[openssl] OpenSSL_1_1_1-stable update

Matt Caswell matt at openssl.org
Thu Mar 25 13:43:20 UTC 2021


The branch OpenSSL_1_1_1-stable has been updated
       via  122e5f7c010859f0b2984d553fa45cd1f18a6fc4 (commit)
       via  fd78df59b0f656aefe96e39533130454aa957c00 (commit)
       via  e83638bc3a3e2f731fd10946bd460b021465b285 (commit)
       via  62f75c999ec8b125f154ad70b028e92ea312d084 (commit)
       via  d33c2a3d8453a75509bcc8d2cf7d2dc2a3a518d0 (commit)
       via  fb9fa6b51defd48157eeb207f52181f735d96148 (commit)
       via  3ff38629a2df6635f36bfb79513cc6440db8cd70 (commit)
       via  46d81bcabe2d36055bdd37079ed6acf976d967a7 (commit)
       via  2a40b7bc7b94dd7de897a74571e7024f0cf0d63b (commit)
      from  cfd74383d9b06f85cb1e166180346115a3f9a452 (commit)


- Log -----------------------------------------------------------------
commit 122e5f7c010859f0b2984d553fa45cd1f18a6fc4
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 25 13:28:48 2021 +0000

    Prepare for 1.1.1l-dev
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>

commit fd78df59b0f656aefe96e39533130454aa957c00
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 25 13:28:38 2021 +0000

    Prepare for 1.1.1k release
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>

commit e83638bc3a3e2f731fd10946bd460b021465b285
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 25 13:21:32 2021 +0000

    Update copyright year
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>

commit 62f75c999ec8b125f154ad70b028e92ea312d084
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 25 10:29:55 2021 +0000

    Update CHANGES and NEWS for new release
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>

commit d33c2a3d8453a75509bcc8d2cf7d2dc2a3a518d0
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 18 16:52:10 2021 +0000

    Ensure buffer/length pairs are always in sync
    
    Following on from CVE-2021-3449 which was caused by a non-zero length
    associated with a NULL buffer, other buffer/length pairs are updated to
    ensure that they too are always in sync.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>

commit fb9fa6b51defd48157eeb207f52181f735d96148
Author: Peter Kaestle <peter.kaestle at nokia.com>
Date:   Mon Mar 15 13:19:56 2021 +0100

    ssl sigalg extension: fix NULL pointer dereference
    
    As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
    possible to crash an openssl tls secured server remotely by sending a
    manipulated hello message in a rehandshake.
    
    On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
    tls12_shared_sigalgs() with the peer_sigalgslen of the previous
    handshake, while the peer_sigalgs has been freed.
    As a result tls12_shared_sigalgs() walks over the available
    peer_sigalgs and tries to access data of a NULL pointer.
    
    This issue was introduced by c589c34e61 (Add support for the TLS 1.3
    signature_algorithms_cert extension, 2018-01-11).
    
    Signed-off-by: Peter Kästle <peter.kaestle at nokia.com>
    Signed-off-by: Samuel Sapalski <samuel.sapalski at nokia.com>
    
    CVE-2021-3449
    
    CLA: trivial
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 3ff38629a2df6635f36bfb79513cc6440db8cd70
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 18 15:29:04 2021 +0000

    Add a test for CVE-2021-3449
    
    We perform a reneg handshake, where the second ClientHello drops the
    sig_algs extension. It must also contain cert_sig_algs for the test to
    work.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>

commit 46d81bcabe2d36055bdd37079ed6acf976d967a7
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 18 15:25:42 2021 +0000

    Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
    
    Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
    Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
    too much of a restriction. However, we now want to modify reneg handshakes
    which are encrypted so we need to add that capability.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>

commit 2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
Author: Tomas Mraz <tomas at openssl.org>
Date:   Mon Mar 22 08:51:52 2021 +0000

    check_chain_extensions: Do not override error return value by check_curve
    
    The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
    certificates present in a certificate chain. It is not set by default.
    
    Starting from OpenSSL version 1.1.1h a check to disallow certificates with
    explicitly encoded elliptic curve parameters in the chain was added to the
    strict checks.
    
    An error in the implementation of this check meant that the result of a
    previous check to confirm that certificates in the chain are valid CA
    certificates was overwritten. This effectively bypasses the check
    that non-CA certificates must not be able to issue other certificates.
    
    If a "purpose" has been configured then a subsequent check that the
    certificate is consistent with that purpose also checks that it is a
    valid CA. Therefore where a purpose is set the certificate chain will
    still be rejected even when the strict flag has been used. A purpose is
    set by default in libssl client and server certificate verification
    routines, but it can be overridden by an application.
    
    Affected applications explicitly set the X509_V_FLAG_X509_STRICT
    verification flag and either do not set a purpose for the certificate
    verification or, in the case of TLS client or server applications,
    override the default purpose to make it not set.
    
    CVE-2021-3450
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                              | 46 +++++++++++++++++++++++++++++++++++-
 NEWS                                 | 10 +++++++-
 README                               |  4 ++--
 apps/s_cb.c                          |  2 +-
 apps/s_time.c                        |  2 +-
 crypto/asn1/asn1_par.c               |  2 +-
 crypto/asn1/bio_ndef.c               |  2 +-
 crypto/engine/eng_devcrypto.c        |  2 +-
 crypto/evp/evp_enc.c                 |  2 +-
 crypto/modes/cbc128.c                |  2 +-
 crypto/modes/gcm128.c                |  2 +-
 crypto/o_time.c                      |  2 +-
 crypto/rand/rand_lib.c               |  2 +-
 crypto/rsa/rsa_ssl.c                 |  2 +-
 crypto/x509/x509_vfy.c               | 12 ++++++----
 fuzz/x509.c                          |  2 +-
 include/openssl/opensslv.h           |  6 ++---
 ssl/s3_lib.c                         |  7 ++++--
 ssl/ssl_lib.c                        | 16 +++++++++----
 ssl/statem/extensions.c              |  2 ++
 ssl/statem/extensions_clnt.c         | 16 ++++++++++---
 ssl/statem/statem_clnt.c             |  7 +++++-
 ssl/statem/statem_srvr.c             | 19 +++++++++++----
 test/recipes/70-test_renegotiation.t | 38 +++++++++++++++++++++++++++--
 test/rsa_test.c                      |  2 +-
 test/verify_extra_test.c             | 16 +++++++++++--
 tools/c_rehash.in                    |  2 +-
 util/perl/TLSProxy/Message.pm        | 39 +++++++++++++++++++++++-------
 28 files changed, 215 insertions(+), 51 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8c2b701311..e5666c87f9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,10 +7,54 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
- Changes between 1.1.1j and 1.1.1k [xx XXX xxxx]
+ Changes between 1.1.1k and 1.1.1l [xx XXX xxxx]
 
   *)
 
+ Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
+
+  *) Fixed a problem with verifying a certificate chain when using the
+     X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
+     of the certificates present in a certificate chain. It is not set by
+     default.
+
+     Starting from OpenSSL version 1.1.1h a check to disallow certificates in
+     the chain that have explicitly encoded elliptic curve parameters was added
+     as an additional strict check.
+
+     An error in the implementation of this check meant that the result of a
+     previous check to confirm that certificates in the chain are valid CA
+     certificates was overwritten. This effectively bypasses the check
+     that non-CA certificates must not be able to issue other certificates.
+
+     If a "purpose" has been configured then there is a subsequent opportunity
+     for checks that the certificate is a valid CA.  All of the named "purpose"
+     values implemented in libcrypto perform this check.  Therefore, where
+     a purpose is set the certificate chain will still be rejected even when the
+     strict flag has been used. A purpose is set by default in libssl client and
+     server certificate verification routines, but it can be overridden or
+     removed by an application.
+
+     In order to be affected, an application must explicitly set the
+     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
+     for the certificate verification or, in the case of TLS client or server
+     applications, override the default purpose.
+     (CVE-2021-3450)
+     [Tomáš Mráz]
+
+  *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
+     crafted renegotiation ClientHello message from a client. If a TLSv1.2
+     renegotiation ClientHello omits the signature_algorithms extension (where
+     it was present in the initial ClientHello), but includes a
+     signature_algorithms_cert extension then a NULL pointer dereference will
+     result, leading to a crash and a denial of service attack.
+
+     A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
+     (which is the default configuration). OpenSSL TLS clients are not impacted
+     by this issue.
+     (CVE-2021-3449)
+     [Peter Kästle and Samuel Sapalski]
+
  Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
 
   *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
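Review bot: the CVE-2021-3450 entry's last paragraph is slightly looser than the commit message it summarises. It says an application is affected if it "override[s] the default purpose", but the paragraph just above states that every named purpose implemented in libcrypto performs the CA check, so merely overriding the purpose with another named one is not enough; the commit message's wording, "override the default purpose to make it not set", is the precise condition. Suggest "override the default purpose so that none is set" here so the advisory text and the commit agree.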
diff --git a/NEWS b/NEWS
index 7e1cdf94e0..a8c68a704f 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,18 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [under development]
+  Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [under development]
 
       o
 
+  Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]
+
+      o Fixed a problem with verifying a certificate chain when using the
+        X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)
+      o Fixed an issue where an OpenSSL TLS server may crash if sent a
+        maliciously crafted renegotiation ClientHello message from a client
+        (CVE-2021-3449)
+
   Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
 
       o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
diff --git a/README b/README
index 98ad8a356a..a50bd0f2e7 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
 
- OpenSSL 1.1.1k-dev
+ OpenSSL 1.1.1l-dev
 
- Copyright (c) 1998-2020 The OpenSSL Project
+ Copyright (c) 1998-2021 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 7241df4978..dee1b2e5b4 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/apps/s_time.c b/apps/s_time.c
index eabf3c1a79..1235e545c2 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c
index d45f810bce..a32fa47f22 100644
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
index 5642262719..d7d7d80eea 100644
--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
index 997271e150..84a3b7dbec 100644
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 0843caf4f0..e3c165d48e 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c
index 78949c1ed7..15a14be708 100644
--- a/crypto/modes/cbc128.c
+++ b/crypto/modes/cbc128.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 4b29ead08c..8304efff48 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/o_time.c b/crypto/o_time.c
index 6aafd67c46..3fa70c45af 100644
--- a/crypto/o_time.c
+++ b/crypto/o_time.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 46e83d0741..5c72fad8ca 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c
index ecdb3cee1f..e1c755ae46 100644
--- a/crypto/rsa/rsa_ssl.c
+++ b/crypto/rsa/rsa_ssl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 0c71b2e8b4..20a36e763c 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -524,15 +524,19 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                 ret = 1;
             break;
         }
-        if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
+        if (ret > 0
+            && (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
             /* Check for presence of explicit elliptic curve parameters */
             ret = check_curve(x);
-            if (ret < 0)
+            if (ret < 0) {
                 ctx->error = X509_V_ERR_UNSPECIFIED;
-            else if (ret == 0)
+                ret = 0;
+            } else if (ret == 0) {
                 ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
+            }
         }
-        if ((x->ex_flags & EXFLAG_CA) == 0
+        if (ret > 0
+            && (x->ex_flags & EXFLAG_CA) == 0
             && x->ex_pathlen != -1
             && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
             ctx->error = X509_V_ERR_INVALID_EXTENSION;
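Review bot: the `ret > 0 &&` guard on both strict-mode branches is the whole of the CVE-2021-3450 fix. Without it, `ret = check_curve(x)` unconditionally overwrote the result of the preceding CA check, so a chain containing a non-CA issuer that passed the explicit-parameters check was accepted when X509_V_FLAG_X509_STRICT was set and no purpose was configured. Two points to confirm: the new `ret = 0;` in the `ret < 0` branch folds the "unspecified" failure into the ordinary rejection value, so callers no longer see a negative return from this path, and the same guard is needed on the following `EXFLAG_CA` / `ex_pathlen` check, which the hunk also adds. The summary lists changes to test/verify_extra_test.c; a test that rejects a chain with a non-CA intermediate under the strict flag and no purpose is the one to look for there.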
diff --git a/fuzz/x509.c b/fuzz/x509.c
index 1a20ca21db..ceaec0797b 100644
--- a/fuzz/x509.c
+++ b/fuzz/x509.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL licenses, (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 48c54fe673..a236ebbf0d 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010b0L
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k-dev  xx XXX xxxx"
+# define OPENSSL_VERSION_NUMBER  0x101010c0L
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1l-dev  xx XXX xxxx"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 4511b52c9a..b256a4b935 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -4629,6 +4629,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
 
         OPENSSL_clear_free(s->s3->tmp.psk, psklen);
         s->s3->tmp.psk = NULL;
+        s->s3->tmp.psklen = 0;
         if (!s->method->ssl3_enc->generate_master_secret(s,
                     s->session->master_key, pskpms, pskpmslen,
                     &s->session->master_key_length)) {
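Review bot: `s->s3->tmp.psklen = 0;` restores the buffer/length invariant after the PSK is cleared, but note that the `OPENSSL_clear_free` just above uses the local `psklen` rather than `s->s3->tmp.psklen`. It is worth confirming the two are always equal at this point; if they can differ, the cleanse length and the stored length had already diverged before this line.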
@@ -4658,8 +4659,10 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
         else
             OPENSSL_cleanse(pms, pmslen);
     }
-    if (s->server == 0)
+    if (s->server == 0) {
         s->s3->tmp.pms = NULL;
+        s->s3->tmp.pmslen = 0;
+    }
     return ret;
 }
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 98057921f8..58f8f3c14c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -779,8 +779,10 @@ SSL *SSL_new(SSL_CTX *ctx)
         s->ext.ecpointformats =
             OPENSSL_memdup(ctx->ext.ecpointformats,
                            ctx->ext.ecpointformats_len);
-        if (!s->ext.ecpointformats)
+        if (!s->ext.ecpointformats) {
+            s->ext.ecpointformats_len = 0;
             goto err;
+        }
         s->ext.ecpointformats_len =
             ctx->ext.ecpointformats_len;
     }
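Review bot: zeroing `s->ext.ecpointformats_len` before `goto err` only matters if the `err:` path (outside this hunk) frees or inspects the buffer using that length; the success path assigns the length only after the memdup succeeds, so the failure case previously left a NULL buffer paired with whatever value the field already held. The same four-line shape is repeated for supportedgroups and alpn below; a small helper that does "memdup, or zero the length on failure" would keep the three sites from drifting apart.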
@@ -789,8 +791,10 @@ SSL *SSL_new(SSL_CTX *ctx)
             OPENSSL_memdup(ctx->ext.supportedgroups,
                            ctx->ext.supportedgroups_len
                                 * sizeof(*ctx->ext.supportedgroups));
-        if (!s->ext.supportedgroups)
+        if (!s->ext.supportedgroups) {
+            s->ext.supportedgroups_len = 0;
             goto err;
+        }
         s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
     }
 #endif
@@ -800,8 +804,10 @@ SSL *SSL_new(SSL_CTX *ctx)
 
     if (s->ctx->ext.alpn) {
         s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len);
-        if (s->ext.alpn == NULL)
+        if (s->ext.alpn == NULL) {
+            s->ext.alpn_len = 0;
             goto err;
+        }
         memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len);
         s->ext.alpn_len = s->ctx->ext.alpn_len;
     }
@@ -2834,6 +2840,7 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
     OPENSSL_free(ctx->ext.alpn);
     ctx->ext.alpn = OPENSSL_memdup(protos, protos_len);
     if (ctx->ext.alpn == NULL) {
+        ctx->ext.alpn_len = 0;
         SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
         return 1;
     }
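Review bot: the new `ctx->ext.alpn_len = 0;` is needed here because the old list was freed two lines earlier and the function returns with `ctx->ext.alpn == NULL`, which would otherwise leave the previous list's length behind. The `return 1;` on this path looks inverted but is the documented failure value for SSL_CTX_set_alpn_protos (0 is success), so no change is needed there.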
@@ -2853,6 +2860,7 @@ int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
     OPENSSL_free(ssl->ext.alpn);
     ssl->ext.alpn = OPENSSL_memdup(protos, protos_len);
     if (ssl->ext.alpn == NULL) {
+        ssl->ext.alpn_len = 0;
         SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
         return 1;
     }
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index b055935d69..e1a3b1db67 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1139,6 +1139,7 @@ static int init_sig_algs(SSL *s, unsigned int context)
     /* Clear any signature algorithms extension received */
     OPENSSL_free(s->s3->tmp.peer_sigalgs);
     s->s3->tmp.peer_sigalgs = NULL;
+    s->s3->tmp.peer_sigalgslen = 0;
 
     return 1;
 }
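Review bot: this one line is the fix for CVE-2021-3449. `init_sig_algs()` already freed and NULLed `peer_sigalgs` before each handshake but left `peer_sigalgslen` at the previous handshake's value, so a renegotiation ClientHello that omitted signature_algorithms let `tls12_shared_sigalgs()` iterate a NULL buffer with a stale non-zero length. Consider a defensive check where the pair is consumed (`peer_sigalgs != NULL || peer_sigalgslen == 0`) so any future desync fails closed instead of dereferencing NULL.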
@@ -1148,6 +1149,7 @@ static int init_sig_algs_cert(SSL *s, unsigned int context)
     /* Clear any signature algorithms extension received */
     OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
     s->s3->tmp.peer_cert_sigalgs = NULL;
+    s->s3->tmp.peer_cert_sigalgslen = 0;
 
     return 1;
 }
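Review bot: same correction applied to the signature_algorithms_cert pair; `peer_cert_sigalgslen` was exposed to the identical stale-length hazard, and the test added in test/recipes/70-test_renegotiation.t exercises exactly the case where this extension is present while signature_algorithms is absent.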
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index bcce0f1d95..ce8a75794c 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -816,6 +816,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
         OPENSSL_free(s->psksession_id);
         s->psksession_id = OPENSSL_memdup(id, idlen);
         if (s->psksession_id == NULL) {
+            s->psksession_id_len = 0;
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
             return EXT_RETURN_FAIL;
@@ -1375,6 +1376,7 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
         OPENSSL_free(s->ext.peer_ecpointformats);
         s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
         if (s->ext.peer_ecpointformats == NULL) {
+            s->ext.peer_ecpointformats_len = 0;
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
             return 0;
@@ -1492,8 +1494,13 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
         s->ext.scts_len = (uint16_t)size;
         if (size > 0) {
             s->ext.scts = OPENSSL_malloc(size);
-            if (s->ext.scts == NULL
-                    || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
+            if (s->ext.scts == NULL) {
+                s->ext.scts_len = 0;
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
+                         ERR_R_MALLOC_FAILURE);
+                return 0;
+            }
+            if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
                          ERR_R_INTERNAL_ERROR);
                 return 0;
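Review bot: splitting the combined condition lets the malloc failure reset `s->ext.scts_len` (assigned from `size` two lines above the allocation) before returning, and it also gives that branch the more accurate `ERR_R_MALLOC_FAILURE` reason. In the second branch a failed `PACKET_copy_bytes` leaves `s->ext.scts` allocated but unfilled with `scts_len == size`; the pair is consistent, but consider moving the `scts_len = (uint16_t)size` assignment after the copy, or zeroing it in this branch, so a short read never leaves a length describing bytes that were never read.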
@@ -1592,6 +1599,7 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     OPENSSL_free(s->ext.npn);
     s->ext.npn = OPENSSL_malloc(selected_len);
     if (s->ext.npn == NULL) {
+        s->ext.npn_len = 0;
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,
                  ERR_R_INTERNAL_ERROR);
         return 0;
@@ -1632,6 +1640,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     OPENSSL_free(s->s3->alpn_selected);
     s->s3->alpn_selected = OPENSSL_malloc(len);
     if (s->s3->alpn_selected == NULL) {
+        s->s3->alpn_selected_len = 0;
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
                  ERR_R_INTERNAL_ERROR);
         return 0;
@@ -1663,6 +1672,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
         s->session->ext.alpn_selected =
             OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
         if (s->session->ext.alpn_selected == NULL) {
+            s->session->ext.alpn_selected_len = 0;
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
                      ERR_R_INTERNAL_ERROR);
             return 0;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 09fba3d8c0..de58f1a4b7 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2462,6 +2462,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
         s->s3->tmp.ctype_len = 0;
         OPENSSL_free(s->pha_context);
         s->pha_context = NULL;
+        s->pha_context_len = 0;
 
         if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||
             !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
@@ -2771,16 +2772,17 @@ int tls_process_cert_status_body(SSL *s, PACKET *pkt)
     }
     s->ext.ocsp.resp = OPENSSL_malloc(resplen);
     if (s->ext.ocsp.resp == NULL) {
+        s->ext.ocsp.resp_len = 0;
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
                  ERR_R_MALLOC_FAILURE);
         return 0;
     }
+    s->ext.ocsp.resp_len = resplen;
     if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
                  SSL_R_LENGTH_MISMATCH);
         return 0;
     }
-    s->ext.ocsp.resp_len = resplen;
 
     return 1;
 }
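Review bot: moving `s->ext.ocsp.resp_len = resplen;` ahead of `PACKET_copy_bytes` means a failed copy leaves the allocated buffer described by its real length rather than a non-NULL buffer with a zero or stale length. The trade-off is that the contents are uninitialised on that path, which is acceptable only because `SSLfatal` aborts the handshake; a comment saying so would stop a later cleanup from "fixing" the order back.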
@@ -3351,9 +3353,11 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
  err:
     OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
     s->s3->tmp.pms = NULL;
+    s->s3->tmp.pmslen = 0;
 #ifndef OPENSSL_NO_PSK
     OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
     s->s3->tmp.psk = NULL;
+    s->s3->tmp.psklen = 0;
 #endif
     return 0;
 }
@@ -3428,6 +3432,7 @@ int tls_client_key_exchange_post_work(SSL *s)
  err:
     OPENSSL_clear_free(pms, pmslen);
     s->s3->tmp.pms = NULL;
+    s->s3->tmp.pmslen = 0;
     return 0;
 }
 
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index cf45a40ce4..fec12f6130 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -2178,6 +2178,7 @@ int tls_handle_alpn(SSL *s)
             OPENSSL_free(s->s3->alpn_selected);
             s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
             if (s->s3->alpn_selected == NULL) {
+                s->s3->alpn_selected_len = 0;
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
                          ERR_R_INTERNAL_ERROR);
                 return 0;
@@ -2853,9 +2854,16 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
         if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
             OPENSSL_free(s->pha_context);
             s->pha_context_len = 32;
-            if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
-                    || RAND_bytes(s->pha_context, s->pha_context_len) <= 0
-                    || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
+            if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) {
+                s->pha_context_len = 0;
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+                         SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+                         ERR_R_INTERNAL_ERROR);
+                return 0;
+            }
+            if (RAND_bytes(s->pha_context, s->pha_context_len) <= 0
+                    || !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
+                                              s->pha_context_len)) {
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                          SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                          ERR_R_INTERNAL_ERROR);
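Review bot: `s->pha_context_len = 32;` is assigned before the allocation and reset only on malloc failure, so the `RAND_bytes` / `WPACKET_sub_memcpy_u8` failure branch still returns with a valid 32-byte buffer and matching length, which is consistent. The malloc branch, however, reports `ERR_R_INTERNAL_ERROR` where `ERR_R_MALLOC_FAILURE` (used for the equivalent case in tls_process_cke_psk_preamble in the next hunk) would be the accurate reason.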
@@ -2969,6 +2977,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
     OPENSSL_cleanse(psk, psklen);
 
     if (s->s3->tmp.psk == NULL) {
+        s->s3->tmp.psklen = 0;
         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                  SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
         return 0;
@@ -3508,6 +3517,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
 #ifndef OPENSSL_NO_PSK
     OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
     s->s3->tmp.psk = NULL;
+    s->s3->tmp.psklen = 0;
 #endif
     return MSG_PROCESS_ERROR;
 }
@@ -4117,6 +4127,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
             s->session->ext.alpn_selected =
                 OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
             if (s->session->ext.alpn_selected == NULL) {
+                s->session->ext.alpn_selected_len = 0;
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                          SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                          ERR_R_MALLOC_FAILURE);
diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t
index 734f1cd21e..a8162189ed 100644
--- a/test/recipes/70-test_renegotiation.t
+++ b/test/recipes/70-test_renegotiation.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -38,7 +38,7 @@ my $proxy = TLSProxy::Proxy->new(
 $proxy->clientflags("-no_tls1_3");
 $proxy->reneg(1);
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 3;
+plan tests => 4;
 ok(TLSProxy::Message->success(), "Basic renegotiation");
 
 #Test 2: Client does not send the Reneg SCSV. Reneg should fail
@@ -77,6 +77,20 @@ SKIP: {
        "Check ClientHello version is the same");
 }
 
+SKIP: {
+    skip "TLSv1.2 disabled", 1
+        if disabled("tls1_2");
+
+    #Test 4: Test for CVE-2021-3449. client_sig_algs instead of sig_algs in
+    #        resumption ClientHello
+    $proxy->clear();
+    $proxy->filter(\&sigalgs_filter);
+    $proxy->clientflags("-tls1_2");
+    $proxy->reneg(1);
+    $proxy->start();
+    ok(TLSProxy::Message->fail(), "client_sig_algs instead of sig_algs");
+}
+
 sub reneg_filter
 {
     my $proxy = shift;
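Review bot: the assertion `ok(TLSProxy::Message->fail(), "client_sig_algs instead of sig_algs")` only establishes that the renegotiation handshake did not succeed; since the defect this test covers is a server-side failure on a malformed resumption ClientHello, it is worth confirming that fail() distinguishes a clean alert from an abrupt connection loss, otherwise a server that dies mid-handshake would still pass. A one-line comment stating the expected outcome (server rejects the second ClientHello with an alert) would make the intent clear. Unlike `$proxy->start() or plan skip_all => ...` earlier in the file, the `$proxy->start();` here leaves the return value unchecked, which matches the other negative tests but is worth noting.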
@@ -96,3 +110,23 @@ sub reneg_filter
         }
     }
 }
+
+sub sigalgs_filter
+{
+    my $proxy = shift;
+    my $cnt = 0;
+
+    # We're only interested in the second ClientHello message
+    foreach my $message (@{$proxy->message_list}) {
+        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+            next if ($cnt++ == 0);
+
+            my $sigs = pack "C10", 0x00, 0x08,
+                            # rsa_pkcs_sha{256,384,512,1}
+                            0x04, 0x01,  0x05, 0x01,  0x06, 0x01,  0x02, 0x01;
+            $message->set_extension(TLSProxy::Message::EXT_SIG_ALGS_CERT, $sigs);
+            $message->delete_extension(TLSProxy::Message::EXT_SIG_ALGS);
+            $message->repack();
+        }
+    }
+}
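Review bot: the filter's `next if ($cnt++ == 0)` silently assumes exactly one renegotiation so that the second ClientHello is the resumption one; a comment tying this to `$proxy->reneg(1)` in the calling test would document that dependency. The packed extension body is correct: `0x00, 0x08` is the two-byte list length followed by four two-byte SignatureScheme values, matching the `rsa_pkcs_sha{256,384,512,1}` comment. Because the modified message is re-encrypted by `repack()`, this test also depends on the ETM re-encryption support added to Message.pm in this same commit, which is worth stating in the comment so the coupling is visible.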
diff --git a/test/rsa_test.c b/test/rsa_test.c
index bdbab75f8f..be6db02941 100644
--- a/test/rsa_test.c
+++ b/test/rsa_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c
index 010403e74a..b9959e0c66 100644
--- a/test/verify_extra_test.c
+++ b/test/verify_extra_test.c
@@ -140,10 +140,22 @@ static int test_alt_chains_cert_forgery(void)
 
     i = X509_verify_cert(sctx);
 
-    if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) {
+    if (i != 0 || X509_STORE_CTX_get_error(sctx) != X509_V_ERR_INVALID_CA)
+        goto err;
+
+    /* repeat with X509_V_FLAG_X509_STRICT */
+    X509_STORE_CTX_cleanup(sctx);
+    X509_STORE_set_flags(store, X509_V_FLAG_X509_STRICT);
+
+    if (!X509_STORE_CTX_init(sctx, store, x, untrusted))
+        goto err;
+
+    i = X509_verify_cert(sctx);
+
+    if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA)
         /* This is the result we were expecting: Test passed */
         ret = 1;
-    }
+
  err:
     X509_STORE_CTX_free(sctx);
     X509_free(x);
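Review bot: both verification passes share one failure path, so when this test fails there is no indication whether the default pass or the X509_V_FLAG_X509_STRICT pass produced the unexpected result; a distinct diagnostic per pass (for example an explicit check on `X509_STORE_CTX_get_error(sctx)` with a message) instead of the bare `goto err` would make failures actionable. Style: the comment now sits between the braceless `if (i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA)` and its single statement `ret = 1;`; placing the comment above the `if` reads more clearly. `X509_STORE_set_flags(store, X509_V_FLAG_X509_STRICT)` changes the shared `store` rather than the context, which is fine as long as `store` is not reused by a later check.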
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index d97cab0ed5..fa7c6c9fef 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -1,7 +1,7 @@
 #!{- $config{HASHBANGPERL} -}
 
 # {- join("\n# ", @autowarntext) -}
-# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
index 10b6156074..c3c480669c 100644
--- a/util/perl/TLSProxy/Message.pm
+++ b/util/perl/TLSProxy/Message.pm
@@ -1,4 +1,4 @@
-# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -448,7 +448,7 @@ sub ciphersuite
 }
 
 #Update all the underlying records with the modified data from this message
-#Note: Only supports re-encrypting for TLSv1.3
+#Note: Only supports TLSv1.3 and ETM encryption
 sub repack
 {
     my $self = shift;
@@ -490,15 +490,38 @@ sub repack
         # (If a length override is ever needed to construct invalid packets,
         #  use an explicit override field instead.)
         $rec->decrypt_len(length($rec->decrypt_data));
-        $rec->len($rec->len + length($msgdata) - $old_length);
-        # Only support re-encryption for TLSv1.3.
-        if (TLSProxy::Proxy->is_tls13() && $rec->encrypted()) {
-            #Add content type (1 byte) and 16 tag bytes
-            $rec->data($rec->decrypt_data
-                .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16));
+        # Only support re-encryption for TLSv1.3 and ETM.
+        if ($rec->encrypted()) {
+            if (TLSProxy::Proxy->is_tls13()) {
+                #Add content type (1 byte) and 16 tag bytes
+                $rec->data($rec->decrypt_data
+                    .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16));
+            } elsif ($rec->etm()) {
+                my $data = $rec->decrypt_data;
+                #Add padding
+                my $padval = length($data) % 16;
+                $padval = 15 - $padval;
+                for (0..$padval) {
+                    $data .= pack("C", $padval);
+                }
+
+                #Add MAC. Assumed to be 20 bytes
+                foreach my $macval (0..19) {
+                    $data .= pack("C", $macval);
+                }
+
+                if ($rec->version() >= TLSProxy::Record::VERS_TLS_1_1) {
+                    #Explicit IV
+                    $data = ("\0"x16).$data;
+                }
+                $rec->data($data);
+            } else {
+                die "Unsupported encryption: No ETM";
+            }
         } else {
             $rec->data($rec->decrypt_data);
         }
+        $rec->len(length($rec->data));
 
         #Update the fragment len in case we changed it above
         ${$self->message_frag_lens}[0] = length($msgdata)
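Review bot: the ETM branch hard-codes record-layer parameters (16-byte block and padding, a 20-byte MAC, a 16-byte explicit IV) and fills the MAC and IV with placeholder bytes rather than computing them; the comment `#Add MAC. Assumed to be 20 bytes` should state which cipher suite and MAC these values correspond to (AES-CBC with HMAC-SHA1) and that they are placeholders, since a different cipher list would make repack emit malformed records with no error. The padding arithmetic is right: `$padval = 15 - $padval` followed by `for (0..$padval)` appends padval+1 bytes of value padval, giving a block-aligned record. Setting `$rec->len(length($rec->data))` after the branch is an improvement over the old delta-based length update. The `die "Unsupported encryption: No ETM"` message could name what is supported (TLSv1.3 or ETM) to match the comment above it.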

