diff -Nru openssl-1.1.1j/apps/s_cb.c openssl-1.1.1k/apps/s_cb.c
--- openssl-1.1.1j/apps/s_cb.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/apps/s_cb.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -934,7 +934,8 @@
 if (!SSL_build_cert_chain(ssl, 0))
 return 0;
 } else if (exc->chain != NULL) {
- SSL_set1_chain(ssl, exc->chain);
+ if (!SSL_set1_chain(ssl, exc->chain))
+ return 0;
 }
 }
 exc = exc->prev;
diff -Nru openssl-1.1.1j/apps/s_time.c openssl-1.1.1k/apps/s_time.c
--- openssl-1.1.1j/apps/s_time.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/apps/s_time.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -263,7 +263,8 @@
 nConn, totalTime, ((double)nConn / totalTime), bytes_read);
 printf
 ("%d connections in %ld real seconds, %ld bytes read per connection\n",
- nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
+ nConn, (long)time(NULL) - finishtime + maxtime,
+ nConn > 0 ? bytes_read / nConn : 0l);
 
 /*
 * Now loop and time connections using the same session id over and over
diff -Nru openssl-1.1.1j/CHANGES openssl-1.1.1k/CHANGES
--- openssl-1.1.1j/CHANGES 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/CHANGES 2021-03-25 14:28:38.000000000 +0100
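Review bot: The fallback literal `0l` on the new `nConn > 0 ? bytes_read / nConn : 0l` line uses a lowercase-L suffix, which is easily misread as `01`; `0L` is the conventional spelling and the compiler treats the two identically, so the line should read `nConn > 0 ? bytes_read / nConn : 0L);`. Assuming bytes_read is a `long`, as the `%ld` conversion implies, the typed zero also keeps both arms of the ternary at the type that format expects. The printf in the context line above still evaluates `(double)nConn / totalTime` unguarded; that is floating-point division, so it cannot trap, but it prints inf or nan when totalTime is zero. The enclosing function starts and ends outside the hunk.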
@@ -7,6 +7,50 @@
 https://github.com/openssl/openssl/commits/ and pick the appropriate
 release branch.
 
+ Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
+
+ *) Fixed a problem with verifying a certificate chain when using the
+ X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
+ of the certificates present in a certificate chain. It is not set by
+ default.
+
+ Starting from OpenSSL version 1.1.1h a check to disallow certificates in
+ the chain that have explicitly encoded elliptic curve parameters was added
+ as an additional strict check.
+
+ An error in the implementation of this check meant that the result of a
+ previous check to confirm that certificates in the chain are valid CA
+ certificates was overwritten. This effectively bypasses the check
+ that non-CA certificates must not be able to issue other certificates.
+
+ If a "purpose" has been configured then there is a subsequent opportunity
+ for checks that the certificate is a valid CA. All of the named "purpose"
+ values implemented in libcrypto perform this check. Therefore, where
+ a purpose is set the certificate chain will still be rejected even when the
+ strict flag has been used. A purpose is set by default in libssl client and
+ server certificate verification routines, but it can be overridden or
+ removed by an application.
+
+ In order to be affected, an application must explicitly set the
+ X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
+ for the certificate verification or, in the case of TLS client or server
+ applications, override the default purpose.
+ (CVE-2021-3450)
+ [Tomáš Mráz]
+
+ *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
+ crafted renegotiation ClientHello message from a client. If a TLSv1.2
+ renegotiation ClientHello omits the signature_algorithms extension (where
+ it was present in the initial ClientHello), but includes a
+ signature_algorithms_cert extension then a NULL pointer dereference will
+ result, leading to a crash and a denial of service attack.
+
+ A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
+ (which is the default configuration). OpenSSL TLS clients are not impacted
+ by this issue.
+ (CVE-2021-3449)
+ [Peter Kästle and Samuel Sapalski]
+
 Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
 
 *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
diff -Nru openssl-1.1.1j/Configurations/unix-Makefile.tmpl openssl-1.1.1k/Configurations/unix-Makefile.tmpl
--- openssl-1.1.1j/Configurations/unix-Makefile.tmpl 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/Configurations/unix-Makefile.tmpl 2021-03-25 14:28:38.000000000 +0100
@@ -917,8 +917,8 @@
 done )
 
 ordinals:
- ( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl crypto update )
- ( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl ssl update )
+ $(PERL) $(SRCDIR)/util/mkdef.pl crypto update
+ $(PERL) $(SRCDIR)/util/mkdef.pl ssl update
 
 test_ordinals:
 ( cd test; \
diff -Nru openssl-1.1.1j/crypto/asn1/asn1_par.c openssl-1.1.1k/crypto/asn1/asn1_par.c
--- openssl-1.1.1j/crypto/asn1/asn1_par.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/asn1/asn1_par.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -325,6 +325,7 @@
 }
 if (BIO_puts(bp, "]") <= 0)
 goto end;
+ dump_cont = 0;
 }
 
 if (!nl) {
diff -Nru openssl-1.1.1j/crypto/asn1/bio_ndef.c openssl-1.1.1k/crypto/asn1/bio_ndef.c
--- openssl-1.1.1j/crypto/asn1/bio_ndef.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/asn1/bio_ndef.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -113,6 +113,8 @@
 ndef_aux = *(NDEF_SUPPORT **)parg;
 
 derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
+ if (derlen < 0)
+ return 0;
 if ((p = OPENSSL_malloc(derlen)) == NULL) {
 ASN1err(ASN1_F_NDEF_PREFIX, ERR_R_MALLOC_FAILURE);
 return 0;
diff -Nru openssl-1.1.1j/crypto/engine/eng_devcrypto.c openssl-1.1.1k/crypto/engine/eng_devcrypto.c
--- openssl-1.1.1j/crypto/engine/eng_devcrypto.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/engine/eng_devcrypto.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -758,8 +758,9 @@
 void engine_load_devcrypto_int()
 {
 ENGINE *e = NULL;
+ int fd;
 
- if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
+ if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) {
 #ifndef ENGINE_DEVCRYPTO_DEBUG
 if (errno != ENOENT)
 #endif
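Review bot: The new `if (derlen < 0) return 0;` guard in bio_ndef.c reports nothing, while the allocation-failure path two lines below records `ASN1err(ASN1_F_NDEF_PREFIX, ERR_R_MALLOC_FAILURE)`, so a caller that turns a 0 return into an error-queue lookup sees an empty queue for the encoding failure unless ASN1_item_ndef_i2d() queued one itself, which the hunk does not show. Either confirm that and say so in a comment, or queue an error before the return, e.g. `ASN1err(ASN1_F_NDEF_PREFIX, ERR_R_INTERNAL_ERROR);`. A why-comment is warranted either way: `/* a negative length signals an encoding error; it must not reach OPENSSL_malloc() */`. The enclosing function starts and ends outside the hunk.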
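Review bot: The descriptor returned by `fd = open("/dev/crypto", O_RDWR, 0)` in eng_devcrypto.c has no close-on-exec flag, so it is inherited by any process the host program later execs; on the non-CRIOGET path in the following hunk that inherited descriptor is `cfd` itself, the engine's long-lived handle to the device. `O_RDWR | O_CLOEXEC` closes that gap where the flag is available, and `fcntl(fd, F_SETFD, FD_CLOEXEC)` straight after the open is the portable fallback for platforms without it. The rename from `cfd` to the local `fd` is otherwise what the next hunk needs. The body of engine_load_devcrypto_int continues past this hunk.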
@@ -767,6 +768,18 @@
 return;
 }
 
+#ifdef CRIOGET
+ if (ioctl(fd, CRIOGET, &cfd) < 0) {
+ fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
+ close(fd);
+ cfd = -1;
+ return;
+ }
+ close(fd);
+#else
+ cfd = fd;
+#endif
+
 if ((e = ENGINE_new()) == NULL
 || !ENGINE_set_destroy_function(e, devcrypto_unload)) {
 ENGINE_free(e);
diff -Nru openssl-1.1.1j/crypto/evp/evp_enc.c openssl-1.1.1k/crypto/evp/evp_enc.c
--- openssl-1.1.1j/crypto/evp/evp_enc.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/evp/evp_enc.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-1.1.1j/crypto/modes/cbc128.c openssl-1.1.1k/crypto/modes/cbc128.c
--- openssl-1.1.1j/crypto/modes/cbc128.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/modes/cbc128.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -69,7 +69,8 @@
 in += 16;
 out += 16;
 }
- memcpy(ivec, iv, 16);
+ if (ivec != iv)
+ memcpy(ivec, iv, 16);
 }
 
 void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
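Review bot: The CRIOGET failure branch writes `fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno))` unconditionally, whereas the open() failure immediately above it is wrapped in `#ifndef ENGINE_DEVCRYPTO_DEBUG` / `if (errno != ENOENT)` before whatever it reports; if that gating exists to keep the default quiet, the new path should follow the same convention or carry a comment saying why an ioctl failure is always worth reporting. The success path also leaves the return value of `close(fd)` unchecked, which is harmless here but worth a `(void)` cast to show it is deliberate. engine_load_devcrypto_int continues past the hunk.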
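Review bot: The new `if (ivec != iv)` guard in cbc128.c needs a why-comment, otherwise a reader takes it for an optimisation rather than a correctness fix and may drop it: memcpy() with overlapping buffers is undefined behaviour, and identical pointers overlap completely, so the copy must be skipped when `iv` already is `ivec`. Suggest `/* iv may alias ivec; memcpy() on overlapping buffers is undefined, so copy only when they differ */` above the check, and the same on the matching guard in the @@ -114 hunk of CRYPTO_cbc128_decrypt. The guard covers only the exact-alias case, which is sufficient provided iv is either ivec itself or a separate local buffer; the assignment of iv is outside the hunk, so that is worth confirming. CRYPTO_cbc128_encrypt starts outside the hunk.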
@@ -114,7 +115,8 @@
 out += 16;
 }
 }
- memcpy(ivec, iv, 16);
+ if (ivec != iv)
+ memcpy(ivec, iv, 16);
 } else {
 if (STRICT_ALIGNMENT &&
 ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
diff -Nru openssl-1.1.1j/crypto/modes/gcm128.c openssl-1.1.1k/crypto/modes/gcm128.c
--- openssl-1.1.1j/crypto/modes/gcm128.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/modes/gcm128.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -1385,8 +1385,8 @@
 else
 ctx->Yi.d[3] = ctr;
 for (i = 0; i < 16 / sizeof(size_t); ++i) {
- size_t c = in[i];
- out[i] = c ^ ctx->EKi.t[i];
+ size_t c = in_t[i];
+ out_t[i] = c ^ ctx->EKi.t[i];
 ctx->Xi.t[i] ^= c;
 }
 GCM_MUL(ctx);
diff -Nru openssl-1.1.1j/crypto/o_time.c openssl-1.1.1k/crypto/o_time.c
--- openssl-1.1.1j/crypto/o_time.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/o_time.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -133,8 +133,8 @@
 static int julian_adj(const struct tm *tm, int off_day, long offset_sec,
 long *pday, int *psec)
 {
- int offset_hms, offset_day;
- long time_jd;
+ int offset_hms;
+ long offset_day, time_jd;
 int time_year, time_month, time_day;
 /* split offset into days and day seconds */
 offset_day = offset_sec / SECS_PER_DAY;
diff -Nru openssl-1.1.1j/crypto/rand/rand_lib.c openssl-1.1.1k/crypto/rand/rand_lib.c
--- openssl-1.1.1j/crypto/rand/rand_lib.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/rand/rand_lib.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -432,9 +432,13 @@
 RAND_POOL *rand_pool_new(int entropy_requested, int secure,
 size_t min_len, size_t max_len)
 {
- RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
+ RAND_POOL *pool;
 size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure);
 
+ if (!RUN_ONCE(&rand_init, do_rand_init))
+ return NULL;
+
+ pool = OPENSSL_zalloc(sizeof(*pool));
 if (pool == NULL) {
 RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
 return NULL;
diff -Nru openssl-1.1.1j/crypto/rsa/rsa_ssl.c openssl-1.1.1k/crypto/rsa/rsa_ssl.c
--- openssl-1.1.1j/crypto/rsa/rsa_ssl.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/rsa/rsa_ssl.c 2021-03-25 14:28:38.000000000 +0100
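Review bot: The widening of `offset_day` to `long` on the new `long offset_day, time_jd;` line in o_time.c deserves a why-comment, because the split int/long declaration is exactly what a later tidy-up might fold back together: `offset_sec` is a `long` parameter, so `offset_sec / SECS_PER_DAY` can exceed what an int holds and the old `int offset_day` truncated it silently. Suggest `long offset_day, time_jd; /* offset_sec / SECS_PER_DAY may not fit an int */`. `offset_hms` staying int is fine if, as its name suggests, it receives `offset_sec % SECS_PER_DAY`, which is bounded by the day length; that assignment is outside the hunk. The rest of julian_adj's body is outside the hunk.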
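Review bot: The new `RUN_ONCE(&rand_init, do_rand_init)` failure path in rand_pool_new returns NULL without recording anything, while the allocation failure just below it records `RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE)`; a caller that maps a NULL pool to an error-queue lookup therefore sees an empty queue for the initialisation failure. Unless do_rand_init is known to queue its own error, which the hunk does not show, add `RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_INTERNAL_ERROR);` before that `return NULL;`. Moving the RUN_ONCE ahead of the allocation is the right order, since nothing is leaked when init fails. rand_pool_new continues past the hunk.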
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-1.1.1j/crypto/x509/x509_vfy.c openssl-1.1.1k/crypto/x509/x509_vfy.c
--- openssl-1.1.1j/crypto/x509/x509_vfy.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/crypto/x509/x509_vfy.c 2021-03-25 14:28:38.000000000 +0100
@@ -524,15 +524,19 @@
 ret = 1;
 break;
 }
- if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
+ if (ret > 0
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
 /* Check for presence of explicit elliptic curve parameters */
 ret = check_curve(x);
- if (ret < 0)
+ if (ret < 0) {
 ctx->error = X509_V_ERR_UNSPECIFIED;
- else if (ret == 0)
+ ret = 0;
+ } else if (ret == 0) {
 ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
+ }
 }
- if ((x->ex_flags & EXFLAG_CA) == 0
+ if (ret > 0
+ && (x->ex_flags & EXFLAG_CA) == 0
 && x->ex_pathlen != -1
 && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
 ctx->error = X509_V_ERR_INVALID_EXTENSION;
diff -Nru openssl-1.1.1j/debian/changelog openssl-1.1.1k/debian/changelog
--- openssl-1.1.1j/debian/changelog 2021-07-23 14:32:42.000000000 +0200
+++ openssl-1.1.1k/debian/changelog 2021-08-11 13:00:48.000000000 +0200
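Review bot: The two `ret > 0 &&` guards in x509_vfy.c are the substance of the CVE-2021-3450 fix, yet nothing in the code records that, and the pre-fix shape (run the strict check unconditionally and assign `ret`) is precisely what a future refactor might restore. Suggest a comment above the first guard: `/* Only run the X509_STRICT checks if the CA checks above passed; they overwrite ret and must not mask an earlier failure (CVE-2021-3450) */`. The added `ret = 0;` in the `check_curve(x) < 0` branch also normalises a negative result to 0, so the function's callers outside the hunk should be checked for any that distinguished the two. check_chain_extensions starts and ends outside the hunk.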
@@ -1,3 +1,45 @@ +openssl (1.1.1k-1ubuntu1) impish; urgency=low + + * Merge from Debian unstable (LP: #1939544). Remaining changes: + - Replace duplicate files in the doc directory with symlinks. + - debian/libssl1.1.postinst: + + Display a system restart required notification on libssl1.1 + upgrade on servers, unless needrestart is available. + + Use a different priority for libssl1.1/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + + Skip services restart & reboot notification if needrestart is in-use. + + Bump version check to to 1.1.1. + + Import libraries/restart-without-asking template as used by above. + - Revert "Enable system default config to enforce TLS1.2 as a + minimum" & "Increase default security level from 1 to 2". + - Reword the NEWS entry, as applicable on Ubuntu. + - Cherrypick s390x SIMD acceleration patches for poly1305 and chacha20 + and ECC from master. + - Use perl:native in the autopkgtest for installability on i386. + - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security + level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions + below 1.2 and update documentation. Previous default of 1, can be set + by calling SSL_CTX_set_security_level(), SSL_set_security_level() or + using ':@SECLEVEL=1' CipherString value in openssl.cfg. + - Import https://github.com/openssl/openssl/pull/12272.patch to enable + CET. + - Add support for building with noudeb build profile. + * Dropped changes, superseded upstream: + - SECURITY UPDATE: NULL pointer deref in signature_algorithms processing + -> CVE-2021-3449 + - SECURITY UPDATE: CA cert check bypass with X509_V_FLAG_X509_STRICT + -> CVE-2021-3450 + + -- Simon Chopin Wed, 11 Aug 2021 13:00:48 +0200 + +openssl (1.1.1k-1) unstable; urgency=medium + + * New upstream version. + - CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT). + - CVE-2021-3449 (NULL pointer deref in signature_algorithms processing). 
+ + -- Sebastian Andrzej Siewior Thu, 25 Mar 2021 21:49:34 +0100 + openssl (1.1.1j-1ubuntu5) impish; urgency=medium * Cherry-pick an upstream patch to fix s390x AES code (LP: #1931994) diff -Nru openssl-1.1.1j/debian/patches/c_rehash-compat.patch openssl-1.1.1k/debian/patches/c_rehash-compat.patch --- openssl-1.1.1j/debian/patches/c_rehash-compat.patch 2021-02-16 20:34:26.000000000 +0100 +++ openssl-1.1.1k/debian/patches/c_rehash-compat.patch 2021-07-27 23:42:21.000000000 +0200 @@ -7,7 +7,7 @@ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/tools/c_rehash.in b/tools/c_rehash.in -index 421fd892086f..5ad1ab1d655f 100644 +index fa7c6c9fef91..a7e538a72d7d 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}) -}; @@ -46,7 +46,7 @@ sub link_hash_cert { my $fname = $_[0]; + my $x509hash = $_[1] || '-subject_hash'; - $fname =~ s/'/'\\''/g; + $fname =~ s/\"/\\\"/g; my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; chomp $hash; @@ -198,10 +196,20 @@ sub link_hash_cert { diff -Nru openssl-1.1.1j/debian/patches/CVE-2021-3449-1.patch openssl-1.1.1k/debian/patches/CVE-2021-3449-1.patch --- openssl-1.1.1j/debian/patches/CVE-2021-3449-1.patch 2021-03-25 16:44:02.000000000 +0100 +++ openssl-1.1.1k/debian/patches/CVE-2021-3449-1.patch 1970-01-01 01:00:00.000000000 +0100 
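Review bot: The refreshed context line `$fname =~ s/\"/\\\"/g;` in c_rehash-compat.patch only escapes double quotes before `$fname` is interpolated into the backtick command on the next line, `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; inside a double-quoted shell word `$`, backquote and backslash keep their meaning, so a certificate filename containing them still reaches the shell unescaped. This comes from the upstream c_rehash.in the patch is being rebased onto rather than from the refresh itself, but this patch is where the file is maintained downstream. The robust fix is to drop the shell altogether and run the command in list form, `open my $out, '-|', $openssl, 'x509', $x509hash, '-fingerprint', '-noout', '-in', $fname or die "openssl x509: $!";` and read `$hash` and `$fprint` from `$out`, so no escaping is needed at all. link_hash_cert's body continues past the hunk.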
@@ -1,43 +0,0 @@ -From c911f9f10651d5bb502a40884680ad81b06a4ff9 Mon Sep 17 00:00:00 2001 -From: Peter Kaestle -Date: Mon, 15 Mar 2021 13:19:56 +0100 -Subject: [PATCH] ssl sigalg extension: fix NULL pointer dereference -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's -possible to crash an openssl tls secured server remotely by sending a -manipulated hello message in a rehandshake. - -On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls -tls12_shared_sigalgs() with the peer_sigalgslen of the previous -handshake, while the peer_sigalgs has been freed. -As a result tls12_shared_sigalgs() walks over the available -peer_sigalgs and tries to access data of a NULL pointer. - -This issue was introduced by c589c34e61 (Add support for the TLS 1.3 -signature_algorithms_cert extension, 2018-01-11). - -Signed-off-by: Peter Kästle -Signed-off-by: Samuel Sapalski - -CVE-2021-3449 - -CLA: trivial ---- - ssl/statem/extensions.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c -index 9f51a6eb28..c77ed8c1e5 100644 ---- a/ssl/statem/extensions.c -+++ b/ssl/statem/extensions.c -@@ -1137,6 +1137,7 @@ static int init_sig_algs(SSL *s, unsigned int context) - /* Clear any signature algorithms extension received */ - OPENSSL_free(s->s3->tmp.peer_sigalgs); - s->s3->tmp.peer_sigalgs = NULL; -+ s->s3->tmp.peer_sigalgslen = 0; - - return 1; - } diff -Nru openssl-1.1.1j/debian/patches/CVE-2021-3449-2.patch openssl-1.1.1k/debian/patches/CVE-2021-3449-2.patch --- openssl-1.1.1j/debian/patches/CVE-2021-3449-2.patch 2021-03-25 16:44:06.000000000 +0100 +++ openssl-1.1.1k/debian/patches/CVE-2021-3449-2.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,71 +0,0 @@ -From 45793142f5a52974c3486dd29281d929f69110fb Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Thu, 18 Mar 2021 15:25:42 +0000 -Subject: [PATCH] Teach TLSProxy how to encrypt <= TLSv1.2 ETM records - -Previously TLSProxy only knew how to "repack" messages for TLSv1.3. -Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been -too much of restriction. However we now want to modify reneg handshakes -which are encrypted so we need to add that capability. ---- - util/perl/TLSProxy/Message.pm | 37 ++++++++++++++++++++++++++++------- - 1 file changed, 30 insertions(+), 7 deletions(-) - -diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm -index 10b6156074..3d0266e48f 100644 ---- a/util/perl/TLSProxy/Message.pm -+++ b/util/perl/TLSProxy/Message.pm -@@ -448,7 +448,7 @@ sub ciphersuite - } - - #Update all the underlying records with the modified data from this message --#Note: Only supports re-encrypting for TLSv1.3 -+#Note: Only supports TLSv1.3 and ETM encryption - sub repack - { - my $self = shift; -@@ -490,15 +490,38 @@ sub repack - # (If a length override is ever needed to construct invalid packets, - # use an explicit override field instead.) - $rec->decrypt_len(length($rec->decrypt_data)); -- $rec->len($rec->len + length($msgdata) - $old_length); -- # Only support re-encryption for TLSv1.3. -- if (TLSProxy::Proxy->is_tls13() && $rec->encrypted()) { -- #Add content type (1 byte) and 16 tag bytes -- $rec->data($rec->decrypt_data -- .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16)); -+ # Only support re-encryption for TLSv1.3 and ETM. 
-+ if ($rec->encrypted()) { -+ if (TLSProxy::Proxy->is_tls13()) { -+ #Add content type (1 byte) and 16 tag bytes -+ $rec->data($rec->decrypt_data -+ .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16)); -+ } elsif ($rec->etm()) { -+ my $data = $rec->decrypt_data; -+ #Add padding -+ my $padval = length($data) % 16; -+ $padval = 15 - $padval; -+ for (0..$padval) { -+ $data .= pack("C", $padval); -+ } -+ -+ #Add MAC. Assumed to be 20 bytes -+ foreach my $macval (0..19) { -+ $data .= pack("C", $macval); -+ } -+ -+ if ($rec->version() >= TLSProxy::Record::VERS_TLS_1_1) { -+ #Explicit IV -+ $data = ("\0"x16).$data; -+ } -+ $rec->data($data); -+ } else { -+ die "Unsupported encryption: No ETM"; -+ } - } else { - $rec->data($rec->decrypt_data); - } -+ $rec->len(length($rec->data)); - - #Update the fragment len in case we changed it above - ${$self->message_frag_lens}[0] = length($msgdata) diff -Nru openssl-1.1.1j/debian/patches/CVE-2021-3449-3.patch openssl-1.1.1k/debian/patches/CVE-2021-3449-3.patch --- openssl-1.1.1j/debian/patches/CVE-2021-3449-3.patch 2021-03-25 16:44:09.000000000 +0100 +++ openssl-1.1.1k/debian/patches/CVE-2021-3449-3.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,70 +0,0 @@ -From 0cb44054466536a326019ba2ac2f57fe9b894909 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Thu, 18 Mar 2021 15:29:04 +0000 -Subject: [PATCH] Add a test for CVE-2021-3449 - -We perform a reneg handshake, where the second ClientHello drops the -sig_algs extension. It must also contain cert_sig_algs for the test to -work. ---- - test/recipes/70-test_renegotiation.t | 36 +++++++++++++++++++++++++++- - 1 file changed, 35 insertions(+), 1 deletion(-) - -diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t -index 734f1cd21e..89cab85aa1 100644 ---- a/test/recipes/70-test_renegotiation.t -+++ b/test/recipes/70-test_renegotiation.t -@@ -38,7 +38,7 @@ my $proxy = TLSProxy::Proxy->new( - $proxy->clientflags("-no_tls1_3"); - $proxy->reneg(1); - $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; --plan tests => 3; -+plan tests => 4; - ok(TLSProxy::Message->success(), "Basic renegotiation"); - - #Test 2: Client does not send the Reneg SCSV. Reneg should fail -@@ -77,6 +77,20 @@ SKIP: { - "Check ClientHello version is the same"); - } - -+SKIP: { -+ skip "TLSv1.2 disabled", 1 -+ if disabled("tls1_2"); -+ -+ #Test 4: Test for CVE-2021-3449. 
client_sig_algs instead of sig_algs in -+ # resumption ClientHello -+ $proxy->clear(); -+ $proxy->filter(\&sigalgs_filter); -+ $proxy->clientflags("-tls1_2"); -+ $proxy->reneg(1); -+ $proxy->start(); -+ ok(TLSProxy::Message->fail(), "client_sig_algs instead of sig_algs"); -+} -+ - sub reneg_filter - { - my $proxy = shift; -@@ -96,3 +110,23 @@ sub reneg_filter - } - } - } -+ -+sub sigalgs_filter -+{ -+ my $proxy = shift; -+ my $cnt = 0; -+ -+ # We're only interested in the second ClientHello message -+ foreach my $message (@{$proxy->message_list}) { -+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { -+ next if ($cnt++ == 0); -+ -+ my $sigs = pack "C10", 0x00, 0x08, -+ # rsa_pkcs_sha{256,384,512,1} -+ 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01; -+ $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs); -+ $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS); -+ $message->repack(); -+ } -+ } -+} diff -Nru openssl-1.1.1j/debian/patches/CVE-2021-3449-4.patch openssl-1.1.1k/debian/patches/CVE-2021-3449-4.patch --- openssl-1.1.1j/debian/patches/CVE-2021-3449-4.patch 2021-03-25 16:44:18.000000000 +0100 +++ openssl-1.1.1k/debian/patches/CVE-2021-3449-4.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,264 +0,0 @@ -From 3259aace3715440b49c20dc318f10363f03590ea Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Thu, 18 Mar 2021 16:52:10 +0000 -Subject: [PATCH] Ensure buffer/length pairs are always in sync - -Following on from CVE-2021-3449 which was caused by a non-zero length -associated with a NULL buffer, other buffer/length pairs are updated to -ensure that they too are always in sync. ---- - ssl/s3_lib.c | 5 ++++- - ssl/ssl_lib.c | 14 +++++++++++--- - ssl/statem/extensions.c | 1 + - ssl/statem/extensions_clnt.c | 14 ++++++++++++-- - ssl/statem/statem_clnt.c | 7 ++++++- - ssl/statem/statem_srvr.c | 17 ++++++++++++++--- - 6 files changed, 48 insertions(+), 10 deletions(-) - ---- a/ssl/s3_lib.c -+++ b/ssl/s3_lib.c -@@ -4629,6 +4629,7 @@ int ssl_generate_master_secret(SSL *s, u - - OPENSSL_clear_free(s->s3->tmp.psk, psklen); - s->s3->tmp.psk = NULL; -+ s->s3->tmp.psklen = 0; - if (!s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, pskpms, pskpmslen, - &s->session->master_key_length)) { -@@ -4658,8 +4659,10 @@ int ssl_generate_master_secret(SSL *s, u - else - OPENSSL_cleanse(pms, pmslen); - } -- if (s->server == 0) -+ if (s->server == 0) { - s->s3->tmp.pms = NULL; -+ s->s3->tmp.pmslen = 0; -+ } - return ret; - } - ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -779,8 +779,10 @@ SSL *SSL_new(SSL_CTX *ctx) - s->ext.ecpointformats = - OPENSSL_memdup(ctx->ext.ecpointformats, - ctx->ext.ecpointformats_len); -- if (!s->ext.ecpointformats) -+ if (!s->ext.ecpointformats) { -+ s->ext.ecpointformats_len = 0; - goto err; -+ } - s->ext.ecpointformats_len = - ctx->ext.ecpointformats_len; - } -@@ -789,8 +791,10 @@ SSL *SSL_new(SSL_CTX *ctx) - OPENSSL_memdup(ctx->ext.supportedgroups, - ctx->ext.supportedgroups_len - * sizeof(*ctx->ext.supportedgroups)); -- if (!s->ext.supportedgroups) -+ if (!s->ext.supportedgroups) { -+ s->ext.supportedgroups_len = 0; - goto err; -+ } - s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; - } - #endif -@@ 
-800,8 +804,10 @@ SSL *SSL_new(SSL_CTX *ctx) - - if (s->ctx->ext.alpn) { - s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len); -- if (s->ext.alpn == NULL) -+ if (s->ext.alpn == NULL) { -+ s->ext.alpn_len = 0; - goto err; -+ } - memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len); - s->ext.alpn_len = s->ctx->ext.alpn_len; - } -@@ -2834,6 +2840,7 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx - OPENSSL_free(ctx->ext.alpn); - ctx->ext.alpn = OPENSSL_memdup(protos, protos_len); - if (ctx->ext.alpn == NULL) { -+ ctx->ext.alpn_len = 0; - SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); - return 1; - } -@@ -2853,6 +2860,7 @@ int SSL_set_alpn_protos(SSL *ssl, const - OPENSSL_free(ssl->ext.alpn); - ssl->ext.alpn = OPENSSL_memdup(protos, protos_len); - if (ssl->ext.alpn == NULL) { -+ ssl->ext.alpn_len = 0; - SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); - return 1; - } ---- a/ssl/statem/extensions.c -+++ b/ssl/statem/extensions.c -@@ -1147,6 +1147,7 @@ static int init_sig_algs_cert(SSL *s, un - /* Clear any signature algorithms extension received */ - OPENSSL_free(s->s3->tmp.peer_cert_sigalgs); - s->s3->tmp.peer_cert_sigalgs = NULL; -+ s->s3->tmp.peer_cert_sigalgslen = 0; - - return 1; - } ---- a/ssl/statem/extensions_clnt.c -+++ b/ssl/statem/extensions_clnt.c -@@ -816,6 +816,7 @@ EXT_RETURN tls_construct_ctos_early_data - OPENSSL_free(s->psksession_id); - s->psksession_id = OPENSSL_memdup(id, idlen); - if (s->psksession_id == NULL) { -+ s->psksession_id_len = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); - return EXT_RETURN_FAIL; -@@ -1375,6 +1376,7 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, - OPENSSL_free(s->ext.peer_ecpointformats); - s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); - if (s->ext.peer_ecpointformats == NULL) { -+ s->ext.peer_ecpointformats_len = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); - return 0; 
-@@ -1492,8 +1494,13 @@ int tls_parse_stoc_sct(SSL *s, PACKET *p - s->ext.scts_len = (uint16_t)size; - if (size > 0) { - s->ext.scts = OPENSSL_malloc(size); -- if (s->ext.scts == NULL -- || !PACKET_copy_bytes(pkt, s->ext.scts, size)) { -+ if (s->ext.scts == NULL) { -+ s->ext.scts_len = 0; -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, -+ ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, - ERR_R_INTERNAL_ERROR); - return 0; -@@ -1592,6 +1599,7 @@ int tls_parse_stoc_npn(SSL *s, PACKET *p - OPENSSL_free(s->ext.npn); - s->ext.npn = OPENSSL_malloc(selected_len); - if (s->ext.npn == NULL) { -+ s->ext.npn_len = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN, - ERR_R_INTERNAL_ERROR); - return 0; -@@ -1632,6 +1640,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET * - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = OPENSSL_malloc(len); - if (s->s3->alpn_selected == NULL) { -+ s->s3->alpn_selected_len = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, - ERR_R_INTERNAL_ERROR); - return 0; -@@ -1663,6 +1672,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET * - s->session->ext.alpn_selected = - OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); - if (s->session->ext.alpn_selected == NULL) { -+ s->session->ext.alpn_selected_len = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, - ERR_R_INTERNAL_ERROR); - return 0; ---- a/ssl/statem/statem_clnt.c -+++ b/ssl/statem/statem_clnt.c -@@ -2462,6 +2462,7 @@ MSG_PROCESS_RETURN tls_process_certifica - s->s3->tmp.ctype_len = 0; - OPENSSL_free(s->pha_context); - s->pha_context = NULL; -+ s->pha_context_len = 0; - - if (!PACKET_get_length_prefixed_1(pkt, &reqctx) || - !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { -@@ -2771,16 +2772,17 @@ int tls_process_cert_status_body(SSL *s, - } - s->ext.ocsp.resp = OPENSSL_malloc(resplen); - if 
(s->ext.ocsp.resp == NULL) { -+ s->ext.ocsp.resp_len = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, - ERR_R_MALLOC_FAILURE); - return 0; - } -+ s->ext.ocsp.resp_len = resplen; - if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, - SSL_R_LENGTH_MISMATCH); - return 0; - } -- s->ext.ocsp.resp_len = resplen; - - return 1; - } -@@ -3350,9 +3352,11 @@ int tls_construct_client_key_exchange(SS - err: - OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); - s->s3->tmp.pms = NULL; -+ s->s3->tmp.pmslen = 0; - #ifndef OPENSSL_NO_PSK - OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); - s->s3->tmp.psk = NULL; -+ s->s3->tmp.psklen = 0; - #endif - return 0; - } -@@ -3427,6 +3431,7 @@ int tls_client_key_exchange_post_work(SS - err: - OPENSSL_clear_free(pms, pmslen); - s->s3->tmp.pms = NULL; -+ s->s3->tmp.pmslen = 0; - return 0; - } - ---- a/ssl/statem/statem_srvr.c -+++ b/ssl/statem/statem_srvr.c -@@ -2178,6 +2178,7 @@ int tls_handle_alpn(SSL *s) - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); - if (s->s3->alpn_selected == NULL) { -+ s->s3->alpn_selected_len = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN, - ERR_R_INTERNAL_ERROR); - return 0; -@@ -2853,9 +2854,16 @@ int tls_construct_certificate_request(SS - if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { - OPENSSL_free(s->pha_context); - s->pha_context_len = 32; -- if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL -- || RAND_bytes(s->pha_context, s->pha_context_len) <= 0 -- || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { -+ if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) { -+ s->pha_context_len = 0; -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, -+ SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, -+ ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ if (RAND_bytes(s->pha_context, s->pha_context_len) <= 0 
-+ || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, -+ s->pha_context_len)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, - ERR_R_INTERNAL_ERROR); -@@ -2969,6 +2977,7 @@ static int tls_process_cke_psk_preamble( - OPENSSL_cleanse(psk, psklen); - - if (s->s3->tmp.psk == NULL) { -+ s->s3->tmp.psklen = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); - return 0; -@@ -3508,6 +3517,7 @@ MSG_PROCESS_RETURN tls_process_client_ke - #ifndef OPENSSL_NO_PSK - OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); - s->s3->tmp.psk = NULL; -+ s->s3->tmp.psklen = 0; - #endif - return MSG_PROCESS_ERROR; - } -@@ -4117,6 +4127,7 @@ int tls_construct_new_session_ticket(SSL - s->session->ext.alpn_selected = - OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); - if (s->session->ext.alpn_selected == NULL) { -+ s->session->ext.alpn_selected_len = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, - ERR_R_MALLOC_FAILURE); diff -Nru openssl-1.1.1j/debian/patches/CVE-2021-3450-1.patch openssl-1.1.1k/debian/patches/CVE-2021-3450-1.patch --- openssl-1.1.1j/debian/patches/CVE-2021-3450-1.patch 2021-03-25 16:44:22.000000000 +0100 +++ openssl-1.1.1k/debian/patches/CVE-2021-3450-1.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,89 +0,0 @@ -From 4cef0617eb7ff0a9970da1be032a07067cfa348e Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 22 Mar 2021 08:51:52 +0000 -Subject: [PATCH] check_chain_extensions: Do not override error return value by - check_curve - -The X509_V_FLAG_X509_STRICT flag enables additional security checks of the -certificates present in a certificate chain. It is not set by default. - -Starting from OpenSSL version 1.1.1h a check to disallow certificates with -explicitly encoded elliptic curve parameters in the chain was added to the -strict checks. - -An error in the implementation of this check meant that the result of a -previous check to confirm that certificates in the chain are valid CA -certificates was overwritten. This effectively bypasses the check -that non-CA certificates must not be able to issue other certificates. - -If a "purpose" has been configured then a subsequent check that the -certificate is consistent with that purpose also checks that it is a -valid CA. Therefore where a purpose is set the certificate chain will -still be rejected even when the strict flag has been used. A purpose is -set by default in libssl client and server certificate verification -routines, but it can be overriden by an application. - -Affected applications explicitly set the X509_V_FLAG_X509_STRICT -verification flag and either do not set a purpose for the certificate -verification or, in the case of TLS client or server applications, -override the default purpose to make it not set. 
- -CVE-2021-3450 ---- - crypto/x509/x509_vfy.c | 9 ++++++--- - test/verify_extra_test.c | 16 ++++++++++++++-- - 2 files changed, 20 insertions(+), 5 deletions(-) - -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 0c71b2e8b4..5f74dfa7fa 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -524,13 +524,16 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) - ret = 1; - break; - } -- if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) { -+ if (ret > 0 -+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) { - /* Check for presence of explicit elliptic curve parameters */ - ret = check_curve(x); -- if (ret < 0) -+ if (ret < 0) { - ctx->error = X509_V_ERR_UNSPECIFIED; -- else if (ret == 0) -+ ret = 0; -+ } else if (ret == 0) { - ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS; -+ } - } - if ((x->ex_flags & EXFLAG_CA) == 0 - && x->ex_pathlen != -1 -diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c -index 010403e74a..b9959e0c66 100644 ---- a/test/verify_extra_test.c -+++ b/test/verify_extra_test.c -@@ -140,10 +140,22 @@ static int test_alt_chains_cert_forgery(void) - - i = X509_verify_cert(sctx); - -- if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) { -+ if (i != 0 || X509_STORE_CTX_get_error(sctx) != X509_V_ERR_INVALID_CA) -+ goto err; -+ -+ /* repeat with X509_V_FLAG_X509_STRICT */ -+ X509_STORE_CTX_cleanup(sctx); -+ X509_STORE_set_flags(store, X509_V_FLAG_X509_STRICT); -+ -+ if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) -+ goto err; -+ -+ i = X509_verify_cert(sctx); -+ -+ if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) - /* This is the result we were expecting: Test passed */ - ret = 1; -- } -+ - err: - X509_STORE_CTX_free(sctx); - X509_free(x); diff -Nru openssl-1.1.1j/debian/patches/CVE-2021-3450-2.patch openssl-1.1.1k/debian/patches/CVE-2021-3450-2.patch --- openssl-1.1.1j/debian/patches/CVE-2021-3450-2.patch 2021-03-25 16:44:26.000000000 
+0100 +++ openssl-1.1.1k/debian/patches/CVE-2021-3450-2.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,24 +0,0 @@ -From 1675bc43fb08e72f3d4ed02d05f62c6c6d382fc9 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Thu, 25 Mar 2021 09:22:06 +0000 -Subject: [PATCH] fixup! check_chain_extensions: Do not override error return - value by check_curve - ---- - crypto/x509/x509_vfy.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 5f74dfa7fa..20a36e763c 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -535,7 +535,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) - ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS; - } - } -- if ((x->ex_flags & EXFLAG_CA) == 0 -+ if (ret > 0 -+ && (x->ex_flags & EXFLAG_CA) == 0 - && x->ex_pathlen != -1 - && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) { - ctx->error = X509_V_ERR_INVALID_EXTENSION; diff -Nru openssl-1.1.1j/debian/patches/man-section.patch openssl-1.1.1k/debian/patches/man-section.patch --- openssl-1.1.1j/debian/patches/man-section.patch 2021-02-16 20:34:26.000000000 +0100 +++ openssl-1.1.1k/debian/patches/man-section.patch 2021-07-27 23:42:21.000000000 +0200 @@ -8,7 +8,7 @@ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index 3a24d551359b..d0c90cb2546c 100644 +index 41648c952667..e013d464bd73 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -281,7 +281,8 @@ HTMLDIR=$(DOCDIR)/html diff -Nru openssl-1.1.1j/debian/patches/series openssl-1.1.1k/debian/patches/series --- openssl-1.1.1j/debian/patches/series 2021-07-23 14:32:42.000000000 +0200 +++ openssl-1.1.1k/debian/patches/series 2021-08-11 13:00:48.000000000 +0200 
@@ -40,10 +40,4 @@ # Ubuntu patches tests-use-seclevel-1.patch tls1.2-min-seclevel2.patch -CVE-2021-3449-1.patch -CVE-2021-3449-2.patch -CVE-2021-3449-3.patch -CVE-2021-3449-4.patch -CVE-2021-3450-1.patch -CVE-2021-3450-2.patch lp1931994-s390x-evp-init-fix.patch diff -Nru openssl-1.1.1j/fuzz/x509.c openssl-1.1.1k/fuzz/x509.c --- openssl-1.1.1j/fuzz/x509.c 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/fuzz/x509.c 2021-03-25 14:28:38.000000000 +0100 @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL licenses, (the "License"); * you may not use this file except in compliance with the License. diff -Nru openssl-1.1.1j/include/openssl/opensslv.h openssl-1.1.1k/include/openssl/opensslv.h --- openssl-1.1.1j/include/openssl/opensslv.h 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/include/openssl/opensslv.h 2021-03-25 14:28:38.000000000 +0100 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,8 +39,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x101010afL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1j 16 Feb 2021" +# define OPENSSL_VERSION_NUMBER 0x101010bfL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k 25 Mar 2021" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff -Nru openssl-1.1.1j/NEWS openssl-1.1.1k/NEWS --- openssl-1.1.1j/NEWS 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/NEWS 2021-03-25 14:28:38.000000000 +0100 
@@ -5,6 +5,14 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021] + + o Fixed a problem with verifying a certificate chain when using the + X509_V_FLAG_X509_STRICT flag (CVE-2021-3450) + o Fixed an issue where an OpenSSL TLS server may crash if sent a + maliciously crafted renegotiation ClientHello message from a client + (CVE-2021-3449) + Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() diff -Nru openssl-1.1.1j/README openssl-1.1.1k/README --- openssl-1.1.1j/README 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/README 2021-03-25 14:28:38.000000000 +0100 @@ -1,7 +1,7 @@ - OpenSSL 1.1.1j 16 Feb 2021 + OpenSSL 1.1.1k 25 Mar 2021 - Copyright (c) 1998-2020 The OpenSSL Project + Copyright (c) 1998-2021 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff -Nru openssl-1.1.1j/ssl/s3_lib.c openssl-1.1.1k/ssl/s3_lib.c --- openssl-1.1.1j/ssl/s3_lib.c 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/ssl/s3_lib.c 2021-03-25 14:28:38.000000000 +0100 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -4629,6 +4629,7 @@ OPENSSL_clear_free(s->s3->tmp.psk, psklen); s->s3->tmp.psk = NULL; + s->s3->tmp.psklen = 0; if (!s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, pskpms, pskpmslen, &s->session->master_key_length)) { 
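Review bot: The length is zeroed by a separate hand-written statement after the pointer in the 4629 hunk (`s->s3->tmp.psklen = 0;` following `s->s3->tmp.psk = NULL;`), and the same free-then-reset or dup-then-reset pair recurs in the 4658 hunk and in the ssl_lib.c, extensions.c, extensions_clnt.c, statem_clnt.c and statem_srvr.c hunks below. Each site keeps the (pointer, length) pair consistent only while nobody forgets the second statement, and a forgotten one appears to be the root of the crash this release fixes (CVE-2021-3449 in CHANGES). Two small helpers taking both fields by reference — one that clear-frees and zeroes, one that dups or zeroes — would make the invariant structural, and a comment at each reset such as `/* keep len in step with ptr: NULL must always mean 0 */` would state it where it is relied on. The enclosing functions start and end outside these hunks.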
@@ -4658,8 +4659,10 @@ else OPENSSL_cleanse(pms, pmslen); } - if (s->server == 0) + if (s->server == 0) { s->s3->tmp.pms = NULL; + s->s3->tmp.pmslen = 0; + } return ret; } diff -Nru openssl-1.1.1j/ssl/ssl_lib.c openssl-1.1.1k/ssl/ssl_lib.c --- openssl-1.1.1j/ssl/ssl_lib.c 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/ssl/ssl_lib.c 2021-03-25 14:28:38.000000000 +0100 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -779,8 +779,10 @@ s->ext.ecpointformats = OPENSSL_memdup(ctx->ext.ecpointformats, ctx->ext.ecpointformats_len); - if (!s->ext.ecpointformats) + if (!s->ext.ecpointformats) { + s->ext.ecpointformats_len = 0; goto err; + } s->ext.ecpointformats_len = ctx->ext.ecpointformats_len; } @@ -789,8 +791,10 @@ OPENSSL_memdup(ctx->ext.supportedgroups, ctx->ext.supportedgroups_len * sizeof(*ctx->ext.supportedgroups)); - if (!s->ext.supportedgroups) + if (!s->ext.supportedgroups) { + s->ext.supportedgroups_len = 0; goto err; + } s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; } #endif @@ -800,8 +804,10 @@ if (s->ctx->ext.alpn) { s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len); - if (s->ext.alpn == NULL) + if (s->ext.alpn == NULL) { + s->ext.alpn_len = 0; goto err; + } memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len); s->ext.alpn_len = s->ctx->ext.alpn_len; } @@ -2834,6 +2840,7 @@ OPENSSL_free(ctx->ext.alpn); ctx->ext.alpn = OPENSSL_memdup(protos, protos_len); if (ctx->ext.alpn == NULL) { + ctx->ext.alpn_len = 0; SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } 
@@ -2853,6 +2860,7 @@ OPENSSL_free(ssl->ext.alpn); ssl->ext.alpn = OPENSSL_memdup(protos, protos_len); if (ssl->ext.alpn == NULL) { + ssl->ext.alpn_len = 0; SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } diff -Nru openssl-1.1.1j/ssl/statem/extensions.c openssl-1.1.1k/ssl/statem/extensions.c --- openssl-1.1.1j/ssl/statem/extensions.c 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/ssl/statem/extensions.c 2021-03-25 14:28:38.000000000 +0100 @@ -336,6 +336,8 @@ tls_construct_stoc_key_share, tls_construct_ctos_key_share, final_key_share }, +#else + INVALID_EXTENSION, #endif { /* Must be after key_share */ @@ -1137,6 +1139,7 @@ /* Clear any signature algorithms extension received */ OPENSSL_free(s->s3->tmp.peer_sigalgs); s->s3->tmp.peer_sigalgs = NULL; + s->s3->tmp.peer_sigalgslen = 0; return 1; } @@ -1146,6 +1149,7 @@ /* Clear any signature algorithms extension received */ OPENSSL_free(s->s3->tmp.peer_cert_sigalgs); s->s3->tmp.peer_cert_sigalgs = NULL; + s->s3->tmp.peer_cert_sigalgslen = 0; return 1; } diff -Nru openssl-1.1.1j/ssl/statem/extensions_clnt.c openssl-1.1.1k/ssl/statem/extensions_clnt.c --- openssl-1.1.1j/ssl/statem/extensions_clnt.c 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/ssl/statem/extensions_clnt.c 2021-03-25 14:28:38.000000000 +0100 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -816,6 +816,7 @@ OPENSSL_free(s->psksession_id); s->psksession_id = OPENSSL_memdup(id, idlen); if (s->psksession_id == NULL) { + s->psksession_id_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; 
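Review bot: `INVALID_EXTENSION,` in the new `#else` arm of the extensions.c 336 hunk keeps the key_share slot in the extension table when TLSv1.3 is compiled out, which implies the table is indexed positionally and must stay aligned with the TLSEXT_IDX_* values; the hunk does not say so at the entry. I would add `/* Placeholder: the table is indexed by TLSEXT_IDX_*, so the slot must exist even without TLSv1.3 */` above the new line. If the file does not already check it, a build-time assertion that `OSSL_NELEM(ext_defs)` equals `TLSEXT_IDX_num_builtins` would catch the next `#ifndef`-only entry before it ships. The table definition starts and ends outside the hunk.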
@@ -1375,6 +1376,7 @@ OPENSSL_free(s->ext.peer_ecpointformats); s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); if (s->ext.peer_ecpointformats == NULL) { + s->ext.peer_ecpointformats_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); return 0; @@ -1492,8 +1494,13 @@ s->ext.scts_len = (uint16_t)size; if (size > 0) { s->ext.scts = OPENSSL_malloc(size); - if (s->ext.scts == NULL - || !PACKET_copy_bytes(pkt, s->ext.scts, size)) { + if (s->ext.scts == NULL) { + s->ext.scts_len = 0; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, + ERR_R_MALLOC_FAILURE); + return 0; + } + if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, ERR_R_INTERNAL_ERROR); return 0; @@ -1592,6 +1599,7 @@ OPENSSL_free(s->ext.npn); s->ext.npn = OPENSSL_malloc(selected_len); if (s->ext.npn == NULL) { + s->ext.npn_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN, ERR_R_INTERNAL_ERROR); return 0; @@ -1632,6 +1640,7 @@ OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = OPENSSL_malloc(len); if (s->s3->alpn_selected == NULL) { + s->s3->alpn_selected_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, ERR_R_INTERNAL_ERROR); return 0; @@ -1663,6 +1672,7 @@ s->session->ext.alpn_selected = OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); if (s->session->ext.alpn_selected == NULL) { + s->session->ext.alpn_selected_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, ERR_R_INTERNAL_ERROR); return 0; diff -Nru openssl-1.1.1j/ssl/statem/statem_clnt.c openssl-1.1.1k/ssl/statem/statem_clnt.c --- openssl-1.1.1j/ssl/statem/statem_clnt.c 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/ssl/statem/statem_clnt.c 2021-03-25 14:28:38.000000000 +0100 
@@ -2462,6 +2462,7 @@ s->s3->tmp.ctype_len = 0; OPENSSL_free(s->pha_context); s->pha_context = NULL; + s->pha_context_len = 0; if (!PACKET_get_length_prefixed_1(pkt, &reqctx) || !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { @@ -2771,16 +2772,17 @@ } s->ext.ocsp.resp = OPENSSL_malloc(resplen); if (s->ext.ocsp.resp == NULL) { + s->ext.ocsp.resp_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, ERR_R_MALLOC_FAILURE); return 0; } + s->ext.ocsp.resp_len = resplen; if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH); return 0; } - s->ext.ocsp.resp_len = resplen; return 1; } @@ -2905,6 +2907,7 @@ if (psklen > PSK_MAX_PSK_LEN) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); + psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */ goto err; } else if (psklen == 0) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, @@ -3350,9 +3353,11 @@ err: OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); s->s3->tmp.pms = NULL; + s->s3->tmp.pmslen = 0; #ifndef OPENSSL_NO_PSK OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); s->s3->tmp.psk = NULL; + s->s3->tmp.psklen = 0; #endif return 0; } @@ -3427,6 +3432,7 @@ err: OPENSSL_clear_free(pms, pmslen); s->s3->tmp.pms = NULL; + s->s3->tmp.pmslen = 0; return 0; } diff -Nru openssl-1.1.1j/ssl/statem/statem_srvr.c openssl-1.1.1k/ssl/statem/statem_srvr.c --- openssl-1.1.1j/ssl/statem/statem_srvr.c 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/ssl/statem/statem_srvr.c 2021-03-25 14:28:38.000000000 +0100 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * 
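Review bot: The clamp `psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */` in the 2905 hunk bounds only the cleanse at `err`; if the PSK callback really wrote past the fixed-size buffer the overrun has already happened, and the comment reads as if the clamp recovers from it. I would reword it to `/* Bound the cleanse at err; a callback that overran psk[] is a bug we cannot undo here */`. The callback contract (the buffer size handed to it) and the `err:` label are outside the hunk, so I cannot tell from here whether a returned length above the maximum can occur without an overrun having taken place.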
@@ -2178,6 +2178,7 @@ OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); if (s->s3->alpn_selected == NULL) { + s->s3->alpn_selected_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN, ERR_R_INTERNAL_ERROR); return 0; @@ -2853,9 +2854,16 @@ if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { OPENSSL_free(s->pha_context); s->pha_context_len = 32; - if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL - || RAND_bytes(s->pha_context, s->pha_context_len) <= 0 - || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { + if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) { + s->pha_context_len = 0; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + return 0; + } + if (RAND_bytes(s->pha_context, s->pha_context_len) <= 0 + || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, + s->pha_context_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); @@ -2969,6 +2977,7 @@ OPENSSL_cleanse(psk, psklen); if (s->s3->tmp.psk == NULL) { + s->s3->tmp.psklen = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); return 0; @@ -3508,6 +3517,7 @@ #ifndef OPENSSL_NO_PSK OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); s->s3->tmp.psk = NULL; + s->s3->tmp.psklen = 0; #endif return MSG_PROCESS_ERROR; } 
@@ -4117,6 +4127,7 @@ s->session->ext.alpn_selected = OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); if (s->session->ext.alpn_selected == NULL) { + s->session->ext.alpn_selected_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); diff -Nru openssl-1.1.1j/test/recipes/70-test_renegotiation.t openssl-1.1.1k/test/recipes/70-test_renegotiation.t --- openssl-1.1.1j/test/recipes/70-test_renegotiation.t 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/test/recipes/70-test_renegotiation.t 2021-03-25 14:28:38.000000000 +0100 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -38,7 +38,7 @@ $proxy->clientflags("-no_tls1_3"); $proxy->reneg(1); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 3; +plan tests => 4; ok(TLSProxy::Message->success(), "Basic renegotiation"); #Test 2: Client does not send the Reneg SCSV. Reneg should fail @@ -77,6 +77,20 @@ "Check ClientHello version is the same"); } +SKIP: { + skip "TLSv1.2 disabled", 1 + if disabled("tls1_2"); + + #Test 4: Test for CVE-2021-3449. client_sig_algs instead of sig_algs in + # resumption ClientHello + $proxy->clear(); + $proxy->filter(\&sigalgs_filter); + $proxy->clientflags("-tls1_2"); + $proxy->reneg(1); + $proxy->start(); + ok(TLSProxy::Message->fail(), "client_sig_algs instead of sig_algs"); +} + sub reneg_filter { my $proxy = shift; 
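Review bot: `$proxy->start();` in the new Test 4 block ignores its return value, whereas the first start near the top of the file treats a false return as a reason to skip; if the proxy fails to come up here, `ok(TLSProxy::Message->fail(), ...)` is evaluated against whatever state is left after `$proxy->clear()` and may pass for the wrong reason. Tests 2 and 3 are outside the hunk and may already follow the same unchecked style, so this may be the file's convention; still, for a regression test whose assertion is "the server rejects this ClientHello", `$proxy->start() or die "Unable to restart Proxy";` would make a setup failure distinguishable from the expected handshake failure. A one-line comment on the `ok` stating what is expected — the server rejects the renegotiation ClientHello instead of crashing — would also make the `fail()` assertion self-explanatory.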
@@ -95,4 +109,24 @@
 $message->repack();
 }
 }
+}
+
+sub sigalgs_filter
+{
+ my $proxy = shift;
+ my $cnt = 0;
+
+ # We're only interested in the second ClientHello message
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+ next if ($cnt++ == 0);
+
+ my $sigs = pack "C10", 0x00, 0x08,
+ # rsa_pkcs_sha{256,384,512,1}
+ 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01;
+ $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs);
+ $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS);
+ $message->repack();
+ }
+ }
 }
diff -Nru openssl-1.1.1j/test/rsa_test.c openssl-1.1.1k/test/rsa_test.c
--- openssl-1.1.1j/test/rsa_test.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/test/rsa_test.c 2021-03-25 14:28:38.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -304,7 +304,7 @@
 static int test_rsa_oaep(int idx)
 {
 int ret = 0;
- RSA *key;
+ RSA *key = NULL;
 unsigned char ptext[256];
 unsigned char ctext[256];
 static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
diff -Nru openssl-1.1.1j/test/verify_extra_test.c openssl-1.1.1k/test/verify_extra_test.c
--- openssl-1.1.1j/test/verify_extra_test.c 2021-02-16 16:24:01.000000000 +0100
+++ openssl-1.1.1k/test/verify_extra_test.c 2021-03-25 14:28:38.000000000 +0100
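Review bot: The packed bytes in `sigalgs_filter` carry a comment for the four scheme pairs but none for the leading `0x00, 0x08`, and the `"C10"` count has to be kept in step with the list by hand. I would document the layout, `# signature_algorithms_cert body: 2-byte list length (8) followed by four 2-byte SignatureScheme values`, and write `pack "C*", ...` so the count need not track the list. The side-effecting `next if ($cnt++ == 0);` is also easier to read with a comment such as `# skip the initial ClientHello; only the renegotiation one is patched`. The surrounding subs of the file are outside the hunk.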
@@ -140,10 +140,22 @@ i = X509_verify_cert(sctx); - if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) { + if (i != 0 || X509_STORE_CTX_get_error(sctx) != X509_V_ERR_INVALID_CA) + goto err; + + /* repeat with X509_V_FLAG_X509_STRICT */ + X509_STORE_CTX_cleanup(sctx); + X509_STORE_set_flags(store, X509_V_FLAG_X509_STRICT); + + if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) + goto err; + + i = X509_verify_cert(sctx); + + if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) /* This is the result we were expecting: Test passed */ ret = 1; - } + err: X509_STORE_CTX_free(sctx); X509_free(x); diff -Nru openssl-1.1.1j/tools/c_rehash.in openssl-1.1.1k/tools/c_rehash.in --- openssl-1.1.1j/tools/c_rehash.in 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/tools/c_rehash.in 2021-03-25 14:28:38.000000000 +0100 @@ -1,7 +1,7 @@ #!{- $config{HASHBANGPERL} -} # {- join("\n# ", @autowarntext) -} -# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -161,7 +161,7 @@ sub link_hash_cert { my $fname = $_[0]; - $fname =~ s/'/'\\''/g; + $fname =~ s/\"/\\\"/g; my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; chomp $hash; chomp $fprint; diff -Nru openssl-1.1.1j/util/perl/TLSProxy/Message.pm openssl-1.1.1k/util/perl/TLSProxy/Message.pm --- openssl-1.1.1j/util/perl/TLSProxy/Message.pm 2021-02-16 16:24:01.000000000 +0100 +++ openssl-1.1.1k/util/perl/TLSProxy/Message.pm 2021-03-25 14:28:38.000000000 +0100 
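Review bot: The new `$fname =~ s/\"/\\\"/g;` in the c_rehash.in hunk escapes only double quotes, but `$fname` is still interpolated into a backtick command inside a double-quoted shell argument, where `$`, backticks and backslashes are also interpreted by the shell, so a certificate filename containing those characters still alters the command that runs. Escaping is the wrong tool here: the list form of piped `open` hands the arguments to the program without a shell, so no quoting is needed and `$openssl`/`$x509hash` pass through unchanged (this assumes `$x509hash` holds a single option, which I cannot confirm from the hunk). The previous single-quote escaping that this replaces was insufficient for the same reason. The rest of `link_hash_cert` is outside the hunk.
```perl
sub link_hash_cert {
    my $fname = $_[0];
    open(my $out, '-|', $openssl, 'x509', $x509hash, '-fingerprint', '-noout', '-in', $fname)
        or die "Cannot run $openssl on $fname: $!";
    my ($hash, $fprint) = <$out>;
    close($out);
    # … unchanged: chomp $hash; chomp $fprint; and the remainder of link_hash_cert …
```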
@@ -1,4 +1,4 @@ -# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -448,7 +448,7 @@ } #Update all the underlying records with the modified data from this message -#Note: Only supports re-encrypting for TLSv1.3 +#Note: Only supports TLSv1.3 and ETM encryption sub repack { my $self = shift; @@ -490,15 +490,38 @@ # (If a length override is ever needed to construct invalid packets, # use an explicit override field instead.) $rec->decrypt_len(length($rec->decrypt_data)); - $rec->len($rec->len + length($msgdata) - $old_length); - # Only support re-encryption for TLSv1.3. - if (TLSProxy::Proxy->is_tls13() && $rec->encrypted()) { - #Add content type (1 byte) and 16 tag bytes - $rec->data($rec->decrypt_data - .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16)); + # Only support re-encryption for TLSv1.3 and ETM. + if ($rec->encrypted()) { + if (TLSProxy::Proxy->is_tls13()) { + #Add content type (1 byte) and 16 tag bytes + $rec->data($rec->decrypt_data + .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16)); + } elsif ($rec->etm()) { + my $data = $rec->decrypt_data; + #Add padding + my $padval = length($data) % 16; + $padval = 15 - $padval; + for (0..$padval) { + $data .= pack("C", $padval); + } + + #Add MAC. Assumed to be 20 bytes + foreach my $macval (0..19) { + $data .= pack("C", $macval); + } + + if ($rec->version() >= TLSProxy::Record::VERS_TLS_1_1) { + #Explicit IV + $data = ("\0"x16).$data; + } + $rec->data($data); + } else { + die "Unsupported encryption: No ETM"; + } } else { $rec->data($rec->decrypt_data); } + $rec->len(length($rec->data)); #Update the fragment len in case we changed it above ${$self->message_frag_lens}[0] = length($msgdata)