[openssl/openssl] 2eda98: Fix OCSP_basic_verify signer certificate validation
matt
noreply at reply.github.openssl.org
Tue May 3 14:17:43 UTC 2022
Branch: refs/heads/openssl-3.0
Home: https://github.openssl.org/openssl/openssl
Commit: 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
https://github.openssl.org/openssl/openssl/commit/2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
Author: Matt Caswell <matt at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M crypto/ocsp/ocsp_vfy.c
Log Message:
-----------
Fix OCSP_basic_verify signer certificate validation
The function `OCSP_basic_verify` validates the signer certificate on an OCSP
response. The internal function, ocsp_verify_signer, is responsible for this
and is expected to return a 0 value in the event of a failure to verify.
Unfortunately, due to a bug, it actually returns with a postive success
response in this case. In the normal course of events OCSP_basic_verify
will then continue and will fail anyway in the ocsp_check_issuer function
because the supplied "chain" value will be empty in the case that
ocsp_verify_signer failed to verify the chain. This will cause
OCSP_basic_verify to return with a negative result (fatal error). Normally
in the event of a failure to verify it should return with 0.
However, in the case of the OCSP_NOCHECKS flag being used, OCSP_basic_verify
will return with a positvie result. This could lead to callers trusting an
OCSP Basic response when it should not be.
CVE-2022-1343
Fixes #18053
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
Commit: 55c80c222293a972587004c185dc5653ae207a0e
https://github.openssl.org/openssl/openssl/commit/55c80c222293a972587004c185dc5653ae207a0e
Author: Matt Caswell <matt at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M test/recipes/80-test_ocsp.t
Log Message:
-----------
Test ocsp with invalid responses and the "-no_cert_checks" option
The "-no_cert_checks" option causes the flag OCSP_NOCHECKS to be set.
The bug fixed in the previous commit will cause the ocsp app to respond with
a success result in the case when the OCSP response signing certificate
fails to verify and -no_cert_checks is used - so we test that it fails in
this case.
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
Commit: 7d56a74a96828985db7354a55227a511615f732b
https://github.openssl.org/openssl/openssl/commit/7d56a74a96828985db7354a55227a511615f732b
Author: Matt Caswell <matt at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M providers/implementations/ciphers/cipher_rc4_hmac_md5.c
M test/recipes/30-test_evp_data/evpciph_aes_stitched.txt
M test/recipes/30-test_evp_data/evpciph_rc4_stitched.txt
Log Message:
-----------
Fix the RC4-MD5 cipher
A copy&paste error meant that the RC4-MD5 cipher (used in TLS) used the TLS
AAD data as the MAC key.
CVE-2022-1434
Fixes #18112
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
Commit: 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
https://github.openssl.org/openssl/openssl/commit/1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
Author: Tomas Mraz <tomas at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M tools/c_rehash.in
Log Message:
-----------
c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe.
This fixes CVE-2022-1292.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
Commit: 17a1818942bb4cab6bee1572733c133f3d6f1aee
https://github.openssl.org/openssl/openssl/commit/17a1818942bb4cab6bee1572733c133f3d6f1aee
Author: Pauli <pauli at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M doc/fingerprints.txt
Log Message:
-----------
Update Paul's pgp key signature
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18219)
Commit: ffbb106a174a8bc698f41db9a07544963c01e830
https://github.openssl.org/openssl/openssl/commit/ffbb106a174a8bc698f41db9a07544963c01e830
Author: Matt Caswell <matt at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M CHANGES.md
M NEWS.md
Log Message:
-----------
Update CHANGES and NEWS for new release
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Release: yes
Commit: 1b08f849cb7bfe7d47b701a4a93eefd806342d73
https://github.openssl.org/openssl/openssl/commit/1b08f849cb7bfe7d47b701a4a93eefd806342d73
Author: Matt Caswell <matt at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M .github/workflows/run-checker-ci.yml
M apps/ca.c
M apps/ecparam.c
M apps/lib/http_server.c
M apps/lib/names.c
M apps/lib/vms_term_sock.c
M apps/list.c
M apps/rsa.c
M apps/ts.c
M crypto/LPdir_unix.c
M crypto/asn1/ameth_lib.c
M crypto/asn1/asn1_gen.c
M crypto/bn/bn_div.c
M crypto/bn/bn_exp.c
M crypto/camellia/camellia.c
M crypto/cms/cms_io.c
M crypto/conf/conf_def.c
M crypto/ctype.c
M crypto/dh/dh_group_params.c
M crypto/dh/dh_kdf.c
M crypto/ec/curve448/curve448.c
M crypto/ec/ec_backend.c
M crypto/ec/ecp_nistz256.c
M crypto/encode_decode/decoder_lib.c
M crypto/encode_decode/decoder_pkey.c
M crypto/encode_decode/encoder_lib.c
M crypto/engine/tb_asnmth.c
M crypto/err/openssl.txt
M crypto/evp/ec_support.c
M crypto/evp/evp_lib.c
M crypto/evp/p5_crpt2.c
M crypto/evp/p_lib.c
M crypto/evp/pmeth_lib.c
M crypto/ffc/ffc_dh.c
M crypto/ffc/ffc_params.c
M crypto/init.c
M crypto/objects/o_names.c
M crypto/ocsp/ocsp_vfy.c
M crypto/params_dup.c
M crypto/property/property_parse.c
M crypto/s390x_arch.h
M crypto/s390xcap.c
M crypto/siphash/siphash.c
M crypto/sparse_array.c
M crypto/store/store_lib.c
M crypto/x509/v3_tlsf.c
M doc/man3/BIO_meth_new.pod
M doc/man3/EVP_blake2b512.pod
M doc/man3/EVP_md2.pod
M doc/man3/EVP_md4.pod
M doc/man3/EVP_md5.pod
M doc/man3/EVP_mdc2.pod
M doc/man3/EVP_ripemd160.pod
M doc/man3/EVP_sha1.pod
M doc/man3/EVP_sha224.pod
M doc/man3/EVP_sha3_224.pod
M doc/man3/EVP_sm3.pod
M doc/man3/EVP_whirlpool.pod
M doc/man3/OPENSSL_LH_stats.pod
M doc/man3/SSL_CTX_get0_param.pod
M doc/man3/SSL_CTX_set1_verify_cert_store.pod
M doc/man3/SSL_CTX_set_ssl_version.pod
M doc/man3/SSL_CTX_set_timeout.pod
M doc/man3/SSL_set_session.pod
M doc/man7/EVP_KDF-SSHKDF.pod
M doc/man7/provider-signature.pod
M doc/man7/provider.pod
M e_os.h
M engines/e_devcrypto.c
M engines/e_loader_attic.c
M engines/e_ossltest.c
M fuzz/client.c
M include/crypto/ctype.h
M include/internal/core.h
M include/openssl/x509.h.in
M providers/common/capabilities.c
M providers/fips/fipsprov.c
M providers/fips/self_test.c
M providers/implementations/ciphers/cipher_cts.c
M providers/implementations/ciphers/cipher_rc4_hmac_md5.c
M providers/implementations/kdfs/hkdf.c
M providers/implementations/kdfs/kbkdf.c
M providers/implementations/kdfs/sshkdf.c
M providers/implementations/kdfs/tls1_prf.c
M providers/implementations/kem/rsa_kem.c
M providers/implementations/keymgmt/ec_kmgmt.c
M providers/implementations/keymgmt/mac_legacy_kmgmt.c
M providers/implementations/macs/cmac_prov.c
M providers/implementations/macs/gmac_prov.c
M providers/implementations/macs/hmac_prov.c
M providers/implementations/macs/poly1305_prov.c
M providers/implementations/macs/siphash_prov.c
M providers/implementations/rands/drbg_ctr.c
M providers/implementations/signature/rsa_sig.c
M providers/implementations/signature/sm2_sig.c
M providers/implementations/storemgmt/file_store.c
M ssl/ssl_conf.c
M ssl/ssl_txt.c
M ssl/statem/statem_dtls.c
M test/cmsapitest.c
M test/dtls_mtu_test.c
M test/endecode_test.c
M test/evp_libctx_test.c
M test/helpers/ssl_test_ctx.c
M test/params_conversion_test.c
M test/provider_test.c
M test/recipes/02-test_localetest.t
M test/recipes/03-test_fipsinstall.t
M test/recipes/15-test_ecparam.t
M test/recipes/15-test_rsapss.t
M test/recipes/30-test_evp_data/evpmac_poly1305.txt
M test/recipes/70-test_tls13hrr.t
M test/recipes/80-test_cmsapi.t
M test/recipes/80-test_ocsp.t
M test/recipes/90-test_sslapi.t
M test/siphash_internal_test.c
M test/v3nametest.c
M tools/c_rehash.in
Log Message:
-----------
Update copyright year
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Release: yes
Commit: a38328b1d44be642385904806e880d8413750dd5
https://github.openssl.org/openssl/openssl/commit/a38328b1d44be642385904806e880d8413750dd5
Author: Tomas Mraz <tomas at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M CHANGES.md
Log Message:
-----------
CHANGES.md: Attribute the OPENSSL_LH_flush() fix properly
Reviewed-by: Matt Caswell <matt at openssl.org>
Release: yes
Commit: 7f6c33bda143c96d4cc461839267792f5ca7e9d1
https://github.openssl.org/openssl/openssl/commit/7f6c33bda143c96d4cc461839267792f5ca7e9d1
Author: Matt Caswell <matt at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M providers/fips-sources.checksums
M providers/fips.checksum
M util/libcrypto.num
Log Message:
-----------
make update
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Release: yes
Commit: 4d346a188c27bdf78aa76590c641e1217732ca4b
https://github.openssl.org/openssl/openssl/commit/4d346a188c27bdf78aa76590c641e1217732ca4b
Author: Matt Caswell <matt at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M CHANGES.md
M NEWS.md
M VERSION.dat
Log Message:
-----------
Prepare for release of 3.0.3
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Release: yes
Commit: 6e79301311c5a7e4a3bbbfbf2386c02634aedfb9
https://github.openssl.org/openssl/openssl/commit/6e79301311c5a7e4a3bbbfbf2386c02634aedfb9
Author: Matt Caswell <matt at openssl.org>
Date: 2022-05-03 (Tue, 03 May 2022)
Changed paths:
M CHANGES.md
M NEWS.md
M VERSION.dat
Log Message:
-----------
Prepare for 3.0.4
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Release: yes
Compare: https://github.openssl.org/openssl/openssl/compare/ae3ece03a61e...6e79301311c5
More information about the openssl-commits
mailing list