Update to v3.3.5 (#4)

CMakeLists.txt

@@ -298,6 +298,7 @@ if(ENABLE_ASM)
 		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
 			set(HOST_ASM_ELF_X86_64 true)
 		endif()
+		add_definitions(-DHAVE_GNU_STACK)
 	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
 		set(HOST_ASM_MACOSX_X86_64 true)
 	elseif(MSVC AND ("${CMAKE_GENERATOR}" MATCHES "Win64" OR "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64"))

ChangeLog

@@ -28,6 +28,24 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+3.3.5 - Security fix
+
+	* A stack overread could occur when checking X.509 name constraints.
+	  From GoldBinocle on GitHub.
+
+	* Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
+	  This compensates for the expiry of the DST Root X3 certificate.
+
+3.3.4 - Security fix
+
+	* In LibreSSL, printing a certificate can result in a crash in
+	  X509_CERT_AUX_print().
+	  From Ingo Schwarze
+
+	* Ensure GNU-stack is set on ELF platforms when building with CMake to
+	  enable non-executable stack annotations for the GNU toolchain.
+	  From Tobias Heider
+
 3.3.3 - Stable release
 
 	* This is the first stable release from the 3.3.x series.

VERSION

@@ -1,2 +1,2 @@
-3.3.3.0
+3.3.5.0
 

cert.pem

@@ -1,4 +1,4 @@
-# $OpenBSD: cert.pem,v 1.22 2021/02/12 12:16:53 sthen Exp $
+# $OpenBSD: cert.pem,v 1.22.2.1 2021/09/30 18:28:20 deraadt Exp $
 ### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
 
 === /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
@@ -1965,49 +1965,6 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
 gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 -----END CERTIFICATE-----
 
-### Digital Signature Trust Co.
-
-=== /O=Digital Signature Trust Co./CN=DST Root CA X3
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Sep 30 21:12:19 2000 GMT
-            Not After : Sep 30 14:01:15 2021 GMT
-        Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
-SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
-SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-
 ### Disig a.s.
 
 === /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libressl 3.3.3.
+# Generated by GNU Autoconf 2.69 for libressl 3.3.5.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='libressl'
 PACKAGE_TARNAME='libressl'
-PACKAGE_VERSION='3.3.3'
-PACKAGE_STRING='libressl 3.3.3'
+PACKAGE_VERSION='3.3.5'
+PACKAGE_STRING='libressl 3.3.5'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1452,7 +1452,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures libressl 3.3.3 to adapt to many kinds of systems.
+\`configure' configures libressl 3.3.5 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1523,7 +1523,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of libressl 3.3.3:";;
+     short | recursive ) echo "Configuration of libressl 3.3.5:";;
    esac
   cat <<\_ACEOF
 
@@ -1641,7 +1641,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-libressl configure 3.3.3
+libressl configure 3.3.5
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2189,7 +2189,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by libressl $as_me 3.3.3, which was
+It was created by libressl $as_me 3.3.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3125,7 +3125,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='libressl'
- VERSION='3.3.3'
+ VERSION='3.3.5'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -14945,7 +14945,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by libressl $as_me 3.3.3, which was
+This file was extended by libressl $as_me 3.3.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -15002,7 +15002,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-libressl config.status 3.3.3
+libressl config.status 3.3.5
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

crypto/asn1/t_x509a.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509a.c,v 1.8 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: t_x509a.c,v 1.8.16.1 2021/08/20 19:54:59 benno Exp $ */
 /* Written by Dr Stephen N Henson ([email protected]) for the OpenSSL
  * project 1999.
  */
@@ -105,8 +105,8 @@ X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
 	} else
 		BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
 	if (aux->alias)
-		BIO_printf(out, "%*sAlias: %s\n", indent, "",
-		    aux->alias->data);
+		BIO_printf(out, "%*sAlias: %.*s\n", indent, "",
+		    aux->alias->length, aux->alias->data);
 	if (aux->keyid) {
 		BIO_printf(out, "%*sKey Id: ", indent, "");
 		for (i = 0; i < aux->keyid->length; i++)

crypto/x509/x509_constraints.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.15 2021/03/12 15:57:30 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.15.2.1 2021/09/26 14:07:40 deraadt Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <[email protected]>
  *
@@ -334,16 +334,16 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
 			if (c == '.')
 				goto bad;
 		}
-		if (wi > DOMAIN_PART_MAX_LEN)
-			goto bad;
 		if (accept) {
+			if (wi >= DOMAIN_PART_MAX_LEN)
+				goto bad;
 			working[wi++] = c;
 			accept = 0;
 			continue;
 		}
 		if (candidate_local != NULL) {
 			/* We are looking for the domain part */
-			if (wi > DOMAIN_PART_MAX_LEN)
+			if (wi >= DOMAIN_PART_MAX_LEN)
 				goto bad;
 			working[wi++] = c;
 			if (i == len - 1) {
@@ -358,7 +358,7 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
 			continue;
 		}
 		/* We are looking for the local part */
-		if (wi > LOCAL_PART_MAX_LEN)
+		if (wi >= LOCAL_PART_MAX_LEN)
 			break;
 
 		if (quoted) {
@@ -378,6 +378,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
 			 */
 			if (c == 9)
 				goto bad;
+			if (wi >= LOCAL_PART_MAX_LEN)
+				goto bad;
 			working[wi++] = c;
 			continue; /* all's good inside our quoted string */
 		}
@@ -407,6 +409,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
 		}
 		if (!local_part_ok(c))
 			goto bad;
+		if (wi >= LOCAL_PART_MAX_LEN)
+			goto bad;
 		working[wi++] = c;
 	}
 	if (candidate_local == NULL || candidate_domain == NULL)

crypto/x509/x509_vpm.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.25 2021/04/15 14:15:03 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.25.2.1 2021/09/30 18:25:43 deraadt Exp $ */
 /* Written by Dr Stephen N Henson ([email protected]) for the OpenSSL
  * project 2004.
  */
@@ -598,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
 static const X509_VERIFY_PARAM default_table[] = {
 	{
 		.name = "default",
+		.flags = X509_V_FLAG_TRUSTED_FIRST,
 		.depth = 100,
 		.trust = 0,  /* XXX This is not the default trust value */
 		.id = vpm_empty_id

include/openssl/opensslv.h

@@ -3,9 +3,9 @@
 #define HEADER_OPENSSLV_H
 
 /* These will change with each release of LibreSSL-portable */
-#define LIBRESSL_VERSION_NUMBER 0x3030300fL
+#define LIBRESSL_VERSION_NUMBER 0x3030500fL
 /*                                    ^ Patch starts here   */
-#define LIBRESSL_VERSION_TEXT   "LibreSSL 3.3.3"
+#define LIBRESSL_VERSION_TEXT   "LibreSSL 3.3.5"
 
 /* These will never change */
 #define OPENSSL_VERSION_NUMBER	0x20000000L