From bd3ddc2a8cecec3f0421e7ca918d2d972099722f Mon Sep 17 00:00:00 2001
From: Futaura
Date: Tue, 1 Aug 2023 18:45:25 +0100
Subject: [PATCH] OpenSSL 3.1.2 integration
---
 CHANGES.md | 12 ++++++++++++
 Makefile | 2 +-
 include/libraries/amisslmaster.h | 1 +
 include/openssl/configuration.h | 3 ---
 include/openssl/dh.h | 8 ++++++--
 include/openssl/opensslv.h | 10 +++++-----
 include/openssl/x509err.h | 3 ++-
 src/amisslmaster_library.c | 3 ++-
 8 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index ae288e0c4..a97353f19 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,15 @@
+## AmiSSL 5.10 (1.8.2023)
+
+- Updated OpenSSL backend to full compatibility with the latest
+ OpenSSL 3.1.2 (1.8.2023) version, which includes improvements and
+ fixes for three low severity identified vulnerabilities:
+ + Fix excessive time spent checking DH q parameter value.
+ (CVE-2023-3817)
+ + Fix DH_check() excessive time with over sized modulus.
+ (CVE-2023-3446)
+ + Do not ignore empty associated data entries with AES-SIV.
+ (CVE-2023-2975)
+
 ## AmiSSL 5.9 (30.5.2023)
 - Updated OpenSSL backend to full compatibility with the latest
diff --git a/Makefile b/Makefile
index 620194631..82366c113 100644
--- a/Makefile
+++ b/Makefile
@@ -152,7 +152,7 @@ endif
 # none - because we want to compile with -Wall all the time
 VERSION=5
-REVISION=9
+REVISION=10
 include openssl/VERSION.dat
 VERSIONNAME=$(MAJOR)$(MINOR)$(PATCH)
diff --git a/include/libraries/amisslmaster.h b/include/libraries/amisslmaster.h
index c88b32d45..5f612013d 100644
--- a/include/libraries/amisslmaster.h
+++ b/include/libraries/amisslmaster.h
@@ -56,6 +56,7 @@ enum AmiSSLVersion
 AMISSL_V308, /* AmiSSL v5.7 */
 AMISSL_V310, /* AmiSSL v5.8 */
 AMISSL_V311, /* AmiSSL v5.9 */
+ AMISSL_V312, /* AmiSSL v5.10 */
 /* ADD NEW VERSIONS ABOVE THIS LINE */
 AMISSL_VMAX
diff --git a/include/openssl/configuration.h b/include/openssl/configuration.h
index 6c864c108..21597ce5c 100644
--- a/include/openssl/configuration.h
+++ b/include/openssl/configuration.h
@@ -67,9 +67,6 @@ extern "C" {
 # ifndef OPENSSL_NO_DEVCRYPTOENG
 # define OPENSSL_NO_DEVCRYPTOENG
 # endif
-# ifndef OPENSSL_NO_DSO
-# define OPENSSL_NO_DSO
-# endif
 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 # define OPENSSL_NO_EC_NISTP_64_GCC_128
 # endif
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 4b15e0201..2c4db16b5 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -5,7 +5,7 @@
 *
 * This file has been modified for use with AmiSSL for AmigaOS-based systems.
 *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -104,7 +104,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
 # include
 # ifndef OPENSSL_DH_MAX_MODULUS_BITS
-# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# endif
+
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
 # endif
 # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index a23dc817b..862f624c1 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -41,7 +41,7 @@ extern "C" {
 */
 # define OPENSSL_VERSION_MAJOR 3
 # define OPENSSL_VERSION_MINOR 1
-# define OPENSSL_VERSION_PATCH 1
+# define OPENSSL_VERSION_PATCH 2
 /*
 * Additional version information
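Review bot: In include/openssl/dh.h, the new `OPENSSL_DH_CHECK_MAX_MODULUS_BITS` block is only a constant; the DH_check() code that would enforce it is not part of this patch, whose diffstat lists headers, the Makefile, the changelog and amisslmaster_library.c only. Presumably the fix itself arrives through the `openssl/` tree that the Makefile reads VERSION.dat from, so it is worth confirming that tree is at 3.1.2 in the same change; otherwise opensslv.h would advertise 3.1.2 while the built code still lacks the CVE-2023-3446 and CVE-2023-3817 fixes. Because the macro sits behind `#ifndef`, a build that predefines a larger value silently widens the limit again. A comment above it such as `/* Largest modulus DH_check() will examine (CVE-2023-3446); do not raise without review */` would record that.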
@@ -86,21 +86,21 @@ extern "C" {
 * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
 * OPENSSL_VERSION_BUILD_METADATA_STR appended.
 */
-# define OPENSSL_VERSION_STR "3.1.1"
-# define OPENSSL_FULL_VERSION_STR "3.1.1"
+# define OPENSSL_VERSION_STR "3.1.2"
+# define OPENSSL_FULL_VERSION_STR "3.1.2"
 /*
 * SECTION 3: ADDITIONAL METADATA
 *
 * These strings are defined separately to allow them to be parsable.
 */
-# define OPENSSL_RELEASE_DATE "30 May 2023"
+# define OPENSSL_RELEASE_DATE "1 Aug 2023"
 /*
 * SECTION 4: BACKWARD COMPATIBILITY
 */
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.1.1 30 May 2023"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.1.2 1 Aug 2023"
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/include/openssl/x509err.h b/include/openssl/x509err.h
index ffe7ed834..5a9aca949 100644
--- a/include/openssl/x509err.h
+++ b/include/openssl/x509err.h
@@ -6,7 +6,7 @@
 *
 * This file has been modified for use with AmiSSL for AmigaOS-based systems.
 *
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -42,6 +42,7 @@
 # define X509_R_CERT_ALREADY_IN_HASH_TABLE 101
 # define X509_R_CRL_ALREADY_DELTA 127
 # define X509_R_CRL_VERIFY_FAILURE 131
+# define X509_R_DUPLICATE_ATTRIBUTE 140
 # define X509_R_ERROR_GETTING_MD_BY_NID 141
 # define X509_R_ERROR_USING_SIGINF_SET 142
 # define X509_R_IDP_MISMATCH 128
diff --git a/src/amisslmaster_library.c b/src/amisslmaster_library.c
index 4c2857714..552e9b1e7 100644
--- a/src/amisslmaster_library.c
+++ b/src/amisslmaster_library.c
@@ -249,7 +249,8 @@ LIBPROTO(OpenAmiSSL, struct Library *, REG(a6, UNUSED __BASE_OR_IFACE))
 // (https://wiki.openssl.org/index.php/OpenSSL_3.0#Versioning_Scheme) but we must
 // take care to prevent applications requiring newer API functions from loading
 // older libraries that do not contain those required entries
- if(LibAPIVersion <= AMISSL_V311 && OpenLib(&AmiSSLBase,"311") == NULL)
+ if(LibAPIVersion <= AMISSL_V312 && OpenLib(&AmiSSLBase,"312") == NULL
+ && OpenLib(&AmiSSLBase,"311") == NULL)
 if(LibAPIVersion <= AMISSL_V310 && OpenLib(&AmiSSLBase,"310") == NULL)
 if(LibAPIVersion <= AMISSL_V308 && OpenLib(&AmiSSLBase,"308") == NULL)
 if(LibAPIVersion <= AMISSL_V307 && OpenLib(&AmiSSLBase,"307") == NULL
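Review bot: The `"311"` open now sits under the `LibAPIVersion <= AMISSL_V312` guard, so a caller that asks for AMISSL_V312 gets the 311 library whenever the 312 one fails to open. That is presumably the 3.1.1 build without the three CVE fixes listed in this commit's CHANGES.md entry, and the comment just above says older libraries must not be loaded for newer API requests. If the merge is deliberate because 3.1.2 adds no library entries, record it with a comment such as `// 3.1.2 adds no API entries over 3.1.1, so V312 callers may fall back to "311"`. Otherwise keep the guards separate: `if(LibAPIVersion <= AMISSL_V312 && OpenLib(&AmiSSLBase,"312") == NULL)` followed by `if(LibAPIVersion <= AMISSL_V311 && OpenLib(&AmiSSLBase,"311") == NULL)`. The if-chain continues past the end of the hunk, so what happens after every open fails is not visible here.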