packages/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

patchs

Browse Source
This commit is contained in:
fangxiuning 2022-11-07 11:02:18 +08:00
parent 614a65544c
commit 59b3a1464c
11 changed files with 882 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

157
backport-Add-test-for-empty-supported-groups-extension.patch Normal file
View File

@ -0,0 +1,157 @@
From c7d6c08290b67cbeef2b4f636f04788ea405520a Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 29 Apr 2022 17:02:19 +0200
Subject: [PATCH] Add test for empty supported-groups extension
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18213)
---
test/recipes/80-test_ssl_new.t | 4 +-
test/ssl-tests/16-certstatus.conf | 0
test/ssl-tests/30-supported-groups.conf | 54 ++++++++++++++++++++++
test/ssl-tests/30-supported-groups.conf.in | 45 ++++++++++++++++++
4 files changed, 102 insertions(+), 1 deletion(-)
delete mode 100644 test/ssl-tests/16-certstatus.conf
create mode 100644 test/ssl-tests/30-supported-groups.conf
create mode 100644 test/ssl-tests/30-supported-groups.conf.in
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 81d8f59a70..fa62b30850 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
-plan tests => 29; # = scalar @conf_srcs
+plan tests => 30; # = scalar @conf_srcs
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
@@ -70,6 +70,8 @@ my %conf_dependent_tests = (
"25-cipher.conf" => disabled("poly1305") || disabled("chacha"),
"27-ticket-appdata.conf" => !$is_default_tls,
"28-seclevel.conf" => disabled("tls1_2") || $no_ec,
+ "30-supported-groups.conf" => disabled("tls1_2") || disabled("tls1_3")
+ || $no_ec || $no_ec2m
);
# Add your test here if it should be skipped for some compile-time
diff --git a/test/ssl-tests/16-certstatus.conf b/test/ssl-tests/16-certstatus.conf
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/test/ssl-tests/30-supported-groups.conf b/test/ssl-tests/30-supported-groups.conf
new file mode 100644
index 0000000000..4280db7114
--- /dev/null
+++ b/test/ssl-tests/30-supported-groups.conf
@@ -0,0 +1,54 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 2
+
+test-0 = 0-Just a sanity test case
+test-1 = 1-Pass with empty groups with TLS1.2
+# ===========================================================
+
+[0-Just a sanity test case]
+ssl_conf = 0-Just a sanity test case-ssl
+
+[0-Just a sanity test case-ssl]
+server = 0-Just a sanity test case-server
+client = 0-Just a sanity test case-client
+
+[0-Just a sanity test case-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-Just a sanity test case-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[1-Pass with empty groups with TLS1.2]
+ssl_conf = 1-Pass with empty groups with TLS1.2-ssl
+
+[1-Pass with empty groups with TLS1.2-ssl]
+server = 1-Pass with empty groups with TLS1.2-server
+client = 1-Pass with empty groups with TLS1.2-client
+
+[1-Pass with empty groups with TLS1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-Pass with empty groups with TLS1.2-client]
+CipherString = DEFAULT
+Groups = sect163k1
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+
+
diff --git a/test/ssl-tests/30-supported-groups.conf.in b/test/ssl-tests/30-supported-groups.conf.in
new file mode 100644
index 0000000000..438a07a11f
--- /dev/null
+++ b/test/ssl-tests/30-supported-groups.conf.in
@@ -0,0 +1,45 @@
+# -*- mode: perl; -*-
+# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## SSL test configurations
+
+package ssltests;
+use OpenSSL::Test::Utils;
+
+our @tests = (
+ {
+ name => "Just a sanity test case",
+ server => { },
+ client => { },
+ test => { "ExpectedResult" => "Success" },
+ },
+);
+
+our @tests_tls1_3 = (
+ {
+ name => "Fail empty groups with TLS1.3",
+ server => { },
+ client => { "Groups" => "sect163k1" },
+ test => { "ExpectedResult" => "ClientFail" },
+ },
+);
+
+our @tests_tls1_2 = (
+ {
+ name => "Pass with empty groups with TLS1.2",
+ server => { },
+ client => { "Groups" => "sect163k1",
+ "MaxProtocol" => "TLSv1.2" },
+ test => { "ExpectedResult" => "Success" },
+ },
+);
+
+push @tests, @tests_tls1_3 unless disabled("tls1_3")
+ || !disabled("ec2m") || disabled("ec");
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
--
2.17.1

54
backport-Do-not-send-an-empty-supported-groups-extension.patch Normal file
View File

@ -0,0 +1,54 @@
From bd164884f258d99ca876f6cdcdf9bd0dcceee6ad Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 29 Apr 2022 16:36:36 +0200
Subject: [PATCH] Do not send an empty supported groups extension
This allows handshake to proceed if the maximum TLS version enabled is <1.3
Fixes #13583
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18213)
---
CHANGES | 24 ++++++++++++++----------
ssl/statem/extensions_clnt.c | 16 +++++++++++++++-
2 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 9d38ac23b5..036a9b3c48 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -118,6 +118,8 @@ static int use_ecc(SSL *s)
int i, end, ret = 0;
unsigned long alg_k, alg_a;
STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
+ const uint16_t *pgroups = NULL;
+ size_t num_groups, j;
/* See if we support any ECC ciphersuites */
if (s->version == SSL3_VERSION)
@@ -139,7 +141,19 @@ static int use_ecc(SSL *s)
}
sk_SSL_CIPHER_free(cipher_stack);
- return ret;
+ if (!ret)
+ return 0;
+
+ /* Check we have at least one EC supported group */
+ tls1_get_supported_groups(s, &pgroups, &num_groups);
+ for (j = 0; j < num_groups; j++) {
+ uint16_t ctmp = pgroups[j];
+
+ if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
+ return 1;
+ }
+
+ return 0;
}
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
--
2.17.1

93
backport-Fix-a-crash-in-asn1_item_embed_new.patch Normal file
View File

@ -0,0 +1,93 @@
From 8e60f41d064786f95440e4c56660ffe9777783d7 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Fri, 20 May 2022 08:02:47 +0200
Subject: [PATCH] Fix a crash in asn1_item_embed_new
This happens usually if an template object is created
and there is an out of memory error before the ASN1_OP_NEW_POST
method is called, but asn1_item_embed_free calls now the
ASN1_OP_FREE_POST which may crash because the object is not
properly initialized. Apparently that is only an issue with
the ASN1_OP_FREE_POST handling of crypot/x509/x_crl.c, which
ought to be tolerant to incomplete initialized objects.
The error can be reproduced with the reproducible error injection patch:
$ ERROR_INJECT=1652890550 ../util/shlib_wrap.sh ./asn1-test ./corpora/asn1/0ff17293911f54d1538b9896563a4048d67d9ee4
#0 0x7faae9dbeeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
#1 0x408dc4 in my_malloc fuzz/test-corpus.c:114
#2 0x7faae99f2430 in CRYPTO_zalloc crypto/mem.c:230
#3 0x7faae97f09e5 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341
#4 0x7faae98118f7 in asn1_primitive_new crypto/asn1/tasn_new.c:318
#5 0x7faae9812401 in asn1_item_embed_new crypto/asn1/tasn_new.c:78
#6 0x7faae9812401 in asn1_template_new crypto/asn1/tasn_new.c:240
#7 0x7faae9812315 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
#8 0x7faae9812315 in asn1_template_new crypto/asn1/tasn_new.c:240
#9 0x7faae9812a54 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
#10 0x7faae9812a54 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
#11 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
#12 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
#13 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#14 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#15 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#16 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
#17 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#18 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#19 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#20 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
#21 0x40893b in testfile fuzz/test-corpus.c:182
#22 0x406b86 in main fuzz/test-corpus.c:226
#23 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1194==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7faae9b0625f bp 0x7fffffe41a00 sp 0x7fffffe41920 T0)
==1194==The signal is caused by a READ memory access.
==1194==Hint: address points to the zero page.
#0 0x7faae9b0625f in crl_cb crypto/x509/x_crl.c:258
#1 0x7faae9811255 in asn1_item_embed_free crypto/asn1/tasn_fre.c:113
#2 0x7faae9812a65 in asn1_item_embed_new crypto/asn1/tasn_new.c:150
#3 0x7faae9812a65 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
#4 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
#5 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
#6 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#7 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#8 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#9 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
#10 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#11 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#12 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#13 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
#14 0x40893b in testfile fuzz/test-corpus.c:182
#15 0x406b86 in main fuzz/test-corpus.c:226
#16 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509/x_crl.c:258 in crl_cb
==1194==ABORTING
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18360)
(cherry picked from commit 557825acd622f98fc21423aba092e374db84f483)
---
crypto/x509/x_crl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index c9762f9e23..9af39a45fc 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -255,7 +255,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
break;
case ASN1_OP_FREE_POST:
- if (crl->meth->crl_free) {
+ if (crl->meth != NULL && crl->meth->crl_free != NULL) {
if (!crl->meth->crl_free(crl))
return 0;
}
--
2.17.1

88
backport-Fix-a-crash-in-ssl_security_cert_chain.patch Normal file
View File

@ -0,0 +1,88 @@
From 4a28f8451fbc1848fd2d1b99203a7c75876123f6 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun, 22 May 2022 20:12:56 +0200
Subject: [PATCH] Fix a crash in ssl_security_cert_chain
Prior to the crash there is an out of memory error
in X509_verify_cert which makes the chain NULL or
empty. The error is ignored by ssl_add_cert_chain,
and ssl_security_cert_chain crashes due to the
unchecked null pointer.
This is reproducible with my error injection patch.
The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.
$ ERROR_INJECT=1652848273 ../util/shlib_wrap.sh ./server-test ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8# ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8
#0 0x7f3a8f766eba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
#1 0x403ba4 in my_malloc fuzz/test-corpus.c:114
#2 0x7f3a8f39a430 in CRYPTO_zalloc crypto/mem.c:230
#3 0x7f3a8f46bd3b in sk_reserve crypto/stack/stack.c:180
#4 0x7f3a8f46bd3b in OPENSSL_sk_insert crypto/stack/stack.c:242
#5 0x7f3a8f4a4fd8 in sk_X509_push include/openssl/x509.h:99
#6 0x7f3a8f4a4fd8 in X509_verify_cert crypto/x509/x509_vfy.c:286
#7 0x7f3a8fed726e in ssl_add_cert_chain ssl/statem/statem_lib.c:959
#8 0x7f3a8fed726e in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
#9 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
#10 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
#11 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
#12 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
#13 0x403202 in FuzzerTestOneInput fuzz/server.c:740
#14 0x40371b in testfile fuzz/test-corpus.c:182
#15 0x402856 in main fuzz/test-corpus.c:226
#16 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#17 0x402936 (/home/ed/OPC/openssl/fuzz/server-test+0x402936)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8400==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000158 (pc 0x7f3a8f4d822f bp 0x7ffc39b76190 sp 0x7ffc39b760a0 T0)
==8400==The signal is caused by a READ memory access.
==8400==Hint: address points to the zero page.
#0 0x7f3a8f4d822f in x509v3_cache_extensions crypto/x509v3/v3_purp.c:386
#1 0x7f3a8f4d9d3a in X509_check_purpose crypto/x509v3/v3_purp.c:84
#2 0x7f3a8f4da02a in X509_get_extension_flags crypto/x509v3/v3_purp.c:921
#3 0x7f3a8feff7d2 in ssl_security_cert_sig ssl/t1_lib.c:2518
#4 0x7f3a8feff7d2 in ssl_security_cert ssl/t1_lib.c:2542
#5 0x7f3a8feffa03 in ssl_security_cert_chain ssl/t1_lib.c:2562
#6 0x7f3a8fed728d in ssl_add_cert_chain ssl/statem/statem_lib.c:963
#7 0x7f3a8fed728d in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
#8 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
#9 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
#10 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
#11 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
#12 0x403202 in FuzzerTestOneInput fuzz/server.c:740
#13 0x40371b in testfile fuzz/test-corpus.c:182
#14 0x402856 in main fuzz/test-corpus.c:226
#15 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#16 0x402936 (/home/ed/OPC/openssl/fuzz/server-test+0x402936)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509v3/v3_purp.c:386 in x509v3_cache_extensions
==8400==ABORTING
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18376)
(cherry picked from commit dc0ef292f7df4ce0c49c64b47726a6768f9ac044)
---
ssl/t1_lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b1d3add187..4de4623a49 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2555,6 +2555,8 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
int rv, start_idx, i;
if (x == NULL) {
x = sk_X509_value(sk, 0);
+ if (x == NULL)
+ return ERR_R_INTERNAL_ERROR;
start_idx = 1;
} else
start_idx = 0;
--
2.17.1

118
backport-Fix-a-memory-leak-in-crl_set_issuers.patch Normal file
View File

@ -0,0 +1,118 @@
From 8754fa5f60ac4fdb5127f2eded9c7bbe0651c880 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sat, 21 May 2022 07:50:46 +0200
Subject: [PATCH] Fix a memory leak in crl_set_issuers
This can be reproduced with my error injection patch.
The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.
$ ERROR_INJECT=1653520461 ../util/shlib_wrap.sh ./cms-test ./corpora/cms/3eff1d2f1232bd66d5635db2c3f9e7f23830dfd1
log file: cms-3eff1d2f1232bd66d5635db2c3f9e7f23830dfd1-32454-test.out
ERROR_INJECT=1653520461
#0 0x7fd5d8b8eeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
#1 0x402fc4 in my_realloc fuzz/test-corpus.c:129
#2 0x7fd5d8893c49 in sk_reserve crypto/stack/stack.c:198
#3 0x7fd5d8893c49 in OPENSSL_sk_insert crypto/stack/stack.c:242
#4 0x7fd5d88d6d7f in sk_GENERAL_NAMES_push include/openssl/x509v3.h:168
#5 0x7fd5d88d6d7f in crl_set_issuers crypto/x509/x_crl.c:111
#6 0x7fd5d88d6d7f in crl_cb crypto/x509/x_crl.c:246
#7 0x7fd5d85dc032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432
#8 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#9 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#10 0x7fd5d85db2b5 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:259
#11 0x7fd5d85dc813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
#12 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#13 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#14 0x7fd5d85dca28 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:633
#15 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#16 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#17 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#18 0x7fd5d85dd7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
#19 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#20 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#21 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#22 0x7fd5d85a77e0 in ASN1_item_d2i_bio crypto/asn1/a_d2i_fp.c:69
#23 0x402845 in FuzzerTestOneInput fuzz/cms.c:43
#24 0x402bbb in testfile fuzz/test-corpus.c:182
#25 0x402626 in main fuzz/test-corpus.c:226
#26 0x7fd5d7c81f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#27 0x402706 (/home/ed/OPC/openssl/fuzz/cms-test+0x402706)
=================================================================
==29625==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x7fd5d8b8309f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fd5d87c2430 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fd5d889501f in OPENSSL_sk_new_reserve crypto/stack/stack.c:209
#3 0x7fd5d85dcbc3 in sk_ASN1_VALUE_new_null include/openssl/asn1t.h:928
#4 0x7fd5d85dcbc3 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:577
#5 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#6 0x7fd5d85db104 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:178
#7 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#8 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#9 0x7fd5d88f86d9 in X509V3_EXT_d2i crypto/x509v3/v3_lib.c:142
#10 0x7fd5d88d6d3c in crl_set_issuers crypto/x509/x_crl.c:97
#11 0x7fd5d88d6d3c in crl_cb crypto/x509/x_crl.c:246
#12 0x7fd5d85dc032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432
#13 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#14 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#15 0x7fd5d85db2b5 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:259
#16 0x7fd5d85dc813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
#17 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#18 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#19 0x7fd5d85dca28 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:633
#20 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
#21 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#22 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
#23 0x7fd5d85dd7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
#24 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
#25 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
#26 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
#27 0x7fd5d85a77e0 in ASN1_item_d2i_bio crypto/asn1/a_d2i_fp.c:69
#28 0x402845 in FuzzerTestOneInput fuzz/cms.c:43
#29 0x402bbb in testfile fuzz/test-corpus.c:182
#30 0x402626 in main fuzz/test-corpus.c:226
#31 0x7fd5d7c81f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: 32 byte(s) leaked in 1 allocation(s).
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18391)
(cherry picked from commit e9007e09792e3735d4973743634ff55d354fc7d8)
---
crypto/x509/x_crl.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 9af39a45fc..a4e4a415de 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -103,13 +103,17 @@ static int crl_set_issuers(X509_CRL *crl)
if (gtmp) {
gens = gtmp;
- if (!crl->issuers) {
+ if (crl->issuers == NULL) {
crl->issuers = sk_GENERAL_NAMES_new_null();
- if (!crl->issuers)
+ if (crl->issuers == NULL) {
+ GENERAL_NAMES_free(gtmp);
return 0;
+ }
}
- if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp))
+ if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) {
+ GENERAL_NAMES_free(gtmp);
return 0;
+ }
}
rev->issuer = gens;
--
2.17.1

61
backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch Normal file
View File

@ -0,0 +1,61 @@
From 8e1ece20cdb4a584be5311370256c4e813c09826 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Fri, 20 May 2022 16:15:44 +0200
Subject: [PATCH] Fix a memory leak in ec_key_simple_oct2priv
This is reproducible with my error injection patch:
$ ERROR_INJECT=1652710284 ../util/shlib_wrap.sh ./server-test ./corpora/server/4e48da8aecce6b9b58e8e4dbbf0523e6d2dd56dc
140587884632000:error:03078041:bignum routines:bn_expand_internal:malloc failure:crypto/bn/bn_lib.c:282:
140587884632000:error:10103003:elliptic curve routines:ec_key_simple_oct2priv:BN lib:crypto/ec/ec_key.c:662:
140587884632000:error:100DE08E:elliptic curve routines:old_ec_priv_decode:decode error:crypto/ec/ec_ameth.c:464:
140587884632000:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
140587884632000:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_ALGOR
140587884632000:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
140587884632000:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
=================================================================
==19676==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7fdd2a6bb09f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fdd2a2fa430 in CRYPTO_zalloc crypto/mem.c:230
#2 0x7fdd2a15df11 in BN_new crypto/bn/bn_lib.c:246
#3 0x7fdd2a15df88 in BN_secure_new crypto/bn/bn_lib.c:257
#4 0x7fdd2a247390 in ec_key_simple_oct2priv crypto/ec/ec_key.c:655
#5 0x7fdd2a241fc5 in d2i_ECPrivateKey crypto/ec/ec_asn1.c:1030
#6 0x7fdd2a23dac5 in old_ec_priv_decode crypto/ec/ec_ameth.c:463
#7 0x7fdd2a109db7 in d2i_PrivateKey crypto/asn1/d2i_pr.c:46
#8 0x7fdd2a33ab16 in PEM_read_bio_PrivateKey crypto/pem/pem_pkey.c:84
#9 0x7fdd2a3330b6 in PEM_read_bio_ECPrivateKey crypto/pem/pem_all.c:151
#10 0x402dba in FuzzerTestOneInput fuzz/server.c:592
#11 0x40370b in testfile fuzz/test-corpus.c:182
#12 0x402846 in main fuzz/test-corpus.c:226
#13 0x7fdd297b9f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18361)
---
crypto/ec/ec_key.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 23efbd015c..27d5a43b5f 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -657,8 +657,7 @@ int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE);
return 0;
}
- eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key);
- if (eckey->priv_key == NULL) {
+ if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) {
ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB);
return 0;
}
--
2.17.1

61
backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch Normal file
View File

@ -0,0 +1,61 @@
From 6ef91d8153e04a2302bff11b29caf7e888b62fe8 Mon Sep 17 00:00:00 2001
From: basavesh <basavesh.shivakumar@gmail.com>
Date: Tue, 5 Apr 2022 17:49:09 +0200
Subject: [PATCH] Fix leakage when the cacheline is 32-bytes in
CBC_MAC_ROTATE_IN_PLACE
rotated_mac is a 64-byte aligned buffer of size 64 and rotate_offset is secret.
Consider a weaker leakage model(CL) where only cacheline base address is leaked,
i.e address/32 for 32-byte cacheline(CL32).
Previous code used to perform two loads
1. rotated_mac[rotate_offset ^ 32] and
2. rotated_mac[rotate_offset++]
which would leak 2q + 1, 2q for 0 <= rotate_offset < 32
and 2q, 2q + 1 for 32 <= rotate_offset < 64
The proposed fix performs load operations which will always leak 2q, 2q + 1 and
selects the appropriate value in constant-time.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18050)
---
ssl/record/ssl3_record.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index f158544789..69f1a64cb3 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1532,6 +1532,7 @@ int ssl3_cbc_copy_mac(unsigned char *out,
#if defined(CBC_MAC_ROTATE_IN_PLACE)
unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
unsigned char *rotated_mac;
+ char aux1, aux2, aux3, mask;
#else
unsigned char rotated_mac[EVP_MAX_MD_SIZE];
#endif
@@ -1581,9 +1582,16 @@ int ssl3_cbc_copy_mac(unsigned char *out,
#if defined(CBC_MAC_ROTATE_IN_PLACE)
j = 0;
for (i = 0; i < md_size; i++) {
- /* in case cache-line is 32 bytes, touch second line */
- ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
- out[j++] = rotated_mac[rotate_offset++];
+ /*
+ * in case cache-line is 32 bytes,
+ * load from both lines and select appropriately
+ */
+ aux1 = rotated_mac[rotate_offset & ~32];
+ aux2 = rotated_mac[rotate_offset | 32];
+ mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset);
+ aux3 = constant_time_select_8(mask, aux1, aux2);
+ out[j++] = aux3;
+ rotate_offset++;
rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
}
#else
--
2.17.1

41
backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch Normal file
View File

@ -0,0 +1,41 @@
From e4b84b7514e5cbcbfc80e31b4ce609c7584e14bb Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Fri, 20 May 2022 16:54:41 +0200
Subject: [PATCH] Fix undefined behaviour in EC_GROUP_new_from_ecparameters
This happens for instance with
fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a
and causes the OPENSSL_malloc below to choke on the
zero length allocation request.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18363)
---
crypto/ec/ec_asn1.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 4335b3da1a..ad9a54dc50 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -751,6 +751,16 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
/* extract seed (optional) */
if (params->curve->seed != NULL) {
+ /*
+ * This happens for instance with
+ * fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a
+ * and causes the OPENSSL_malloc below to choke on the
+ * zero length allocation request.
+ */
+ if (params->curve->seed->length == 0) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
+ goto err;
+ }
OPENSSL_free(ret->seed);
if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
--
2.17.1

156
backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch Normal file
View File

@ -0,0 +1,156 @@
From 79dbd85fe27ebabc278417af64ab8e3eb43d2d40 Mon Sep 17 00:00:00 2001
From: Todd Short <todd.short@me.com>
Date: Wed, 23 Mar 2022 18:55:10 -0400
Subject: [PATCH] ticket_lifetime_hint may exceed 1 week in TLSv1.3
For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446
Fixes #17948
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17952)
(cherry picked from commit 0089cc7f9d42f6e39872161199fb8b6a99da2492)
---
doc/man3/SSL_CTX_set_timeout.pod | 10 ++++++
ssl/statem/statem_srvr.c | 21 ++++++++----
test/sslapitest.c | 59 ++++++++++++++++++++++++++++++++
3 files changed, 84 insertions(+), 6 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_timeout.pod b/doc/man3/SSL_CTX_set_timeout.pod
index c32585e45f..54592654ff 100644
--- a/doc/man3/SSL_CTX_set_timeout.pod
+++ b/doc/man3/SSL_CTX_set_timeout.pod
@@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>.
All currently supported protocols have the same default timeout value
of 300 seconds.
+This timeout value is used as the ticket lifetime hint for stateless session
+tickets. It is also used as the timeout value within the ticket itself.
+
+For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800
+seconds).
+
+For TLSv1.2, tickets generated during an initial handshake use the value
+as specified. Tickets generated during a resumed handshake have a value
+of 0 for the ticket lifetime hint.
+
=head1 RETURN VALUES
SSL_CTX_set_timeout() returns the previously set timeout value.
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d701c46b43..79cfd1d835 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3820,15 +3820,24 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
unsigned char *tick_nonce)
{
+ uint32_t timeout = (uint32_t)s->session->timeout;
+
/*
- * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
- * unspecified for resumed session (for simplicity).
+ * Ticket lifetime hint:
* In TLSv1.3 we reset the "time" field above, and always specify the
- * timeout.
+ * timeout, limited to a 1 week period per RFC8446.
+ * For TLSv1.2 this is advisory only and we leave this unspecified for
+ * resumed session (for simplicity).
*/
- if (!WPACKET_put_bytes_u32(pkt,
- (s->hit && !SSL_IS_TLS13(s))
- ? 0 : s->session->timeout)) {
+#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
+
+ if (SSL_IS_TLS13(s)) {
+ if (s->session->timeout > ONE_WEEK_SEC)
+ timeout = ONE_WEEK_SEC;
+ } else if (s->hit)
+ timeout = 0;
+
+ if (!WPACKET_put_bytes_u32(pkt, timeout)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
ERR_R_INTERNAL_ERROR);
return 0;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 21322ceec5..09a732f577 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -6734,6 +6734,64 @@ end:
SSL_CTX_free(cctx);
return testresult;
}
+
+/*
+ * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
+ * 0 = TLSv1.2
+ * 1 = TLSv1.3
+ */
+static int test_ticket_lifetime(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ int version = TLS1_3_VERSION;
+
+#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
+#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
+
+ if (idx == 0) {
+ version = TLS1_2_VERSION;
+ }
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(), version, version,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+ &clientssl, NULL, NULL)))
+ goto end;
+
+ /*
+ * Set the timeout to be more than 1 week
+ * make sure the returned value is the default
+ */
+ if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
+ SSL_get_default_timeout(serverssl)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (idx == 0) {
+ /* TLSv1.2 uses the set value */
+ if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
+ goto end;
+ } else {
+ /* TLSv1.3 uses the limited value */
+ if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
+ goto end;
+ }
+ testresult = 1;
+
+end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ return testresult;
+}
#endif
/*
* Test that setting an ALPN does not violate RFC
@@ -6973,6 +7031,7 @@ int setup_tests(void)
#endif
#ifndef OPENSSL_NO_TLS1_3
ADD_TEST(test_sni_tls13);
+ ADD_ALL_TESTS(test_ticket_lifetime, 2);
#endif
ADD_TEST(test_set_alpn);
ADD_TEST(test_inherit_verify_param);
--
2.17.1

39
backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch Normal file
View File

@ -0,0 +1,39 @@
From 91db522f31981b3fafdec4120de1027e8bc4d792 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Mon, 18 Apr 2022 11:30:13 +0200
Subject: [PATCH] x509: use actual issuer name if a CA is used
Fixes openssl#16080.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18129)
---
apps/x509.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index 1043eba0c8..2329d9b2d4 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -590,6 +590,8 @@ int x509_main(int argc, char **argv)
xca = load_cert(CAfile, CAformat, "CA Certificate");
if (xca == NULL)
goto end;
+ if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+ goto end;
}
out = bio_open_default(outfile, 'w', outformat);
@@ -987,8 +989,6 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
goto end;
}
- if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
- goto end;
if (!X509_set_serialNumber(x, bs))
goto end;
--
2.17.1

15
openssl.spec
View File

@ -2,7 +2,7 @@
Name: openssl
Epoch: 1
Version: 1.1.1m
Release: 14
Release: 15
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay
URL: https://www.openssl.org/
@ -53,6 +53,16 @@ Patch42: backport-Fix-coverity-1498607-uninitialised-value.patch
Patch43: backport-Check-password-length-only-when-verify-is-enabled.patch
Patch44: backport-Fix-issue-where-OBJ_nid2obj-doesn-t-always-raise-an-.patch
Patch45: backport-Set-protocol-in-init_client.patch
Patch46: backport-Fix-a-crash-in-ssl_security_cert_chain.patch
Patch47: backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch
Patch48: backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch
Patch49: backport-Fix-a-crash-in-asn1_item_embed_new.patch
Patch50: backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch
Patch51: backport-Add-test-for-empty-supported-groups-extension.patch
Patch52: backport-Do-not-send-an-empty-supported-groups-extension.patch
Patch53: backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch
Patch54: backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch
Patch55: backport-Fix-a-memory-leak-in-crl_set_issuers.patch
BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@ -255,6 +265,9 @@ make test || :
%ldconfig_scriptlets libs
%changelog
* Mon Nov 7 2022 fangxiuning<fangxiuning@huawei.com> - 1:1.1.1m-15
- backport some patches
* Mon Nov 7 2022 fangxiuning<fangxiuning@huawei.com> - 1:1.1.1m-14
- backport some patches