!48 fix CVE-2021-3711 and CVE-2021-3712

From: @hzero1996
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001

CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch

@@ -0,0 +1,37 @@
+From 515ac8b5e544dd713a2b4cabfc54b722d122c218 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 13 Aug 2021 16:58:21 +0100
+Subject: [PATCH] Check the plaintext buffer is large enough when decrypting
+ SM2
+
+Previously there was no check that the supplied buffer was large enough.
+It was just assumed to be sufficient. Instead we should check and fail if
+not.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
+
+Reference: https://github.com/openssl/openssl/commit/515ac8b5e544dd713a2b4cabfc54b722d122c218
+Conflict: NA
+---
+ crypto/sm2/sm2_crypt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c
+index 1188abfc6b..00055a4e51 100644
+--- a/crypto/sm2/sm2_crypt.c
++++ b/crypto/sm2/sm2_crypt.c
+@@ -294,6 +294,10 @@ int sm2_decrypt(const EC_KEY *key,
+     C2 = sm2_ctext->C2->data;
+     C3 = sm2_ctext->C3->data;
+     msg_len = sm2_ctext->C2->length;
++    if (*ptext_len < (size_t)msg_len) {
++        SM2err(SM2_F_SM2_DECRYPT, SM2_R_BUFFER_TOO_SMALL);
++        goto done;
++    }
+ 
+     ctx = BN_CTX_new();
+     if (ctx == NULL) {
+-- 
+2.23.0
+

CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch

@@ -0,0 +1,124 @@
+From 59f5e75f3bced8fc0e130d72a3f582cf7b480b46 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 13 Aug 2021 14:14:51 +0100
+Subject: [PATCH] Correctly calculate the length of SM2 plaintext given the
+ ciphertext
+
+Previously the length of the SM2 plaintext could be incorrectly calculated.
+The plaintext length was calculated by taking the ciphertext length and
+taking off an "overhead" value.
+
+The overhead value was assumed to have a "fixed" element of 10 bytes.
+This is incorrect since in some circumstances it can be more than 10 bytes.
+Additionally the overhead included the length of two integers C1x and C1y,
+which were assumed to be the same length as the field size (32 bytes for
+the SM2 curve). However in some cases these integers can have an additional
+padding byte when the msb is set, to disambiguate them from negative
+integers. Additionally the integers can also be less than 32 bytes in
+length in some cases.
+
+If the calculated overhead is incorrect and larger than the actual value
+this can result in the calculated plaintext length being too small.
+Applications are likely to allocate buffer sizes based on this and therefore
+a buffer overrun can occur.
+
+CVE-2021-3711
+
+Issue reported by John Ouyang.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
+
+Reference: https://github.com/openssl/openssl/commit/59f5e75f3bced8fc0e130d72a3f582cf7b480b46
+Conflict: NA
+---
+ crypto/sm2/sm2_crypt.c   | 23 +++++++----------------
+ crypto/sm2/sm2_pmeth.c   |  2 +-
+ include/crypto/sm2.h     |  3 +--
+ test/sm2_internal_test.c |  2 +-
+ 4 files changed, 10 insertions(+), 20 deletions(-)
+
+diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c
+index ef505f6441..1188abfc6b 100644
+--- a/crypto/sm2/sm2_crypt.c
++++ b/crypto/sm2/sm2_crypt.c
+@@ -61,29 +61,20 @@ static size_t ec_field_size(const EC_GROUP *group)
+     return field_size;
+ }
+ 
+-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
+-                       size_t *pt_size)
++int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size)
+ {
+-    const size_t field_size = ec_field_size(EC_KEY_get0_group(key));
+-    const int md_size = EVP_MD_size(digest);
+-    size_t overhead;
++    struct SM2_Ciphertext_st *sm2_ctext = NULL;
+ 
+-    if (md_size < 0) {
+-        SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_DIGEST);
+-        return 0;
+-    }
+-    if (field_size == 0) {
+-        SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_FIELD);
+-        return 0;
+-    }
++    sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size);
+ 
+-    overhead = 10 + 2 * field_size + (size_t)md_size;
+-    if (msg_len <= overhead) {
++    if (sm2_ctext == NULL) {
+         SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_ENCODING);
+         return 0;
+     }
+ 
+-    *pt_size = msg_len - overhead;
++    *pt_size = sm2_ctext->C2->length;
++    SM2_Ciphertext_free(sm2_ctext);
++
+     return 1;
+ }
+ 
+diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
+index b42a14c32f..27025fbf3a 100644
+--- a/crypto/sm2/sm2_pmeth.c
++++ b/crypto/sm2/sm2_pmeth.c
+@@ -151,7 +151,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx,
+     const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md;
+ 
+     if (out == NULL) {
+-        if (!sm2_plaintext_size(ec, md, inlen, outlen))
++        if (!sm2_plaintext_size(in, inlen, outlen))
+             return -1;
+         else
+             return 1;
+diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h
+index 76ee80baff..50851a83ce 100644
+--- a/include/crypto/sm2.h
++++ b/include/crypto/sm2.h
+@@ -60,8 +60,7 @@ int sm2_verify(const unsigned char *dgst, int dgstlen,
+ int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
+                         size_t *ct_size);
+ 
+-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
+-                       size_t *pt_size);
++int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size);
+ 
+ int sm2_encrypt(const EC_KEY *key,
+                 const EVP_MD *digest,
+diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
+index 2bb73947ff..41827bb82f 100644
+--- a/test/sm2_internal_test.c
++++ b/test/sm2_internal_test.c
+@@ -185,7 +185,7 @@ static int test_sm2_crypt(const EC_GROUP *group,
+     if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len))
+         goto done;
+ 
+-    if (!TEST_true(sm2_plaintext_size(key, digest, ctext_len, &ptext_len))
++    if (!TEST_true(sm2_plaintext_size(ctext, ctext_len, &ptext_len))
+             || !TEST_int_eq(ptext_len, msg_len))
+         goto done;
+ 
+-- 
+2.23.0
+

CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch

@@ -0,0 +1,42 @@
+From 733fa41c3fc4bcac37f94aa917f7242420f8a5a6 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 13 Aug 2021 14:49:47 +0100
+Subject: [PATCH] Extend tests for SM2 decryption
+
+Check the case where C1y < 32 bytes in length (i.e. short overhead), and
+also the case with longer plaintext and C1x and C1y > 32 bytes in length
+(i.e. long overhead)
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
+
+Reference: https://github.com/openssl/openssl/commit/733fa41c3fc4bcac37f94aa917f7242420f8a5a6 
+Conflict: NA
+---
+ test/recipes/30-test_evp_data/evppkey.txt | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt
+index 736e0ce4d3..c3947cb000 100644
+--- a/test/recipes/30-test_evp_data/evppkey.txt
++++ b/test/recipes/30-test_evp_data/evppkey.txt
+@@ -18444,6 +18444,16 @@ Decrypt = SM2_key1
+ Input = 30818A0220466BE2EF5C11782EC77864A0055417F407A5AFC11D653C6BCE69E417BB1D05B6022062B572E21FF0DDF5C726BD3F9FF2EAE56E6294713A607E9B9525628965F62CC804203C1B5713B5DB2728EB7BF775E44F4689FC32668BDC564F52EA45B09E8DF2A5F40422084A9D0CC2997092B7D3C404FCE95956EB604D732B2307A8E5B8900ED6608CA5B197
+ Output = "The floofy bunnies hop at midnight"
+ 
++# Test with an C1y value < 32 bytes in length (self generated)
++Decrypt = SM2_key1
++Input = 3072022070DAD60CDA7C30D64CF4F278A849003581223F5324BFEC9BB329229BFFAD21A6021F18AFAB2B35459D2643243B242BE4EA80C6FA5071D2D847340CC57EB9309E5D04200B772E4DB664B2601E3B85E39C4AA8C2C1910308BE13B331E009C5A9258C29FD040B6D588BE9260A94DA18E0E6
++Output = "Hello World"
++
++# Test with an C1x and C1y valuey > 32 bytes in length, and longer plaintext (self generated)
++Decrypt = SM2_key1
++Input = 3081DD022100CD49634BBCB21CAFFFA6D33669A5A867231CB2A942A14352EF4CAF6DC3344D54022100C35B41D4DEBB3A2735EFEE821B9EBA566BD86900176A0C06672E30EE5CC04E930420C4190A3D80D86C4BD20E99F7E4B59BF6427C6808793533EEA9591D1188EC56B50473747295470E81D951BED279AC1B86A1AFE388CD2833FA9632799EC199C7D364E5663D5A94888BB2358CFCBF6283184DE0CBC41CCEA91D24746E99D231A1DA77AFD83CDF908190ED628B7369724494568A27C782A1D1D7294BCAD80C34569ED22859896301128A8118F48924D8CCD43E998D9533
++Output = "Some longer plaintext for testing SM2 decryption. Blah blah blah blah blah blah blah blah blah blah blah blah blah."
++
+ # This is a "fake" test as it does only verify that the SM2 EVP_PKEY interface
+ # is capable of creating a signature without failing, but it does not say
+ # anything about the generated signature being valid, nor does it test the
+-- 
+2.23.0
+

CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch

@@ -0,0 +1,63 @@
+From d9d838ddc0ed083fb4c26dd067e71aad7c65ad16 Mon Sep 17 00:00:00 2001
+From: Ingo Schwarze <schwarze@openbsd.org>
+Date: Sun, 18 Jul 2021 17:48:06 +0200
+Subject: [PATCH] Fix a read buffer overrun in X509_aux_print().
+
+The ASN1_STRING_get0_data(3) manual explitely cautions the reader
+that the data is not necessarily NUL-terminated, and the function
+X509_alias_set1(3) does not sanitize the data passed into it in any
+way either, so we must assume the return value from X509_alias_get0(3)
+is merely a byte array and not necessarily a string in the sense
+of the C language.
+
+I found this bug while writing manual pages for X509_print_ex(3)
+and related functions.  Theo Buehler <tb@openbsd.org> checked my
+patch to fix the same bug in LibreSSL, see
+
+http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9
+
+As an aside, note that the function still produces incomplete and
+misleading results when the data contains a NUL byte in the middle
+and that error handling is consistently absent throughout, even
+though the function provides an "int" return value obviously intended
+to be 1 for success and 0 for failure, and even though this function
+is called by another function that also wants to return 1 for success
+and 0 for failure and even does so in many of its code paths, though
+not in others.  But let's stay focussed.  Many things would be nice
+to have in the wide wild world, but a buffer overflow must not be
+allowed to remain in our backyard.
+
+CLA: trivial
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/16108)
+
+(cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67)
+
+Reference: https://github.com/openssl/openssl/commit/d9d838ddc0ed083fb4c26dd067e71aad7c65ad16
+Conflict: NA
+---
+ crypto/x509/t_x509.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
+index 12d807f705..3ba0b3a045 100644
+--- a/crypto/x509/t_x509.c
++++ b/crypto/x509/t_x509.c
+@@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, int indent)
+         BIO_puts(out, "\n");
+     } else
+         BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+-    alias = X509_alias_get0(x, NULL);
++    alias = X509_alias_get0(x, &i);
+     if (alias)
+-        BIO_printf(out, "%*sAlias: %s\n", indent, "", alias);
++        BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias);
+     keyid = X509_keyid_get0(x, &keyidlen);
+     if (keyid) {
+         BIO_printf(out, "%*sKey Id: ", indent, "");
+-- 
+2.23.0
+

CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch

@@ -0,0 +1,38 @@
+From 94d23fcff9b2a7a8368dfe52214d5c2569882c11 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 19 Aug 2021 12:24:17 +0100
+Subject: [PATCH] Fix EC_GROUP_new_from_ecparameters to check the base length
+
+Check that there's at least one byte in params->base before trying to
+read it.
+
+CVE-2021-3712
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+
+Reference: https://github.com/openssl/openssl/commit/94d23fcff9b2a7a8368dfe52214d5c2569882c11
+Conflict: NA
+---
+ crypto/ec/ec_asn1.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
+index 7b7c75ce84..e497a25909 100644
+--- a/crypto/ec/ec_asn1.c
++++ b/crypto/ec/ec_asn1.c
+@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
+         ret->seed_len = params->curve->seed->length;
+     }
+ 
+-    if (!params->order || !params->base || !params->base->data) {
++    if (params->order == NULL
++            || params->base == NULL
++            || params->base->data == NULL
++            || params->base->length == 0) {
+         ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
+         goto err;
+     }
+-- 
+2.23.0
+

openssl.spec

@@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     1.1.1f
-Release:     6
+Release:     7
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://www.openssl.org/
@@ -20,6 +20,11 @@ Patch9:      CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invali
 Patch10:     CVE-2021-23840.patch
 Patch11:     CVE-2021-23841.patch
 Patch12:     CVE-2021-3449.patch
+Patch13:     CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch
+Patch14:     CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch
+Patch15:     CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch
+Patch16:     CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch
+Patch17:     CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch
 
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
 
@@ -196,6 +201,9 @@ make test || :
 %{_pkgdocdir}/html/
 
 %changelog
+* Mon Aug 30 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-7
+- fix the CVE-2021-3711 and CVE-2021-3712
+
 * Tue Jun 29 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-6
 - add perl BuildRequires