packages/compat-openssl11
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

modify

Browse Source
This commit is contained in:
fangxiuning 2023-03-08 03:25:40 +00:00
parent 7a554dc1da
commit 76c90837f0
4 changed files with 255 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
backport-CVE-2023-0215-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch Normal file
View File

@ -0,0 +1,80 @@
From f040f2577891d2bdb7610566c172233844cf673a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 14 Dec 2022 17:15:18 +0000
Subject: [PATCH] Check CMS failure during BIO setup with -stream is handled
correctly
Test for the issue fixed in the previous commit
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
test/recipes/80-test_cms.t | 15 +++++++++++++--
test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
2 files changed, 31 insertions(+), 2 deletions(-)
create mode 100644 test/smime-certs/badrsa.pem
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 5dc6a3aebe..ec11bfc253 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -13,7 +13,7 @@ use warnings;
use POSIX;
use File::Spec::Functions qw/catfile/;
use File::Compare qw/compare_text/;
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
use OpenSSL::Test::Utils;
setup("test_cms");
@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt");
my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
= disabled qw/des dh dsa ec ec2m rc2 zlib/;
-plan tests => 6;
+plan tests => 7;
my @smime_pkcs7_tests = (
@@ -584,3 +584,14 @@ sub check_availability {
return "";
}
+
+# Check that we get the expected failure return code
+with({ exit_checker => sub { return shift == 6; } },
+ sub {
+ ok(run(app(['openssl', 'cms', '-encrypt',
+ '-in', srctop_file("test", "smcont.txt"),
+ '-stream', '-recip',
+ srctop_file("test/smime-certs", "badrsa.pem"),
+ ])),
+ "Check failure during BIO setup with -stream is handled correctly");
+ });
diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
new file mode 100644
index 0000000000..f824fc2267
--- /dev/null
+++ b/test/smime-certs/badrsa.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
+-----END CERTIFICATE-----
--
2.17.1

106
backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch Normal file
View File

@ -0,0 +1,106 @@
From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 14 Dec 2022 16:18:14 +0000
Subject: [PATCH] Fix a UAF resulting from a bug in BIO_new_NDEF
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
be part of an invalid BIO chain. This causes a "use after free" when the
BIO is eventually freed.
Based on an original patch by Viktor Dukhovni and an idea from Theo
Buehler.
Thanks to Octavio Galland for reporting this issue.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
index 760e4846a4..f8d4b1b9aa 100644
--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
void *parg);
+/*
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
+ * On failure, NULL is returned and the input BIO is owned by the caller.
+ *
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
+ */
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
{
NDEF_SUPPORT *ndef_aux = NULL;
BIO *asn_bio = NULL;
const ASN1_AUX *aux = it->funcs;
ASN1_STREAM_ARG sarg;
+ BIO *pop_bio = NULL;
if (!aux || !aux->asn1_cb) {
ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
out = BIO_push(asn_bio, out);
if (out == NULL)
goto err;
+ pop_bio = asn_bio;
- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
+ goto err;
/*
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
- * needs.
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
+ * ASN1 structure needs.
*/
sarg.out = out;
sarg.ndef_bio = NULL;
sarg.boundary = NULL;
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
+ /*
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
+ * middle of some partially built, but not returned BIO chain.
+ */
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
+ /*
+ * ndef_aux is now owned by asn_bio so we must not free it in the err
+ * clean up block
+ */
+ ndef_aux = NULL;
goto err;
+ }
+
+ /*
+ * We must not fail now because the callback has prepended additional
+ * BIOs to the chain
+ */
ndef_aux->val = val;
ndef_aux->it = it;
@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
ndef_aux->boundary = sarg.boundary;
ndef_aux->out = out;
- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
-
return sarg.ndef_bio;
err:
+ /* BIO_pop() is NULL safe */
+ (void)BIO_pop(pop_bio);
BIO_free(asn_bio);
OPENSSL_free(ndef_aux);
return NULL;
--
2.17.1

62
backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch Normal file
View File

@ -0,0 +1,62 @@
From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Tue, 17 Jan 2023 17:45:42 +0000
Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
crypto/x509v3/v3_genn.c | 2 +-
include/openssl/x509v3.h | 2 +-
test/v3nametest.c | 8 ++++++++
4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index 87a5eff47c..e54ddc55c9 100644
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
return -1;
switch (a->type) {
case GEN_X400:
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
break;
case GEN_EDIPARTY:
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 90fa3592ce..e61c0f29d4 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
OTHERNAME *otherName; /* otherName */
ASN1_IA5STRING *rfc822Name;
ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
+ ASN1_STRING *x400Address;
X509_NAME *directoryName;
EDIPARTYNAME *ediPartyName;
ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/test/v3nametest.c b/test/v3nametest.c
index d1852190b8..37819da8fd 100644
--- a/test/v3nametest.c
+++ b/test/v3nametest.c
@@ -646,6 +646,14 @@ static struct gennamedata {
0xb7, 0x09, 0x02, 0x02
},
15
+ }, {
+ /*
+ * Regression test for CVE-2023-0286.
+ */
+ {
+ 0xa3, 0x00
+ },
+ 2
}
};
--
2.17.1

8
compat-openssl11.spec
View File

@ -1,7 +1,7 @@
%define soversion 1.1
Name: compat-openssl11
Version: 1.1.1m
Release: 3
Release: 4
Epoch: 1
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay
@ -99,6 +99,9 @@ Patch88: backport-X509-x509_req.c-Set-modified-flag-when-X509_req_info.patch
Patch89: backport-ssl_cipher_process_rulestr-don-t-read-outside-rule_s.patch
Patch90: backport-CVE-2022-4304-Fix-Timing-Oracle-in-RSA-decryption.patch
Patch91: backport-CVE-2022-4450-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch
Patch92: backport-CVE-2023-0215-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
Patch93: backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
Patch94: backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
@ -232,6 +235,9 @@ make test || :
%ldconfig_scriptlets libs
%changelog
* Wed Mar 08 2023 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-4
- Fix some cves
* Tue Mar 07 2023 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-3
- Fix some cves