Squashed 'openssl/' changes from 75a6bc17f32..19cc035b6c6

19cc035b6c6 Prepare for release of 3.0.7
4539f7486b8 make update
2fa4bde7264 Update copyright year
cf889ec8d9e Update CHANGES.md and NEWS.md for new release
f0f530216bf punycode: add unit tests
c42165b5706 Fix CVE-2022-3786 in punycode decoder.
fe3b639dc19 Fix CVE-2022-3602 in punycode decoder.
4bae06d47ae tests: clear error queue before executing a testcase
e6623693597 Fix parameter names for RSA private key example
bc84a93a992 Make openVMS seeding less dependent of OpenVMS version
34e3cbf99f2 Use RSA CRT parameters in FIPS self tests.
1cfc95b25c9 test: driver: fix -Wunused-but-set-variable
1b85fc806a7 x509: fix -Wunused-but-set-variable
e8c8f6faeac txt_db: fix -Wunused-but-set-variable
15d698d2f82 pem: fix -Wunused-but-set-variable
49c2c81d55d CI: add Clang 15
33da0e2b0d0 CI: Upgrade to Ubuntu 22.04 to add GCC 12, Clang 13, Clang 14
e701d98618e CI: add GCC 11
3efb41c026d ssl_cipher_process_rulestr: don't read outside rule_str buffer
38acfc30cc7 Add missing ERR_R_XXX_LIB codes
840a8298297 Finer grained error records for provider load/init failures
9cbd2e1098c Fix a lock in provider_remove_store_methods()
b0ef844283f openssl list: Fix help text about -cipher-algorithms option
0b3fec50229 Workaround egd rand source deficiencies
3e9ce25c6a3 Checking the return of BIO_new_fp(). If it returns NULL, then it is unnecessary to build the BIO chain and better make the caller directly return NULL
f713ec7d9d1 doc: fix copy/paste error
6c366417f74 Errors raised from OPENSSL_sk_set should have ERR_LIB_CRYPTO
b20d44eac8f Document the stack functions that are forgiving
367ee2152e0 stack: Do not add error if pop/shift/value accesses outside of the stack
d8f0b0fc1fe Fix trivial check_docs CI failure
0c9441652bb Add changes entry for RIPEMD160 in 3.0.7
2561dea8c60 Replace BIO_free(bio_err) with BIO_free_all(bio_err)
e5b8044a7a8 update pyca cryptography to 38.0.2
f531e4ae0c3 link the pyca tests against the correct openssl
bd7379b0db5 Fix no longer implicitly refresh the cached TBSCertificate
312a6b3a032 Fix many inconsistencies in doc of CMS_verify() and PKC7_verify() etc.
f1e990b855c ripemd: document as being present in the default provider
2f355186551 Avoid putting ripemd_prov.c in libcommon otherwise it is regarded as fips source
4534468866c default provider: include RIPEMD160
c861c3ee142 Add a test for TLSv1.3 only client sending a correct key_share
78d00e05a53 Add a test for where a client sends a non-TLSv1.3 key share
3df6aed7826 Ensure that the key share group is allowed for our protocol version
e2b2e6b166b init: fix defined but unused warning/error
69c71545456 disable 5x interleave on buffers shorter than 512 bytes: 3% speedup on Graviton2
679ea6a1d4f Fix documentation for OFB/OCB in the FIPS provider
bba03df4d98 Add missing include for DH_get0_priv_key()
5b5ab6ebe6d Fix an occasional CI failure due to unaligned access
e18186aa6ab Add translation for ECX group parameter
667ece5ed08 eckey_priv_encode(): Call ASN1_STRING_free() only on an ASN1_STRING
cdb505ea475 Prepare for 3.0.7

git-subtree-dir: openssl
git-subtree-split: 19cc035b6c6f2283573d29c7ea7f7d675cf750ce

.github/workflows/compiler-zoo.yml

@@ -19,35 +19,86 @@ jobs:
       matrix:
         zoo: [
           {
-            cc: gcc-7
+            cc: gcc-7,
+            distro: ubuntu-20.04
           }, {
-            cc: gcc-8
+            cc: gcc-8,
+            distro: ubuntu-20.04
           }, {
-            cc: gcc-9
+            cc: gcc-9,
+            distro: ubuntu-20.04
           }, {
-            cc: gcc-10
+            cc: gcc-10,
+            distro: ubuntu-20.04
           }, {
-            cc: clang-6.0
+            cc: gcc-11,
+            distro: ubuntu-22.04
           }, {
-            cc: clang-7
+            cc: gcc-12,
+            distro: ubuntu-22.04
           }, {
-            cc: clang-8
+            cc: clang-6.0,
+            distro: ubuntu-20.04
           }, {
-            cc: clang-9
+            cc: clang-7,
+            distro: ubuntu-20.04
           }, {
-            cc: clang-10
+            cc: clang-8,
+            distro: ubuntu-20.04
           }, {
-            cc: clang-11
+            cc: clang-9,
+            distro: ubuntu-20.04
           }, {
-            cc: clang-12
+            cc: clang-10,
+            distro: ubuntu-20.04
+          }, {
+            cc: clang-11,
+            distro: ubuntu-20.04
+          }, {
+            cc: clang-12,
+            distro: ubuntu-20.04
+          }, {
+            cc: clang-13,
+            distro: ubuntu-22.04
+          }, {
+            cc: clang-14,
+            distro: ubuntu-22.04
+          }, {
+            cc: clang-15,
+            distro: ubuntu-22.04,
+            llvm-ppa-name: jammy
           }
         ]
-    runs-on: ubuntu-latest
+    # We set per-compiler now to allow testing with both older and newer sets
+    # Often, the full range of oldest->newest compilers we want aren't available
+    # in a single version of Ubuntu.
+    runs-on: ${{ matrix.zoo.distro }}
     steps:
     - name: install packages
       run: |
+        llvm_ppa_name="${{ matrix.zoo.llvm-ppa-name }}"
+
+        # In the Matrix above, we set llvm-ppa-name if an LLVM version isn't
+        # part of the Ubuntu version we're using. See https://apt.llvm.org/.
+        if [[ -n ${llvm_ppa_name} ]] ; then
+            wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key |\
+                gpg --dearmor |\
+                sudo tee /usr/share/keyrings/llvm-snapshot.gpg.key > /dev/null
+
+            clang_version="${{ matrix.zoo.cc }}"
+            clang_version="${clang_version/clang-}"
+
+            echo "deb [signed-by=/usr/share/keyrings/llvm-snapshot.gpg.key] http://apt.llvm.org/${{ matrix.zoo.llvm-ppa-name }}/ llvm-toolchain-${{ matrix.zoo.llvm-ppa-name }}-${clang_version} main" \
+                | sudo tee /etc/apt/sources.list.d/llvm.list
+            echo "deb-src [signed-by=/usr/share/keyrings/llvm-snapshot.gpg.key] http://apt.llvm.org/${{ matrix.zoo.llvm-ppa-name }}/ llvm-toolchain-${{ matrix.zoo.llvm-ppa-name }}-${clang_version} main" \
+                | sudo tee -a /etc/apt/sources.list.d/llvm.list
+
+            cat /etc/apt/sources.list.d/llvm.list
+        fi
+
         sudo apt-get update
-        sudo apt-get -yq --force-yes install ${{ matrix.zoo.cc }}
+        sudo apt-get -y install ${{ matrix.zoo.cc }}
+
     - uses: actions/checkout@v2
 
     - name: config

CHANGES.md

@@ -28,6 +28,64 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
+### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
+
+ * Fixed two buffer overflows in punycode decoding functions.
+
+   A buffer overrun can be triggered in X.509 certificate verification,
+   specifically in name constraint checking. Note that this occurs after
+   certificate chain signature verification and requires either a CA to
+   have signed the malicious certificate or for the application to continue
+   certificate verification despite failure to construct a path to a trusted
+   issuer.
+
+   In a TLS client, this can be triggered by connecting to a malicious
+   server.  In a TLS server, this can be triggered if the server requests
+   client authentication and a malicious client connects.
+
+   An attacker can craft a malicious email address to overflow
+   an arbitrary number of bytes containing the `.`  character (decimal 46)
+   on the stack.  This buffer overflow could result in a crash (causing a
+   denial of service).
+   ([CVE-2022-3786])
+
+   An attacker can craft a malicious email address to overflow four
+   attacker-controlled bytes on the stack.  This buffer overflow could
+   result in a crash (causing a denial of service) or potentially remote code
+   execution depending on stack layout for any given platform/compiler.
+   ([CVE-2022-3602])
+
+   *Paul Dale*
+
+ * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
+   parameters in OpenSSL code.
+   Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
+   OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
+   Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
+   Using these invalid names may cause algorithms to use slower methods
+   that ignore the CRT parameters.
+
+   *Shane Lontis*
+
+ * Fixed a regression introduced in 3.0.6 version raising errors on some stack
+   operations.
+
+   *Tomáš Mráz*
+
+ * Fixed a regression introduced in 3.0.6 version not refreshing the certificate
+   data to be signed before signing the certificate.
+
+   *Gibeom Gwon*
+
+ * Added RIPEMD160 to the default provider.
+
+   *Paul Dale*
+
+ * Ensured that the key share group sent or accepted for the key exchange
+   is allowed for the protocol version.
+
+   *Matt Caswell*
+
 ### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]
 
  * OpenSSL supports creating a custom cipher via the legacy

NEWS.md

@@ -18,6 +18,13 @@ OpenSSL Releases
 OpenSSL 3.0
 -----------
 
+### Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022]
+
+  * Added RIPEMD160 to the default provider.
+  * Fixed regressions introduced in 3.0.6 version.
+  * Fixed two buffer overflows in punycode decoding functions.
+    ([CVE-2022-3786]) and ([CVE-2022-3602])
+
 ### Major changes between OpenSSL 3.0.5 and OpenSSL 3.0.6 [11 Oct 2022]
 
   * Fix for custom ciphers to prevent accidental use of NULL encryption

README-ENGINES.md

@@ -314,4 +314,3 @@ It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32.
 A quick test done right before the release showed that trying "openssl speed
 -engine cswift" generated errors. If the DSO gets enabled, an attempt is made
 to write at memory address 0x00000002.
-

VERSION.dat

@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=0
-PATCH=6
+PATCH=7
 PRE_RELEASE_TAG=
 BUILD_METADATA=
-RELEASE_DATE="11 Oct 2022"
+RELEASE_DATE="1 Nov 2022"
 SHLIB_VERSION=3

apps/lib/apps.c

@@ -2936,6 +2936,9 @@ BIO *dup_bio_out(int format)
                         BIO_NOCLOSE | (FMT_istext(format) ? BIO_FP_TEXT : 0));
     void *prefix = NULL;
 
+    if (b == NULL)
+        return NULL;
+
 #ifdef OPENSSL_SYS_VMS
     if (FMT_istext(format))
         b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
@@ -2955,7 +2958,7 @@ BIO *dup_bio_err(int format)
     BIO *b = BIO_new_fp(stderr,
                         BIO_NOCLOSE | (FMT_istext(format) ? BIO_FP_TEXT : 0));
 #ifdef OPENSSL_SYS_VMS
-    if (FMT_istext(format))
+    if (b != NULL && FMT_istext(format))
         b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
 #endif
     return b;

apps/list.c

@@ -1474,7 +1474,7 @@ const OPTIONS list_options[] = {
     "List of cipher commands (deprecated)"},
 #endif
     {"cipher-algorithms", OPT_CIPHER_ALGORITHMS, '-',
-     "List of cipher algorithms"},
+     "List of symmetric cipher algorithms"},
     {"encoders", OPT_ENCODERS, '-', "List of encoding methods" },
     {"decoders", OPT_DECODERS, '-', "List of decoding methods" },
     {"key-managers", OPT_KEYMANAGERS, '-', "List of key managers" },

apps/openssl.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -307,7 +307,7 @@ int main(int argc, char *argv[])
     BIO_free(bio_in);
     BIO_free_all(bio_out);
     apps_shutdown();
-    BIO_free(bio_err);
+    BIO_free_all(bio_err);
     EXIT(ret);
 }
 

crypto/aes/asm/aesv8-armx.pl

@@ -1825,7 +1825,7 @@ ()
 	vorr		$dat2,$ivec,$ivec
 ___
 $code.=<<___	if ($flavour =~ /64/);
-	cmp		$len,#2
+	cmp		$len,#32
 	b.lo		.Loop3x_ctr32
 
 	add		w13,$ctr,#1

crypto/bn/rsaz_exp_x2.c

@@ -31,6 +31,14 @@ NON_EMPTY_TRANSLATION_UNIT
 #  define ALIGN64
 # endif
 
+# if defined(__GNUC__)
+#  define ALIGN1  __attribute__((aligned(1)))
+# elif defined(_MSC_VER)
+#  define ALIGN1  __declspec(align(1))
+# else
+#  define ALIGN1
+# endif
+
 # define ALIGN_OF(ptr, boundary) \
     ((unsigned char *)(ptr) + (boundary - (((size_t)(ptr)) & (boundary - 1))))
 
@@ -42,6 +50,8 @@ NON_EMPTY_TRANSLATION_UNIT
 # define BITS2WORD8_SIZE(x)  (((x) + 7) >> 3)
 # define BITS2WORD64_SIZE(x) (((x) + 63) >> 6)
 
+typedef uint64_t ALIGN1 uint64_t_align1;
+
 static ossl_inline uint64_t get_digit52(const uint8_t *in, int in_len);
 static ossl_inline void put_digit52(uint8_t *out, int out_len, uint64_t digit);
 static void to_words52(BN_ULONG *out, int out_len, const BN_ULONG *in,
@@ -468,9 +478,9 @@ static void to_words52(BN_ULONG *out, int out_len,
     in_str = (uint8_t *)in;
 
     for (; in_bitsize >= (2 * DIGIT_SIZE); in_bitsize -= (2 * DIGIT_SIZE), out += 2) {
-        out[0] = (*(uint64_t *)in_str) & DIGIT_MASK;
+        out[0] = (*(uint64_t_align1 *)in_str) & DIGIT_MASK;
         in_str += 6;
-        out[1] = ((*(uint64_t *)in_str) >> 4) & DIGIT_MASK;
+        out[1] = ((*(uint64_t_align1 *)in_str) >> 4) & DIGIT_MASK;
         in_str += 7;
         out_len -= 2;
     }
@@ -527,9 +537,9 @@ static void from_words52(BN_ULONG *out, int out_bitsize, const BN_ULONG *in)
         uint8_t *out_str = (uint8_t *)out;
 
         for (; out_bitsize >= (2 * DIGIT_SIZE); out_bitsize -= (2 * DIGIT_SIZE), in += 2) {
-            (*(uint64_t *)out_str) = in[0];
+            (*(uint64_t_align1 *)out_str) = in[0];
             out_str += 6;
-            (*(uint64_t *)out_str) ^= in[1] << 4;
+            (*(uint64_t_align1 *)out_str) ^= in[1] << 4;
             out_str += 7;
         }
 

crypto/conf/conf_def.c

@@ -296,7 +296,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
             }
 #endif
             /* no more files in directory, continue with processing parent */
-            if (sk_BIO_num(biosk) < 1 || (parent = sk_BIO_pop(biosk)) == NULL) {
+            if ((parent = sk_BIO_pop(biosk)) == NULL) {
                 /* everything processed get out of the loop */
                 break;
             } else {

crypto/ec/ec_ameth.c

@@ -42,7 +42,6 @@ static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key)
         ASN1_OBJECT *asn1obj = OBJ_nid2obj(nid);
 
         if (asn1obj == NULL || OBJ_length(asn1obj) == 0) {
-            ASN1_OBJECT_free(asn1obj);
             ERR_raise(ERR_LIB_EC, EC_R_MISSING_OID);
             return 0;
         }
@@ -92,9 +91,7 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
                                ptype, pval, penc, penclen))
         return 1;
  err:
-    if (ptype == V_ASN1_OBJECT)
-        ASN1_OBJECT_free(pval);
-    else
+    if (ptype == V_ASN1_SEQUENCE)
         ASN1_STRING_free(pval);
     OPENSSL_free(penc);
     return 0;
@@ -187,19 +184,22 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
     eplen = i2d_ECPrivateKey(&ec_key, &ep);
     if (eplen <= 0) {
         ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
-        ASN1_STRING_free(pval);
-        return 0;
+        goto err;
     }
 
     if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,
                          ptype, pval, ep, eplen)) {
-        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
-        ASN1_STRING_free(pval);
+        ERR_raise(ERR_LIB_EC, ERR_R_ASN1_LIB);
         OPENSSL_clear_free(ep, eplen);
-        return 0;
+        goto err;
     }
 
     return 1;
+
+ err:
+    if (ptype == V_ASN1_SEQUENCE)
+        ASN1_STRING_free(pval);
+    return 0;
 }
 
 static int int_ec_size(const EVP_PKEY *pkey)