diff --git a/CHANGES b/CHANGES index 8945260c..52c2edf1 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,41 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1u and 1.1.1v [1 Aug 2023] + + *) Fix excessive time spent checking DH q parameter value. + + The function DH_check() performs various checks on DH parameters. After + fixing CVE-2023-3446 it was discovered that a large q parameter value can + also trigger an overly long computation during some of these checks. + A correct q value, if present, cannot be larger than the modulus p + parameter, thus it is unnecessary to perform these checks if q is larger + than p. + + If DH_check() is called with such q parameter value, + DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally + intensive checks are skipped. + + (CVE-2023-3817) + [Tomáš Mráz] + + *) Fix DH_check() excessive time with over sized modulus + + The function DH_check() performs various checks on DH parameters. One of + those checks confirms that the modulus ("p" parameter) is not too large. + Trying to use a very large modulus is slow and OpenSSL will not normally use + a modulus which is over 10,000 bits in length. + + However the DH_check() function checks numerous aspects of the key or + parameters that have been supplied. Some of those checks use the supplied + modulus value even if it has already been found to be too large. + + A new limit has been added to DH_check of 32,768 bits. Supplying a + key/parameters with a modulus over this size will simply cause DH_check() + to fail. + (CVE-2023-3446) + [Matt Caswell] + Changes between 1.1.1t and 1.1.1u [30 May 2023] *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic diff --git a/NEWS b/NEWS index f5a2d5ad..c71c0291 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] + + o Fix excessive time spent checking DH q parameter value (CVE-2023-3817) + o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) + Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023] o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic diff --git a/README.OpenSSL b/README.OpenSSL index b9bf50f4..dbe6bf75 100644 --- a/README.OpenSSL +++ b/README.OpenSSL @@ -1,5 +1,5 @@ - OpenSSL 1.1.1u 30 May 2023 + OpenSSL 1.1.1v 1 Aug 2023 Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/THIS_VERSION_IS_1.1.1u b/THIS_VERSION_IS_1.1.1v similarity index 100% rename from THIS_VERSION_IS_1.1.1u rename to THIS_VERSION_IS_1.1.1v diff --git a/apps/tsget.pl b/apps/tsget.pl index 0cce3e14..b07a92d5 100644 --- a/apps/tsget.pl +++ b/apps/tsget.pl @@ -47,7 +47,7 @@ sub create_curl { $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; $curl->setopt(CURLOPT_FAILONERROR, 1); $curl->setopt(CURLOPT_USERAGENT, - "OpenTSA tsget.pl/openssl-1.1.1u"); + "OpenTSA tsget.pl/openssl-1.1.1v"); # Options for POST method. $curl->setopt(CURLOPT_UPLOAD, 1); diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index 4ac169e7..ae1b03bc 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -97,10 +97,17 @@ int DH_check_ex(const DH *dh) int DH_check(const DH *dh, int *ret) { - int ok = 0, r; + int ok = 0, r, q_good = 0; BN_CTX *ctx = NULL; BIGNUM *t1 = NULL, *t2 = NULL; + /* Don't do any checks at all with an excessively large modulus */ + if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { + DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); + *ret = DH_CHECK_P_NOT_PRIME; + return 0; + } + if (!DH_check_params(dh, ret)) return 0; @@ -113,7 +120,14 @@ int DH_check(const DH *dh, int *ret) if (t2 == NULL) goto err; - if (dh->q) { + if (dh->q != NULL) { + if (BN_ucmp(dh->p, dh->q) > 0) + q_good = 1; + else + *ret |= DH_CHECK_INVALID_Q_VALUE; + } + + if (q_good) { if (BN_cmp(dh->g, BN_value_one()) <= 0) *ret |= DH_NOT_SUITABLE_GENERATOR; else if (BN_cmp(dh->g, dh->p) >= 0) diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c index 7285587b..92800d3f 100644 --- a/crypto/dh/dh_err.c +++ b/crypto/dh/dh_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = { {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0), "dh_builtin_genparams"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"}, diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 9f91a4a8..c0a3cd72 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version DH_F_COMPUTE_KEY:102:compute_key DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams +DH_F_DH_CHECK:126:DH_check DH_F_DH_CHECK_EX:121:DH_check_ex DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex diff --git a/distfiles/config_all.cmd b/distfiles/config_all.cmd index 6e8f745c..58526398 100644 --- a/distfiles/config_all.cmd +++ b/distfiles/config_all.cmd @@ -1,7 +1,7 @@ setlocal -set OPENSSL_VER=1.1.1u -set OPENSSL_VER_SED=1\.1\.1u +set OPENSSL_VER=1.1.1v +set OPENSSL_VER_SED=1\.1\.1v set OPENSSL_BASE=openssl-%OPENSSL_VER% set OPENSSL_BASE_SED=openssl-%OPENSSL_VER_SED% set OPENSSL_DIR=..\%OPENSSL_BASE% diff --git a/distfiles/download.url b/distfiles/download.url index d768b137..489ce69d 100644 --- a/distfiles/download.url +++ b/distfiles/download.url @@ -1,2 +1,2 @@ -https://www.openssl.org/source/openssl-1.1.1u.tar.gz -https://www.openssl.org/source/openssl-1.1.1u.tar.gz.asc +https://www.openssl.org/source/openssl-1.1.1v.tar.gz +https://www.openssl.org/source/openssl-1.1.1v.tar.gz.asc diff --git a/distfiles/openssl-1.1.1u.tar.gz.asc b/distfiles/openssl-1.1.1u.tar.gz.asc deleted file mode 100644 index cfb85b47..00000000 --- a/distfiles/openssl-1.1.1u.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmR171cACgkQUnRmohyn -nm0f7RAAj+ZssEY1hiRWhuLTmmFJIR1vhEpP9addj8oaXvlJSrA6QzHZrUcuzTL0 -jtOkS4gTIla8iNNe1alwQdYXnhW46IrQAy2+bYuHCLXJm55/0PKCs2Cdy3naPU3N -9zxo+jAEx3X7hBJAzyLbGwrzpIUe9mbkyheSGxtEpW53ZvX1jo73uxyVYzq6BwJx -ngCeyBDrRrP6GgwMrpR6zExUyOwltBl/Jvx813AvXXbczJgMe3wCeQOa9Y1QWaVA -eTKz2lT7reZ80VzfXNMdPT+33+vABfwGEPsdXy7JIWGJubiC5vkHq2Im/U6wzU9v -9WsKk9MGQ4OV52gcRiYVyb9+nvGWUgfgV8c268nwWHIdYA85FjBb8xGzK1vHgA3o -E4rRT6e94l+NQChjmm7NwALLcQ+oFtqXsK+CiG9Ek6BMXJ/RitmQUHuhnRDyNL2u -OtbF549NrxwPe3CskJzP+tUizcQbM6HJtaKi+U49f1+EYZObxJ57qom34eFgET8N -GvnY6ikBccGEMjphL7dOzEnKYMRBSTCYAQfjBLFvwth2yLjM5f8AC+z6KhGiKnDY -JI+hHdca4rfrsKXxon+62x8gFmP8waHacR6Sh0OqDiYqNYn+G9q3nuLZMGpRJD2M -WgXyeu43LEXwhbCGzxnQH0mxFWSMB/2trWTTFzr5BrS7TmujVCw= -=EBqr ------END PGP SIGNATURE----- diff --git a/distfiles/openssl-1.1.1u-import.lst b/distfiles/openssl-1.1.1v-import.lst similarity index 100% rename from distfiles/openssl-1.1.1u-import.lst rename to distfiles/openssl-1.1.1v-import.lst diff --git a/distfiles/openssl-1.1.1u-import.md5 b/distfiles/openssl-1.1.1v-import.md5 similarity index 99% rename from distfiles/openssl-1.1.1u-import.md5 rename to distfiles/openssl-1.1.1v-import.md5 index 8e3f5c00..4a84e98f 100644 --- a/distfiles/openssl-1.1.1u-import.md5 +++ b/distfiles/openssl-1.1.1v-import.md5 @@ -1,6 +1,6 @@ cb0ec3e273abef55cf69e3daf0eb1aa7 ACKNOWLEDGEMENTS b09382a71a683332fed963c07c41db9d AUTHORS -077bf94ece107a263de8a5340f7d739d CHANGES +854af7ba2750274cb5651ae07b281114 CHANGES e23f91cda0dcc8d431b4bbbfc8182436 CONTRIBUTING 21411ba7e78f9625fcb00f4b1029fe46 Configurations/00-base-templates.conf a9fc60040f6d90772873e50b99bc59c6 Configurations/10-main.conf @@ -25,7 +25,7 @@ cfbd4fa03a70f1f5c7c19bf49fb3f922 Configurations/unix-checker.pm 773609f5df921846200ffdadb8183fd2 FAQ 13194751cb9a244db92b2f2db147ab42 INSTALL d343e62fc9c833710bbbed25f27364c8 LICENSE.OpenSSL -fab9a68bf9327b6e15d639d081936b02 NEWS +8acbb75444cc18b2c6f53e970bddd7f9 NEWS 8163bcfc421e98b7ae8fc6ac7614674e NOTES.ANDROID 6115eaaaa37c8efdc8ab890d6d367f61 NOTES.DJGPP 1649e73393936807d79191cb844d750a NOTES.PERL @@ -34,7 +34,7 @@ abc8f2829a88f86f9567646e3a1a6fd2 NOTES.VMS ca76687f1d02daf7076a1c7befeb8835 NOTES.WIN cc460e9dc40abccbbcf6e4f23b3653e2 README.ENGINE d9843adb59eee61091dd34eecf34607f README.FIPS -3e22ab38316d0e3ed0423edff7290950 README.OpenSSL +ddc41691fdd1fd07646dca7f3cf6c703 README.OpenSSL 1e53020c0dbb0472ac0be70ae5aa6d14 VMS/VMSify-conf.pl 28b93e3f63152ceeeed2974f86af0aba VMS/engine.opt 2bf313906cec3f9f9be270bc93f9119b VMS/msg_install.com @@ -514,9 +514,9 @@ e373b4cac0facb8b1f5f2955a2c92693 crypto/dh/dh192.pem 4567f6709f7a315c2dbbc28dc797f62a crypto/dh/dh512.pem 3f4950ad2c101b688cace28630548b22 crypto/dh/dh_ameth.c 2457bdecc954edb1b4ee94137b7b6765 crypto/dh/dh_asn1.c -313f63367c87841b64467d0ee7e8fcdb crypto/dh/dh_check.c +55149cac6e37b98302344ec519183e54 crypto/dh/dh_check.c 570a83b76fc96cb360746e3523defba7 crypto/dh/dh_depr.c -39267d950af33070c5761ad74e6e0d1a crypto/dh/dh_err.c +9212468a45c0c41d694df68d7417fd55 crypto/dh/dh_err.c 2249fc616b510df61903f2f41fd57f41 crypto/dh/dh_gen.c d0252e053218ac2227a132817c72803e crypto/dh/dh_kdf.c 44606b2aba359d242c175075bb11b674 crypto/dh/dh_key.c @@ -642,7 +642,7 @@ b677e0f7cb67f87045e47a3d923c9e35 crypto/err/README 441128b9723a5b5463fb9eda4d692b1a crypto/err/err_all.c 18e0fb299cd6e3452475820c7787fb1b crypto/err/err_prn.c 95a8536b811d8b958fca62ee7ba1b41d crypto/err/openssl.ec -3c68a52c63611d6bd0b56f8b23778bd3 crypto/err/openssl.txt +422764ef41fc888e877bb954911530ad crypto/err/openssl.txt 55fbd3d59f8bc1867a0d749f46203358 crypto/evp/bio_b64.c b35be92ed37ed45fb3769e5b104aa9f8 crypto/evp/bio_enc.c 01bb5a4dfccd68600416eefdfb174874 crypto/evp/bio_md.c @@ -1916,8 +1916,8 @@ f41135816a60bbb0547f5f73b1809a5d include/openssl/cryptoerr.h 57e2063b70bb5b426c53e07ebdb798ee include/openssl/ct.h 6bbb9ff43dd432b0584625d5ab66eb5f include/openssl/cterr.h 38e6b1b2fdcc4367bd308e973a4247a3 include/openssl/des.h -d0e26907e63a793751c1583776d8b3e0 include/openssl/dh.h -8d91b58878b3e8e19ed2e3a6e036e64e include/openssl/dherr.h +9d9b58831b0630fc55d10077366067ea include/openssl/dh.h +6e8b4a5dcfd9aa9d29bafe7f1925eca9 include/openssl/dherr.h 0ef45517f9e21886f8714661996ac6d7 include/openssl/dsa.h 4b14307e77edce4b7ae697b45f7523b1 include/openssl/dsaerr.h 3845d048ee84b3de108591b926fb9abb include/openssl/dtls1.h @@ -1948,7 +1948,7 @@ cd2c20bda6ce3ce7e68133187b79569a include/openssl/objectserr.h d1834fecb601c24ce6aa57dc1ba2e0a2 include/openssl/ocsp.h 9030e751a71574968f18b20f46e9b65e include/openssl/ocsperr.h 3d92916846ebd5f3e9c94d19d591cf0b include/openssl/opensslconf.h.in -a82893d67e3b2a4ab7679d28b933713b include/openssl/opensslv.h +9aba5fa6d95e4f44aef9eed87ba2ba01 include/openssl/opensslv.h 6d8778393403fbb9402a61f662d81e45 include/openssl/ossl_typ.h 6641d7e758543c599296c6f6804502be include/openssl/pem.h a4b103ebb4920466919e051d83a84a77 include/openssl/pem2.h @@ -2360,7 +2360,7 @@ a44cedb6378d0b852d53412b89db236d test/danetest.in 9c09e39960d1985c9e354c58b759f013 test/danetest.pem d85f25b1dfec635abbe59f7b09a050f4 test/data.bin 2ef5cdb35dbb1008ae61c1411ee478f5 test/destest.c -d9e6d44f548a93d41326ad6628a45f89 test/dhtest.c +d186f3bc0c83d3290a4a9d819a1cb337 test/dhtest.c 388d3a86cceef511195136a6d4b29c6c test/drbg_cavs_data.c 37d15954c39fa386192239219d504a65 test/drbg_cavs_data.h 08238617ab2716756b9e18007c4a3a45 test/drbg_cavs_test.c diff --git a/distfiles/openssl-1.1.1u.tar.gz b/distfiles/openssl-1.1.1v.tar.gz similarity index 56% rename from distfiles/openssl-1.1.1u.tar.gz rename to distfiles/openssl-1.1.1v.tar.gz index 385e492a..ab725b9d 100644 Binary files a/distfiles/openssl-1.1.1u.tar.gz and b/distfiles/openssl-1.1.1v.tar.gz differ diff --git a/distfiles/openssl-1.1.1v.tar.gz.asc b/distfiles/openssl-1.1.1v.tar.gz.asc new file mode 100644 index 00000000..83b41694 --- /dev/null +++ b/distfiles/openssl-1.1.1v.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmTJDewACgkQ2JTizos9 +efVPDBAAjgNq842XSAhmH3CBHHFtMuVlg5RV+tAV7PF7tDm/Bu0VPxZecvDhEHyk +y1bIzYki9kPQrnDc5Cz3UYHjnBp2n2GH+JDShedSJMH3qbsAlSB4j5b15UFjE8b4 +yDl4rlcug3SydqEdYJAGnOD3QBghsX7GiS6S9BgnU1D1XDZ1LYF6NumrjeypGm2r +vodcjel0tD+Xu2Du398sGmXLZLfK7eBT8dYtzWHAZubf+dNQmfRRDALo2Q5Xux6p +xIDlEQvTUkt5mF+Rx0CI1boIKeaFoZFOReUW0zkKYfwNkfq1WvGj3sGA+StQsgn1 +Dvfx6ONoS9UT+6KTegsLOIX2xOAHa8k4UgtW19eCovYzJNkBwNnq83lrvIEMoLY7 +brALTqBmlFq4prPgzpDHlTeC78uDcf/Ao95CeBw5yKVsKAN7W7vA2u6Gr2ZgUWsF +zVnrxJ9difkrvkFxm6uO2qu1qA/84Bow77M6/7FSHFZ+oDB3tjGXtq4Tf6iBkhpf +XIRu79S1LxCY7HxKVHHfpKuGSfefV/tgPeOac8CvucIq6r1Be20h0crRnDEGJt8G +Otznvt04iX+FkSVC7PjiAVZqubQQWjXUZxDngQgUOye/suExGwEoaTMmhj95eiVu +ufee+jDrVGOjhLLoEClP/+zpl2Wplq3KzLVsvvJa8v5KTVot9r4= +=mu7b +-----END PGP SIGNATURE----- diff --git a/include/openssl/dh.h b/include/openssl/dh.h index 3527540c..6c6ff363 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -29,6 +29,9 @@ extern "C" { # ifndef OPENSSL_DH_MAX_MODULUS_BITS # define OPENSSL_DH_MAX_MODULUS_BITS 10000 # endif +# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS +# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 +# endif # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h index 916b3bed..528c8198 100644 --- a/include/openssl/dherr.h +++ b/include/openssl/dherr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -30,6 +30,7 @@ int ERR_load_DH_strings(void); # define DH_F_COMPUTE_KEY 102 # define DH_F_DHPARAMS_PRINT_FP 101 # define DH_F_DH_BUILTIN_GENPARAMS 106 +# define DH_F_DH_CHECK 126 # define DH_F_DH_CHECK_EX 121 # define DH_F_DH_CHECK_PARAMS_EX 122 # define DH_F_DH_CHECK_PUB_KEY_EX 123 diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 5ed047d1..0dc99ecc 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -39,8 +39,8 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1010115fL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1u 30 May 2023" +# define OPENSSL_VERSION_NUMBER 0x1010116fL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1v 1 Aug 2023" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/ms/arm/configdata.pm b/ms/arm/configdata.pm index 8336adc6..8c6ef710 100644 --- a/ms/arm/configdata.pm +++ b/ms/arm/configdata.pm @@ -64,7 +64,7 @@ our %config = ( options => "--prefix=C:\\Program Files\\OpenSSL-1_1 --with-zlib-include=..\\zlib --with-zlib-lib=..\\zlib\\build\\ARM\\Release\\libz-static.lib enable-zlib no-afalgeng no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ssl-trace no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers no-zlib-dynamic", perl_archname => "MSWin32-x64-multi-thread", perl_cmd => "C:\\Strawberry\\perl\\bin\\perl.exe", - perl_version => "5.32.1", + perl_version => "5.38.0", perlargv => [ "--prefix=C:\\Program Files\\OpenSSL-1_1", "--with-zlib-include=..\\zlib", "--with-zlib-lib=..\\zlib\\build\\ARM\\Release\\libz-static.lib", "VC-WIN32-ARM", "no-dynamic-engine", "zlib" ], perlenv => { "AR" => undef, @@ -113,8 +113,8 @@ our %config = ( sourcedir => ".", target => "VC-WIN32-ARM", tdirs => [ "ossl_shim" ], - version => "1.1.1u", - version_num => "0x1010115fL", + version => "1.1.1v", + version_num => "0x1010116fL", ); our %target = ( diff --git a/ms/arm/static/configdata.pm b/ms/arm/static/configdata.pm index 84a2ee63..455c469b 100644 --- a/ms/arm/static/configdata.pm +++ b/ms/arm/static/configdata.pm @@ -64,7 +64,7 @@ our %config = ( options => "--prefix=C:\\Program Files\\OpenSSL-1_1 --with-zlib-include=..\\zlib --with-zlib-lib=..\\zlib\\build\\ARM\\Release\\libz-static.lib enable-zlib no-afalgeng no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-shared no-ssl-trace no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers no-zlib-dynamic", perl_archname => "MSWin32-x64-multi-thread", perl_cmd => "C:\\Strawberry\\perl\\bin\\perl.exe", - perl_version => "5.32.1", + perl_version => "5.38.0", perlargv => [ "--prefix=C:\\Program Files\\OpenSSL-1_1", "--with-zlib-include=..\\zlib", "--with-zlib-lib=..\\zlib\\build\\ARM\\Release\\libz-static.lib", "VC-WIN32-ARM", "no-shared", "no-dynamic-engine", "zlib" ], perlenv => { "AR" => undef, @@ -113,8 +113,8 @@ our %config = ( sourcedir => ".", target => "VC-WIN32-ARM", tdirs => [ "ossl_shim" ], - version => "1.1.1u", - version_num => "0x1010115fL", + version => "1.1.1v", + version_num => "0x1010116fL", ); our %target = ( diff --git a/ms/arm64/configdata.pm b/ms/arm64/configdata.pm index 2a4f8db3..1c2e98d5 100644 --- a/ms/arm64/configdata.pm +++ b/ms/arm64/configdata.pm @@ -64,7 +64,7 @@ our %config = ( options => "--prefix=C:\\Program Files\\OpenSSL-1_1 --with-zlib-include=..\\zlib --with-zlib-lib=..\\zlib\\build\\ARM64\\Release\\libz-static.lib enable-zlib no-afalgeng no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ssl-trace no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers no-zlib-dynamic", perl_archname => "MSWin32-x64-multi-thread", perl_cmd => "C:\\Strawberry\\perl\\bin\\perl.exe", - perl_version => "5.32.1", + perl_version => "5.38.0", perlargv => [ "--prefix=C:\\Program Files\\OpenSSL-1_1", "--with-zlib-include=..\\zlib", "--with-zlib-lib=..\\zlib\\build\\ARM64\\Release\\libz-static.lib", "VC-WIN64-ARM", "no-dynamic-engine", "zlib" ], perlenv => { "AR" => undef, @@ -113,8 +113,8 @@ our %config = ( sourcedir => ".", target => "VC-WIN64-ARM", tdirs => [ "ossl_shim" ], - version => "1.1.1u", - version_num => "0x1010115fL", + version => "1.1.1v", + version_num => "0x1010116fL", ); our %target = ( @@ -3174,6 +3174,8 @@ our %unified_info = ( { "deps" => [ + "ssl\\packet.o", + "ssl\\tls13_enc.o", "ssl\\bio_ssl.o", "ssl\\d1_lib.o", "ssl\\d1_msg.o", @@ -3203,8 +3205,6 @@ our %unified_info = ( "ssl\\t1_trce.o", "ssl\\tls13_enc.o", "ssl\\tls_srp.o", - "ssl\\packet.o", - "ssl\\tls13_enc.o", ], "products" => { diff --git a/ms/arm64/static/configdata.pm b/ms/arm64/static/configdata.pm index 2311621e..ba8cd446 100644 --- a/ms/arm64/static/configdata.pm +++ b/ms/arm64/static/configdata.pm @@ -64,7 +64,7 @@ our %config = ( options => "--prefix=C:\\Program Files\\OpenSSL-1_1 --with-zlib-include=..\\zlib --with-zlib-lib=..\\zlib\\build\\ARM64\\Release\\libz-static.lib enable-zlib no-afalgeng no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-shared no-ssl-trace no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers no-zlib-dynamic", perl_archname => "MSWin32-x64-multi-thread", perl_cmd => "C:\\Strawberry\\perl\\bin\\perl.exe", - perl_version => "5.32.1", + perl_version => "5.38.0", perlargv => [ "--prefix=C:\\Program Files\\OpenSSL-1_1", "--with-zlib-include=..\\zlib", "--with-zlib-lib=..\\zlib\\build\\ARM64\\Release\\libz-static.lib", "VC-WIN64-ARM", "no-shared", "no-dynamic-engine", "zlib" ], perlenv => { "AR" => undef, @@ -113,8 +113,8 @@ our %config = ( sourcedir => ".", target => "VC-WIN64-ARM", tdirs => [ "ossl_shim" ], - version => "1.1.1u", - version_num => "0x1010115fL", + version => "1.1.1v", + version_num => "0x1010116fL", ); our %target = ( diff --git a/ms/openssl1_1.rc b/ms/openssl1_1.rc index 37f1c851..4ec63ce8 100644 --- a/ms/openssl1_1.rc +++ b/ms/openssl1_1.rc @@ -3,8 +3,8 @@ LANGUAGE 0x09,0x01 1 VERSIONINFO - FILEVERSION 1,1,1,21 - PRODUCTVERSION 1,1,1,21 + FILEVERSION 1,1,1,22 + PRODUCTVERSION 1,1,1,22 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x01L @@ -30,7 +30,7 @@ BEGIN #else VALUE "FileDescription", "OpenSSL library\0" #endif - VALUE "FileVersion", "1.1.1u\0" + VALUE "FileVersion", "1.1.1v\0" #if defined(LIBCRYPTO) VALUE "InternalName", "libcrypto\0" VALUE "OriginalFilename", "libcrypto-1_1.dll\0" @@ -42,7 +42,7 @@ BEGIN VALUE "OriginalFilename", "openssl.exe\0" #endif VALUE "ProductName", "The OpenSSL Toolkit\0" - VALUE "ProductVersion", "1.1.1u\0" + VALUE "ProductVersion", "1.1.1v\0" // Optional: //VALUE "Comments", "\0" VALUE "LegalCopyright", "Copyright 1998-2023 The OpenSSL Authors. All rights reserved.\0" diff --git a/ms/x64/configdata.pm b/ms/x64/configdata.pm index a10dd32a..f74703dd 100644 --- a/ms/x64/configdata.pm +++ b/ms/x64/configdata.pm @@ -67,7 +67,7 @@ our %config = ( options => "--prefix=C:\\Program Files\\OpenSSL-1_1 --with-zlib-include=..\\zlib --with-zlib-lib=..\\zlib\\build\\x64\\Release\\libz-static.lib enable-zlib no-afalgeng no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ssl-trace no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers no-zlib-dynamic", perl_archname => "MSWin32-x64-multi-thread", perl_cmd => "C:\\Strawberry\\perl\\bin\\perl.exe", - perl_version => "5.32.1", + perl_version => "5.38.0", perlargv => [ "--prefix=C:\\Program Files\\OpenSSL-1_1", "--with-zlib-include=..\\zlib", "--with-zlib-lib=..\\zlib\\build\\x64\\Release\\libz-static.lib", "VC-WIN64A-masm", "no-dynamic-engine", "zlib" ], perlenv => { "AR" => undef, @@ -116,8 +116,8 @@ our %config = ( sourcedir => ".", target => "VC-WIN64A-masm", tdirs => [ "ossl_shim" ], - version => "1.1.1u", - version_num => "0x1010115fL", + version => "1.1.1v", + version_num => "0x1010116fL", ); our %target = ( @@ -3208,10 +3208,10 @@ our %unified_info = ( { "deps" => [ + "ms\\uplink.o", "ms\\applink.o", "ms\\applink.o", "ms\\applink.o", - "ms\\uplink.o", ], "products" => { @@ -3231,8 +3231,6 @@ our %unified_info = ( { "deps" => [ - "ssl\\packet.o", - "ssl\\tls13_enc.o", "ssl\\bio_ssl.o", "ssl\\d1_lib.o", "ssl\\d1_msg.o", @@ -3262,6 +3260,8 @@ our %unified_info = ( "ssl\\t1_trce.o", "ssl\\tls13_enc.o", "ssl\\tls_srp.o", + "ssl\\packet.o", + "ssl\\tls13_enc.o", ], "products" => { @@ -10114,14 +10114,14 @@ our %unified_info = ( ], "ms\\applink.o" => [ - ".", - "apps", - "include", "crypto\\ec", + "apps", ".", + "include", + ".\\crypto\\ec", ".\\apps", + ".", ".\\include", - ".\\crypto\\ec", ], "ms\\uplink.o" => [ diff --git a/ms/x64/static/configdata.pm b/ms/x64/static/configdata.pm index 61167fac..df4b7678 100644 --- a/ms/x64/static/configdata.pm +++ b/ms/x64/static/configdata.pm @@ -67,7 +67,7 @@ our %config = ( options => "--prefix=C:\\Program Files\\OpenSSL-1_1 --with-zlib-include=..\\zlib --with-zlib-lib=..\\zlib\\build\\x64\\Release\\libz-static.lib enable-zlib no-afalgeng no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-shared no-ssl-trace no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers no-zlib-dynamic", perl_archname => "MSWin32-x64-multi-thread", perl_cmd => "C:\\Strawberry\\perl\\bin\\perl.exe", - perl_version => "5.32.1", + perl_version => "5.38.0", perlargv => [ "--prefix=C:\\Program Files\\OpenSSL-1_1", "--with-zlib-include=..\\zlib", "--with-zlib-lib=..\\zlib\\build\\x64\\Release\\libz-static.lib", "VC-WIN64A-masm", "no-shared", "no-dynamic-engine", "zlib" ], perlenv => { "AR" => undef, @@ -116,8 +116,8 @@ our %config = ( sourcedir => ".", target => "VC-WIN64A-masm", tdirs => [ "ossl_shim" ], - version => "1.1.1u", - version_num => "0x1010115fL", + version => "1.1.1v", + version_num => "0x1010116fL", ); our %target = ( diff --git a/ms/x86/configdata.pm b/ms/x86/configdata.pm index 7d6be1ce..82e5c5f7 100644 --- a/ms/x86/configdata.pm +++ b/ms/x86/configdata.pm @@ -66,7 +66,7 @@ our %config = ( options => "--prefix=C:\\Program Files (x86)\\OpenSSL-1_1 --with-zlib-include=..\\zlib --with-zlib-lib=..\\zlib\\build\\Release\\libz-static.lib enable-zlib no-afalgeng no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ssl-trace no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers no-zlib-dynamic", perl_archname => "MSWin32-x64-multi-thread", perl_cmd => "C:\\Strawberry\\perl\\bin\\perl.exe", - perl_version => "5.32.1", + perl_version => "5.38.0", perlargv => [ "--prefix=C:\\Program Files (x86)\\OpenSSL-1_1", "--with-zlib-include=..\\zlib", "--with-zlib-lib=..\\zlib\\build\\Release\\libz-static.lib", "VC-WIN32", "no-dynamic-engine", "zlib" ], perlenv => { "AR" => undef, @@ -115,8 +115,8 @@ our %config = ( sourcedir => ".", target => "VC-WIN32", tdirs => [ "ossl_shim" ], - version => "1.1.1u", - version_num => "0x1010115fL", + version => "1.1.1v", + version_num => "0x1010116fL", ); our %target = ( @@ -10025,14 +10025,14 @@ our %unified_info = ( ], "ms\\applink.o" => [ - ".", - "apps", - "include", "crypto\\ec", + "apps", ".", + "include", + ".\\crypto\\ec", ".\\apps", + ".", ".\\include", - ".\\crypto\\ec", ], "ms\\uplink.o" => [ diff --git a/ms/x86/static/configdata.pm b/ms/x86/static/configdata.pm index fabdf18b..1bc0c310 100644 --- a/ms/x86/static/configdata.pm +++ b/ms/x86/static/configdata.pm @@ -66,7 +66,7 @@ our %config = ( options => "--prefix=C:\\Program Files (x86)\\OpenSSL-1_1 --with-zlib-include=..\\zlib --with-zlib-lib=..\\zlib\\build\\Release\\libz-static.lib enable-zlib no-afalgeng no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-shared no-ssl-trace no-ssl3 no-ssl3-method no-ubsan no-unit-test no-weak-ssl-ciphers no-zlib-dynamic", perl_archname => "MSWin32-x64-multi-thread", perl_cmd => "C:\\Strawberry\\perl\\bin\\perl.exe", - perl_version => "5.32.1", + perl_version => "5.38.0", perlargv => [ "--prefix=C:\\Program Files (x86)\\OpenSSL-1_1", "--with-zlib-include=..\\zlib", "--with-zlib-lib=..\\zlib\\build\\Release\\libz-static.lib", "VC-WIN32", "no-shared", "no-dynamic-engine", "zlib" ], perlenv => { "AR" => undef, @@ -115,8 +115,8 @@ our %config = ( sourcedir => ".", target => "VC-WIN32", tdirs => [ "ossl_shim" ], - version => "1.1.1u", - version_num => "0x1010115fL", + version => "1.1.1v", + version_num => "0x1010116fL", ); our %target = ( diff --git a/test/dhtest.c b/test/dhtest.c index 9d5609b9..20132201 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -63,7 +63,7 @@ static int dh_test(void) || !TEST_true(DH_set0_pqg(dh, p, q, g))) goto err1; - if (!DH_check(dh, &i)) + if (!TEST_true(DH_check(dh, &i))) goto err2; if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) @@ -123,6 +123,29 @@ static int dh_test(void) /* check whether the public key was calculated correctly */ TEST_uint_eq(BN_get_word(pub_key2), 3331L); + if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one()))) + goto err3; + + if (!TEST_true(DH_check(dh, &i))) + goto err3; + if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE) + || !TEST_false(i & DH_CHECK_Q_NOT_PRIME)) + goto err3; + + /* Modulus of size: dh check max modulus bits + 1 */ + if (!TEST_true(BN_set_word(p, 1)) + || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) + goto err3; + + /* + * We expect no checks at all for an excessively large modulus + */ + if (!TEST_false(DH_check(dh, &i))) + goto err3; + + /* We'll have a stale error on the queue from the above test so clear it */ + ERR_clear_error(); + /* * II) key generation */ @@ -137,7 +160,7 @@ static int dh_test(void) goto err3; /* ... and check whether it is valid */ - if (!DH_check(a, &i)) + if (!TEST_true(DH_check(a, &i))) goto err3; if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)