_id(dest, NULL, 0);
}
ENGINE *ENGINE_by_id(const char *id)
diff --git a/crypto/openssl/crypto/engine/eng_local.h b/crypto/openssl/crypto/engine/eng_local.h
index 8ef7172b9f45..e271222d76a8 100644
--- a/crypto/openssl/crypto/engine/eng_local.h
+++ b/crypto/openssl/crypto/engine/eng_local.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -118,6 +118,11 @@ void engine_pkey_asn1_meths_free(ENGINE *e);
extern CRYPTO_ONCE engine_lock_init;
DECLARE_RUN_ONCE(do_engine_lock_init)
+typedef void (*ENGINE_DYNAMIC_ID)(void);
+int engine_add_dynamic_id(ENGINE *e, ENGINE_DYNAMIC_ID dynamic_id,
+ int not_locked);
+void engine_remove_dynamic_id(ENGINE *e, int not_locked);
+
/*
* This is a structure for storing implementations of various crypto
* algorithms and functions.
@@ -162,6 +167,10 @@ struct engine_st {
/* Used to maintain the linked-list of engines. */
struct engine_st *prev;
struct engine_st *next;
+ /* Used to maintain the linked-list of dynamic engines. */
+ struct engine_st *prev_dyn;
+ struct engine_st *next_dyn;
+ ENGINE_DYNAMIC_ID dynamic_id;
};
typedef struct st_engine_pile ENGINE_PILE;
diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c
index 1372d52f80ee..bd116e249acb 100644
--- a/crypto/openssl/crypto/err/err.c
+++ b/crypto/openssl/crypto/err/err.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -129,6 +129,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
{ERR_R_INTERNAL_ERROR, "internal error"},
{ERR_R_DISABLED, "called a function that was disabled at compile-time"},
{ERR_R_INIT_FAIL, "init fail"},
+ {ERR_R_PASSED_INVALID_ARGUMENT, "passed invalid argument"},
{ERR_R_OPERATION_FAIL, "operation fail"},
{0, NULL},
diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c
index e3c165d48e08..d835968f253c 100644
--- a/crypto/openssl/crypto/evp/evp_enc.c
+++ b/crypto/openssl/crypto/evp/evp_enc.c
@@ -85,7 +85,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
* previous check attempted to avoid this if the same ENGINE and
* EVP_CIPHER could be used).
*/
- if (ctx->cipher) {
+ if (ctx->cipher
+#ifndef OPENSSL_NO_ENGINE
+ || ctx->engine
+#endif
+ || ctx->cipher_data) {
unsigned long flags = ctx->flags;
EVP_CIPHER_CTX_reset(ctx);
/* Restore encrypt and flags */
@@ -105,11 +109,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
/* There's an ENGINE for this job ... (apparently) */
const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
if (!c) {
- /*
- * One positive side-effect of US's export control history,
- * is that we should at least be able to avoid using US
- * misspellings of "initialisation"?
- */
+ ENGINE_finish(impl);
EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
return 0;
}
diff --git a/crypto/openssl/crypto/evp/p_lib.c b/crypto/openssl/crypto/evp/p_lib.c
index 9f1a485a5b83..1f36cb2164fc 100644
--- a/crypto/openssl/crypto/evp/p_lib.c
+++ b/crypto/openssl/crypto/evp/p_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -212,10 +212,15 @@ static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
}
if (pkey) {
pkey->ameth = ameth;
- pkey->engine = e;
-
pkey->type = pkey->ameth->pkey_id;
pkey->save_type = type;
+# ifndef OPENSSL_NO_ENGINE
+ if (eptr == NULL && e != NULL && !ENGINE_init(e)) {
+ EVPerr(EVP_F_PKEY_SET_TYPE, EVP_R_INITIALIZATION_ERROR);
+ return 0;
+ }
+# endif
+ pkey->engine = e;
}
return 1;
}
@@ -520,7 +525,7 @@ int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
{
- if (pkey->type != EVP_PKEY_EC) {
+ if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
return NULL;
}
diff --git a/crypto/openssl/crypto/objects/o_names.c b/crypto/openssl/crypto/objects/o_names.c
index 979d83577c22..872676ba2277 100644
--- a/crypto/openssl/crypto/objects/o_names.c
+++ b/crypto/openssl/crypto/objects/o_names.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -67,8 +67,14 @@ static CRYPTO_ONCE init = CRYPTO_ONCE_STATIC_INIT;
DEFINE_RUN_ONCE_STATIC(o_names_init)
{
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
- names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+ names_lh = NULL;
obj_lock = CRYPTO_THREAD_lock_new();
+ if (obj_lock != NULL)
+ names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+ if (names_lh == NULL) {
+ CRYPTO_THREAD_lock_free(obj_lock);
+ obj_lock = NULL;
+ }
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
return names_lh != NULL && obj_lock != NULL;
}
@@ -217,10 +223,8 @@ int OBJ_NAME_add(const char *name, int type, const char *data)
type &= ~OBJ_NAME_ALIAS;
onp = OPENSSL_malloc(sizeof(*onp));
- if (onp == NULL) {
- /* ERROR */
- goto unlock;
- }
+ if (onp == NULL)
+ return 0;
onp->name = name;
onp->alias = alias;
diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c
index a26322119aa7..2de093595d0d 100644
--- a/crypto/openssl/crypto/pem/pem_lib.c
+++ b/crypto/openssl/crypto/pem/pem_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -899,18 +899,13 @@ err:
int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
unsigned char **data, long *len_out, unsigned int flags)
{
- EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
+ EVP_ENCODE_CTX *ctx = NULL;
const BIO_METHOD *bmeth;
BIO *headerB = NULL, *dataB = NULL;
char *name = NULL;
int len, taillen, headerlen, ret = 0;
BUF_MEM * buf_mem;
- if (ctx == NULL) {
- PEMerr(PEM_F_PEM_READ_BIO_EX, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
*len_out = 0;
*name_out = *header = NULL;
*data = NULL;
@@ -933,9 +928,20 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
if (!get_header_and_data(bp, &headerB, &dataB, name, flags))
goto end;
- EVP_DecodeInit(ctx);
BIO_get_mem_ptr(dataB, &buf_mem);
len = buf_mem->length;
+
+ /* There was no data in the PEM file */
+ if (len == 0)
+ goto end;
+
+ ctx = EVP_ENCODE_CTX_new();
+ if (ctx == NULL) {
+ PEMerr(PEM_F_PEM_READ_BIO_EX, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+
+ EVP_DecodeInit(ctx);
if (EVP_DecodeUpdate(ctx, (unsigned char*)buf_mem->data, &len,
(unsigned char*)buf_mem->data, len) < 0
|| EVP_DecodeFinal(ctx, (unsigned char*)&(buf_mem->data[len]),
@@ -946,9 +952,6 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
len += taillen;
buf_mem->length = len;
- /* There was no data in the PEM file; avoid malloc(0). */
- if (len == 0)
- goto end;
headerlen = BIO_get_mem_data(headerB, NULL);
*header = pem_malloc(headerlen + 1, flags);
*data = pem_malloc(len, flags);
diff --git a/crypto/openssl/crypto/rand/rand_unix.c b/crypto/openssl/crypto/rand/rand_unix.c
index 43f1069d151d..71cedae62e02 100644
--- a/crypto/openssl/crypto/rand/rand_unix.c
+++ b/crypto/openssl/crypto/rand/rand_unix.c
@@ -381,7 +381,7 @@ static ssize_t syscall_random(void *buf, size_t buflen)
if (errno != ENOSYS)
*** 1107 LINES SKIPPED ***