Skip to content

Commit

Permalink
deps: upgrade openssl sources to 1.1.1q
Browse files Browse the repository at this point in the history
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1q.tar.gz
    $ mv openssl-1.1.1q openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #43686
Refs: https://mta.openssl.org/pipermail/openssl-announce/2022-July/000232.html
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
  • Loading branch information
RafaelGSS authored and juanarbol committed Jul 6, 2022
1 parent 48c5aa5 commit 98965b1
Show file tree
Hide file tree
Showing 15 changed files with 215 additions and 21 deletions.
13 changes: 13 additions & 0 deletions deps/openssl/openssl/CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,19 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.1.1p and 1.1.1q [5 Jul 2022]

*) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation would not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
they are both unaffected.
(CVE-2022-2097)
[Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]

Changes between 1.1.1o and 1.1.1p [21 Jun 2022]

*) In addition to the c_rehash shell command injection identified in
Expand Down
5 changes: 5 additions & 0 deletions deps/openssl/openssl/NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022]

o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms
(CVE-2022-2097)

Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022]

o Fixed additional bugs in the c_rehash script which was not properly
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/README
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@

OpenSSL 1.1.1p 21 Jun 2022
OpenSSL 1.1.1q 5 Jul 2022

Copyright (c) 1998-2022 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/crypto/aes/asm/aesni-x86.pl
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -2027,7 +2027,7 @@ sub aesni_generate6
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
&jb (&label("grandloop"));
&jbe (&label("grandloop"));

&set_label("short");
&add ($len,16*6);
Expand Down Expand Up @@ -2453,7 +2453,7 @@ sub aesni_generate6
&pxor ($rndkey1,$inout5);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
&jb (&label("grandloop"));
&jbe (&label("grandloop"));

&set_label("short");
&add ($len,16*6);
Expand Down
8 changes: 5 additions & 3 deletions deps/openssl/openssl/crypto/bn/bn_gcd.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -47,7 +47,8 @@ BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in,
if (R == NULL)
goto err;

BN_one(X);
if (!BN_one(X))
goto err;
BN_zero(Y);
if (BN_copy(B, a) == NULL)
goto err;
Expand Down Expand Up @@ -235,7 +236,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
if (R == NULL)
goto err;

BN_one(X);
if (!BN_one(X))
goto err;
BN_zero(Y);
if (BN_copy(B, a) == NULL)
goto err;
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/crypto/ec/ec_asn1.c
Original file line number Diff line number Diff line change
Expand Up @@ -794,7 +794,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
}

/* extract the order */
if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) {
if (ASN1_INTEGER_to_BN(params->order, a) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
goto err;
}
Expand All @@ -811,7 +811,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
if (params->cofactor == NULL) {
BN_free(b);
b = NULL;
} else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) {
} else if (ASN1_INTEGER_to_BN(params->cofactor, b) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
goto err;
}
Expand Down
16 changes: 13 additions & 3 deletions deps/openssl/openssl/crypto/x509v3/v3_addr.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand All @@ -13,6 +13,8 @@

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <string.h>

#include "internal/cryptlib.h"
#include <openssl/conf.h>
Expand Down Expand Up @@ -342,8 +344,13 @@ static int range_should_be_prefix(const unsigned char *min,
unsigned char mask;
int i, j;

if (memcmp(min, max, length) <= 0)
return -1;
/*
* It is the responsibility of the caller to confirm min <= max. We don't
* use ossl_assert() here since we have no way of signalling an error from
* this function - so we just use a plain assert instead.
*/
assert(memcmp(min, max, length) <= 0);

for (i = 0; i < length && min[i] == max[i]; i++) ;
for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
if (i < j)
Expand Down Expand Up @@ -426,6 +433,9 @@ static int make_addressRange(IPAddressOrRange **result,
IPAddressOrRange *aor;
int i, prefixlen;

if (memcmp(min, max, length) > 0)
return 0;

if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
return make_addressPrefix(result, min, prefixlen);

Expand Down
2 changes: 2 additions & 0 deletions deps/openssl/openssl/crypto/x509v3/v3_sxnet.c
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,8 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
id = sk_SXNETID_value(sx->ids, i);
tmp = i2s_ASN1_INTEGER(NULL, id->zone);
if (tmp == NULL)
return 0;
BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
OPENSSL_free(tmp);
ASN1_STRING_print(out, id->user);
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/doc/man3/SSL_get_current_cipher.pod
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,8 @@ SSL_get_pending_cipher - get SSL_CIPHER of a connection

#include <openssl/ssl.h>

SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl);
const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl);

const char *SSL_get_cipher_name(const SSL *s);
const char *SSL_get_cipher(const SSL *s);
Expand Down Expand Up @@ -61,7 +61,7 @@ L<ssl(7)>, L<SSL_CIPHER_get_name(3)>

=head1 COPYRIGHT

Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Expand Down
1 change: 0 additions & 1 deletion deps/openssl/openssl/include/crypto/bn_conf.h

This file was deleted.

1 change: 0 additions & 1 deletion deps/openssl/openssl/include/crypto/dso_conf.h

This file was deleted.

1 change: 0 additions & 1 deletion deps/openssl/openssl/include/openssl/opensslconf.h

This file was deleted.

4 changes: 2 additions & 2 deletions deps/openssl/openssl/include/openssl/opensslv.h
Original file line number Diff line number Diff line change
Expand Up @@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1010110fL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1p 21 Jun 2022"
# define OPENSSL_VERSION_NUMBER 0x1010111fL
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1q 5 Jul 2022"

/*-
* The macros below are to be used for shared library (.so, .dll, ...)
Expand Down
52 changes: 51 additions & 1 deletion deps/openssl/openssl/test/recipes/30-test_evp_data/evpciph.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#
# Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
Operation = DECRYPT
Result = CIPHERFINAL_ERROR

#Test vectors generated to validate aesni_ocb_encrypt on x86
Cipher = aes-128-ocb
Key = 000102030405060708090A0B0C0D0E0F
IV = 000000000001020304050607
Tag = C14DFF7D62A13C4A3422456207453190
Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333

Cipher = aes-128-ocb
Key = 000102030405060708090A0B0C0D0E0F
IV = 000000000001020304050607
Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204

Cipher = aes-128-ocb
Key = 000102030405060708090A0B0C0D0E0F
IV = 000000000001020304050607
Tag = 41970D13737B7BD1B5FBF49ED4412CA5
Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91

Cipher = aes-128-ocb
Key = 000102030405060708090A0B0C0D0E0F
IV = 000000000001020304050607
Tag = BE0228651ED4E48A11BDED68D953F3A0
Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F

Cipher = aes-128-ocb
Key = 000102030405060708090A0B0C0D0E0F
IV = 000000000001020304050607
Tag = 17BC6E10B16E5FDC52836E7D589518C7
Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B

Cipher = aes-128-ocb
Key = 000102030405060708090A0B0C0D0E0F
IV = 000000000001020304050607
Tag = E84AAC18666116990A3A37B3A5FC55BD
Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED

Cipher = aes-128-ocb
Key = 000102030405060708090A0B0C0D0E0F
IV = 000000000001020304050607
Tag = 3E5EA7EE064FE83B313E28D411E91EAD
Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C

Title = AES XTS test vectors from IEEE Std 1619-2007

# Using the same key twice for encryption is always banned.
Expand Down
Loading

0 comments on commit 98965b1

Please sign in to comment.