diff --git a/.github/workflows/macos_test.yml b/.github/workflows/macos_test.yml
index 29e6cdc..6e7adac 100644
--- a/.github/workflows/macos_test.yml
+++ b/.github/workflows/macos_test.yml
@@ -6,7 +6,7 @@ jobs:
 build-native:
 strategy:
 matrix:
- os: [macos-latest]
+ os: [macos-12, macos-11]
 compiler: [clang, gcc]
 runs-on: ${{ matrix.os }}
 continue-on-error: false
diff --git a/ChangeLog b/ChangeLog
index b58f52d..e4dc7ad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,63 @@ history is also available from Git. LibreSSL Portable Release Notes: +3.5.2 - Stable release + + * Bug fixes + - Avoid single byte overread in asn1_parse2(). + - Allow name constraints with a leading dot. From Alex Wilson. + - Relax a check in x509_constraints_dirname() to allow prefixes. + From Alex Wilson. + - Fix NULL dereferences in openssl(1) cms option parsing. + - Do not zero the computed cofactor on ec_guess_cofactor() success. + - Bound cofactor in EC_GROUP_set_generator() to reduce the number of + bogus groups that can be described with nonsensical parameters. + - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low + memory conditions. Reported for HMAC by Masaru Masuda. + - Plug leak in ASN1_TIME_adj_internal(). + - Avoid infinite loop for custom curves of order 1. + Issue reported by Hanno Boeck, comments by David Benjamin. + - Avoid an infinite loop on parsing DSA private keys by validating + that the provided parameters conform to FIPS 186-4. + Issue reported by Hanno Boeck, comments by David Benjamin. + * Compatibility improvements + - Allow non-standard name constraints of the form @domain.com. + * Internal improvements + - Limit OID text conversion to 64 bits per arc. + - Clean up and simplify memory BIO code. + - Reduce number of memmove() calls in memory BIOs. + - Factor out alert handling code in the legacy stack. + - Add sanity checks on p and q in old_dsa_priv_decode() + - Cache the SHA-512 hash instead of the SHA-1 for CRLs. + - Suppress various compiler warnings for old gcc versions. + - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i(). + - Rework ownership handling in x509_constraints_validate(). + - Rework ASN1_STRING_set(). + - Remove const from tls1_transcript_hash_value(). + - Clean up and simplify ssl3_renegotiate{,_check}(). + - Rewrite legacy TLS and DTLS unexpected handshake message handling. + - Simplify SSL_do_handshake(). + - Rewrite ASCII/text to ASN.1 object conversion. 
+ - Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj(). + - Split armv7 and aarch64 code into separate locations. + - Rewrote openssl(1) ts to use the new option handling and cleaned + up the C code. + - Provide asn1_get_primitive(). + - Convert {c2i,d2i}_ASN1_OBJECT() to CBS. + - Remove the minimum record length checks from dtls1_read_bytes(). + - Clean up {dtls1,ssl3}_read_bytes(). + - Be more careful with embedded and terminating NULs in the new + name constraints code. + - Check EVP_Digest* return codes in openssl(1) ts + - Various minor code cleanup in openssl(1) pkcs12 + - Use calloc() in pkey_hmac_init(). + - Simplify priv_key handling in d2i_ECPrivateKey(). + * Documentation improvements + - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after + refactoring and bug fixes. + - Fixed numerous minor grammar, spelling, wording, and punctuation + issues. + 3.5.1 - Security release * A malicious certificate can cause an infinite loop. diff --git a/apps/nc/compat/sys/socket.h b/apps/nc/compat/sys/socket.h index 13eb380..2c7ee4f 100644 --- a/apps/nc/compat/sys/socket.h +++ b/apps/nc/compat/sys/socket.h @@ -6,8 +6,7 @@ #ifndef _WIN32 #include_next -#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC) -#define NEED_SOCKET_FLAGS +#if defined(NEED_SOCKET_FLAGS) int _socket(int domain, int type, int protocol); #ifndef SOCKET_FLAGS_PRIV #define socket(d, t, p) _socket(d, t, p) diff --git a/appveyor.yml b/appveyor.yml index bdb8001..33a32da 100644 --- a/appveyor.yml +++ b/appveyor.yml 
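Review bot: The new `#if defined(NEED_SOCKET_FLAGS)` in apps/nc/compat/sys/socket.h carries no comment saying where the macro now comes from, so a reader of this header alone cannot tell that it is set by include/compat/sys/socket.h (the hunk adding `#define NEED_SOCKET_FLAGS` under the `!defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)` check) and only reaches this file through the `#include_next` above it. I would add `/* NEED_SOCKET_FLAGS is defined by include/compat/sys/socket.h when the platform lacks SOCK_NONBLOCK/SOCK_CLOEXEC; it selects the _socket() wrapper below. */` above the `#if`, and a matching one-liner beside the new define in include/compat/sys/socket.h. The wrapper is now compiled only when that compat header is the one `#include_next` actually resolves to, which presumably depends on include-path order and is worth stating in the same comment. The `#include_next` argument is not visible in this rendering, and the enclosing `#ifndef _WIN32` block continues past the hunk.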
@@ -1,26 +1,26 @@ image: - - Previous Visual Studio 2019 + - Visual Studio 2019 environment: PATH: C:\msys64\usr\bin;C:\msys64\mingw64\bin;C:\Windows\System32;C:\Windows;%PATH% matrix: - - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019 + - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019 GENERATOR: Visual Studio 16 2019 ARCHITECTURE: Win32 CONFIG: Release SHARED_LIBS: ON - - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019 + - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019 GENERATOR: Visual Studio 16 2019 ARCHITECTURE: Win32 CONFIG: Release SHARED_LIBS: OFF - - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019 + - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019 GENERATOR: Visual Studio 16 2019 ARCHITECTURE: x64 CONFIG: Release SHARED_LIBS: ON - - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019 + - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019 GENERATOR: Visual Studio 16 2019 ARCHITECTURE: x64 CONFIG: Release diff --git a/include/compat/sys/socket.h b/include/compat/sys/socket.h index 10eb05f..2f0b197 100644 --- a/include/compat/sys/socket.h +++ b/include/compat/sys/socket.h @@ -10,6 +10,7 @@ #endif #if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC) +#define NEED_SOCKET_FLAGS #define SOCK_CLOEXEC 0x8000 /* set FD_CLOEXEC */ #define SOCK_NONBLOCK 0x4000 /* set O_NONBLOCK */ int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2]); diff --git a/scripts/test b/scripts/test index 80fa988..f2f0cb8 100755 --- a/scripts/test +++ b/scripts/test @@ -20,24 +20,24 @@ if [ "x$ARCH" = "xnative" ]; then # test cmake and ninja if [ `uname` = "Darwin" ]; then cmake .. - make + make -j 4 make test cd ../build-shared cmake -DBUILD_SHARED_LIBS=ON .. - make + make -j 4 make test else sudo apt-get update sudo apt-get install -y cmake ninja-build cmake -GNinja .. - ninja + ninja -j 4 ninja test cd ../build-shared cmake -GNinja -DBUILD_SHARED_LIBS=ON .. - ninja + ninja -j 4 ninja test fi 
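Review bot: The job count 4 is hard-coded in eight separate `make -j 4` / `ninja -j 4` lines across this hunk and the `@@ -58,21 +58,21 @@` hunk, so any later adjustment has to touch every one of them. A single `JOBS=4` near the top of scripts/test with `make -j "$JOBS"` and `ninja -j "$JOBS"` keeps the value in one place and makes the override point obvious. The enclosing `if [ "x$ARCH" = "xnative" ]` block continues past this hunk.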
@@ -58,21 +58,21 @@ elif [ "x$ARCH" = "xmingw32" -o "x$ARCH" = "xmingw64" ]; then fi ./configure --host=$CPU-w64-mingw32 - make -j + make -j 4 ( rm -fr build-static mkdir build-static cd build-static cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=../scripts/$CPU-w64-mingw32.cmake .. - ninja + ninja -j 4 ) ( rm -fr build-shared mkdir build-shared cd build-shared cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=../scripts/$CPU-w64-mingw32.cmake -DBUILD_SHARED_LIBS=ON .. - ninja + ninja -j 4 ) elif [ "x$ARCH" = "xarm32" -o "x$ARCH" = "xarm64" ]; then diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 7c80002..e6cb2bc 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -341,6 +341,11 @@ add_executable(mont mont.c) target_link_libraries(mont ${OPENSSL_TEST_LIBS}) add_test(mont mont) +# objectstest +add_executable(objectstest objectstest.c) +target_link_libraries(objectstest ${OPENSSL_TEST_LIBS}) +add_test(objectstest objectstest) + # ocsp_test if(ENABLE_EXTRATESTS) add_executable(ocsp_test ocsp_test.c) diff --git a/tests/Makefile.am b/tests/Makefile.am index e58c0c0..6c88c90 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -354,6 +354,11 @@ TESTS += mont check_PROGRAMS += mont mont_SOURCES = mont.c +# objectstest +TESTS += objectstest +check_PROGRAMS += objectstest +objectstest_SOURCES = objectstest.c + # ocsp_test if ENABLE_EXTRATESTS TESTS += ocsptest.sh