update 1.1.1f to 1.1.1m

duyiwei 2022-03-24 09:24:22 +08:00
parent e08ed1a210
commit c8f921a28f
32 changed files with 622 additions and 2726 deletions


@ -1,48 +0,0 @@
From a87f3fe01a5a894aa27ccd6a239155fd129988e4 Mon Sep 17 00:00:00 2001
From: Benjamin Kaduk <kaduk@mit.edu>
Date: Fri Apr 10 12:27:28 2020 -0700
Subject: Fix NULL dereference in SSL_check_chain() for TLS 1.3
In the tls1_check_sig_alg() helper function, we loop through the list of
"signature_algorithms_cert" values received from the client and attempt
to look up each one in turn in our internal table that maps wire
codepoint to string-form name, digest and/or signature NID, etc., in
order to compare the signature scheme from the peer's list against what
is used to sign the certificates in the certificate chain we're
checking. Unfortunately, when the peer sends a value that we don't
support, the lookup returns NULL, but we unconditionally dereference the
lookup result for the comparison, leading to an application crash
triggerable by an unauthenticated client.
Since we will not be able to say anything about algorithms we don't
recognize, treat NULL return from lookup as "does not match".
We currently only apply the "signature_algorithm_cert" checks on TLS 1.3
connections, so previous TLS versions are unaffected. SSL_check_chain()
is not called directly from libssl, but may be used by the application
inside a callback (e.g., client_hello or cert callback) to verify that a
candidate certificate chain will be acceptable to the client.
CVE-2020-1967
Reviewed-by: Matt Caswell <matt@openssl.org>
---
openssl-1.1.1f/ssl/t1_lib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 0ff0d37..5a4389c 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2132,7 +2132,7 @@ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
sigalg = use_pc_sigalgs
? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
: s->shared_sigalgs[i];
- if (sig_nid == sigalg->sigandhash)
+ if (sigalg != NULL && sig_nid == sigalg->sigandhash)
return 1;
}
return 0;
--
1.8.3.1


@ -1,41 +0,0 @@
From aa0ad2011d3e7ad8a611da274ef7d9c7706e289b Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 11 Nov 2020 15:19:34 +0000
Subject: [PATCH 01/31] DirectoryString is a CHOICE type and therefore uses
explicit tagging
EDIPartyName has 2 fields that use a DirectoryString. However they were
marked as implicit tagging - which is not correct for a CHOICE type.
Additionally the partyName field was marked as Optional when, according to
RFC5280 it is not.
Many thanks to github user @filipnavara for reporting this issue. Also to
David Benjamin from Google who independently identified and reported it.
Fixes #6859
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
---
crypto/x509v3/v3_genn.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index 23e3bc4..b483f35 100644
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -22,8 +22,9 @@ ASN1_SEQUENCE(OTHERNAME) = {
IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
ASN1_SEQUENCE(EDIPARTYNAME) = {
- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
+ /* DirectoryString is a CHOICE type so use explicit tagging */
+ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
+ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
} ASN1_SEQUENCE_END(EDIPARTYNAME)
IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
--
1.8.3.1


@ -1,101 +0,0 @@
From f960d81215ebf3f65e03d4d5d857fb9b666d6920 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 11 Nov 2020 16:12:58 +0000
Subject: [PATCH 02/31] Correctly compare EdiPartyName in GENERAL_NAME_cmp()
If a GENERAL_NAME field contained EdiPartyName data then it was
incorrectly being handled as type "other". This could lead to a
segmentation fault.
Many thanks to David Benjamin from Google for reporting this issue.
CVE-2020-1971
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
---
crypto/x509v3/v3_genn.c | 45 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 42 insertions(+), 3 deletions(-)
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index b483f35..6f0a347 100644
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -58,6 +58,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
(char *)a);
}
+static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
+{
+ int res;
+
+ if (a == NULL || b == NULL) {
+ /*
+ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it
+ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here
+ */
+ return -1;
+ }
+ if (a->nameAssigner == NULL && b->nameAssigner != NULL)
+ return -1;
+ if (a->nameAssigner != NULL && b->nameAssigner == NULL)
+ return 1;
+ /* If we get here then both have nameAssigner set, or both unset */
+ if (a->nameAssigner != NULL) {
+ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
+ if (res != 0)
+ return res;
+ }
+ /*
+ * partyName is required, so these should never be NULL. We treat it in
+ * the same way as the a == NULL || b == NULL case above
+ */
+ if (a->partyName == NULL || b->partyName == NULL)
+ return -1;
+
+ return ASN1_STRING_cmp(a->partyName, b->partyName);
+}
+
/* Returns 0 if they are equal, != 0 otherwise. */
int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
{
@@ -67,8 +98,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
return -1;
switch (a->type) {
case GEN_X400:
+ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ break;
+
case GEN_EDIPARTY:
- result = ASN1_TYPE_cmp(a->d.other, b->d.other);
+ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
break;
case GEN_OTHERNAME:
@@ -115,8 +149,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
{
switch (type) {
case GEN_X400:
+ a->d.x400Address = value;
+ break;
+
case GEN_EDIPARTY:
- a->d.other = value;
+ a->d.ediPartyName = value;
break;
case GEN_OTHERNAME:
@@ -150,8 +187,10 @@ void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype)
*ptype = a->type;
switch (a->type) {
case GEN_X400:
+ return a->d.x400Address;
+
case GEN_EDIPARTY:
- return a->d.other;
+ return a->d.ediPartyName;
case GEN_OTHERNAME:
return a->d.otherName;
--
1.8.3.1


@ -1,103 +0,0 @@
From 1ecc76f6746cefd502c7e9000bdfa4e5d7911386 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 12 Nov 2020 11:58:12 +0000
Subject: [PATCH 03/31] Check that multi-strings/CHOICE types don't use
implicit tagging
It never makes sense for multi-string or CHOICE types to use implicit
tagging since the content would be ambiguous. It is an error in the
template if this ever happens. If we detect it we should stop parsing.
Thanks to David Benjamin from Google for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
---
crypto/asn1/asn1_err.c | 1 +
crypto/asn1/tasn_dec.c | 19 +++++++++++++++++++
crypto/err/openssl.txt | 1 +
include/openssl/asn1err.h | 1 +
4 files changed, 22 insertions(+)
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 613f9ae..99a087d 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -160,6 +160,7 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = {
"asn1 sig parse error"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_AUX_ERROR), "aux error"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_OBJECT_HEADER), "bad object header"},
+ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TEMPLATE), "bad template"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BMPSTRING_IS_WRONG_LENGTH),
"bmpstring is wrong length"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BN_LIB), "bn lib"},
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 2332b20..1021705 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -182,6 +182,15 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
tag, aclass, opt, ctx);
case ASN1_ITYPE_MSTRING:
+ /*
+ * It never makes sense for multi-strings to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
+ goto err;
+ }
+
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
@@ -199,6 +208,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
goto err;
}
+
/* Check tag matches bit map */
if (!(ASN1_tag2bit(otag) & it->utype)) {
/* If OPTIONAL, assume this is OK */
@@ -215,6 +225,15 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
case ASN1_ITYPE_CHOICE:
+ /*
+ * It never makes sense for CHOICE types to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
+ goto err;
+ }
+
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
if (*pval) {
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 0b5873e..2f93221 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1771,6 +1771,7 @@ ASN1_R_ASN1_PARSE_ERROR:203:asn1 parse error
ASN1_R_ASN1_SIG_PARSE_ERROR:204:asn1 sig parse error
ASN1_R_AUX_ERROR:100:aux error
ASN1_R_BAD_OBJECT_HEADER:102:bad object header
+ASN1_R_BAD_TEMPLATE:230:bad template
ASN1_R_BMPSTRING_IS_WRONG_LENGTH:214:bmpstring is wrong length
ASN1_R_BN_LIB:105:bn lib
ASN1_R_BOOLEAN_IS_WRONG_LENGTH:106:boolean is wrong length
diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h
index faed5a5..9070e26 100644
--- a/include/openssl/asn1err.h
+++ b/include/openssl/asn1err.h
@@ -145,6 +145,7 @@ int ERR_load_ASN1_strings(void);
# define ASN1_R_ASN1_SIG_PARSE_ERROR 204
# define ASN1_R_AUX_ERROR 100
# define ASN1_R_BAD_OBJECT_HEADER 102
+# define ASN1_R_BAD_TEMPLATE 230
# define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214
# define ASN1_R_BN_LIB 105
# define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
--
1.8.3.1


@ -1,116 +0,0 @@
From 41d62636fd996c031c0c7cef746476278583dc9e Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 12 Nov 2020 14:55:31 +0000
Subject: [PATCH 04/31] Complain if we are attempting to encode with an invalid
ASN.1 template
It never makes sense for multi-string or CHOICE types to have implicit
tagging. If we have a template that uses the in this way then we
should immediately fail.
Thanks to David Benjamin from Google for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
---
crypto/asn1/asn1_err.c | 3 ++-
crypto/asn1/tasn_enc.c | 16 ++++++++++++++++
crypto/err/openssl.txt | 1 +
include/openssl/asn1err.h | 7 +++----
4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 99a087d..cc0a59c 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -49,6 +49,7 @@ static const ERR_STRING_DATA ASN1_str_functs[] = {
"asn1_item_embed_d2i"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EMBED_NEW, 0),
"asn1_item_embed_new"},
+ {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EX_I2D, 0), "ASN1_item_ex_i2d"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_FLAGS_I2D, 0),
"asn1_item_flags_i2d"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_I2D_BIO, 0), "ASN1_item_i2d_bio"},
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index d600c7a..52a051d 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -103,9 +103,25 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
return asn1_i2d_ex_primitive(pval, out, it, tag, aclass);
case ASN1_ITYPE_MSTRING:
+ /*
+ * It never makes sense for multi-strings to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
+ return -1;
+ }
return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);
case ASN1_ITYPE_CHOICE:
+ /*
+ * It never makes sense for CHOICE types to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
+ return -1;
+ }
if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL))
return 0;
i = asn1_get_choice_selector(pval, it);
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 2f93221..815460b 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -36,6 +36,7 @@ ASN1_F_ASN1_ITEM_D2I_FP:206:ASN1_item_d2i_fp
ASN1_F_ASN1_ITEM_DUP:191:ASN1_item_dup
ASN1_F_ASN1_ITEM_EMBED_D2I:120:asn1_item_embed_d2i
ASN1_F_ASN1_ITEM_EMBED_NEW:121:asn1_item_embed_new
+ASN1_F_ASN1_ITEM_EX_I2D:144:ASN1_item_ex_i2d
ASN1_F_ASN1_ITEM_FLAGS_I2D:118:asn1_item_flags_i2d
ASN1_F_ASN1_ITEM_I2D_BIO:192:ASN1_item_i2d_bio
ASN1_F_ASN1_ITEM_I2D_FP:193:ASN1_item_i2d_fp
diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h
index 9070e26..e1ad1fe 100644
--- a/include/openssl/asn1err.h
+++ b/include/openssl/asn1err.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,9 +11,7 @@
#ifndef HEADER_ASN1ERR_H
# define HEADER_ASN1ERR_H
-# ifndef HEADER_SYMHACKS_H
-# include <openssl/symhacks.h>
-# endif
+# include <openssl/symhacks.h>
# ifdef __cplusplus
extern "C"
@@ -53,6 +51,7 @@ int ERR_load_ASN1_strings(void);
# define ASN1_F_ASN1_ITEM_DUP 191
# define ASN1_F_ASN1_ITEM_EMBED_D2I 120
# define ASN1_F_ASN1_ITEM_EMBED_NEW 121
+# define ASN1_F_ASN1_ITEM_EX_I2D 144
# define ASN1_F_ASN1_ITEM_FLAGS_I2D 118
# define ASN1_F_ASN1_ITEM_I2D_BIO 192
# define ASN1_F_ASN1_ITEM_I2D_FP 193
--
1.8.3.1


@ -1,372 +0,0 @@
From 94ece6af0c89d596f9c5221b7df7d6582168c8ba Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 30 Nov 2020 13:50:52 +0000
Subject: [PATCH 05/31] Add a test for GENERAL_NAME_cmp
Based on a boringssl test contributed by David Benjamin
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
---
test/v3nametest.c | 344 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 344 insertions(+)
diff --git a/test/v3nametest.c b/test/v3nametest.c
index 86f3829..4c8af92 100644
--- a/test/v3nametest.c
+++ b/test/v3nametest.c
@@ -359,8 +359,352 @@ static int call_run_cert(int i)
return failed == 0;
}
+struct gennamedata {
+ const unsigned char der[22];
+ size_t derlen;
+} gennames[] = {
+ {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * SEQUENCE {}
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x30, 0x00
+ },
+ 21
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * [APPLICATION 0] {}
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x60, 0x00
+ },
+ 21
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x61
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.2 }
+ * [0] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x02, 0xa0, 0x03, 0x0c, 0x01, 0x61
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * UTF8String { "b" }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x62
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * BOOLEAN { TRUE }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0xff
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * BOOLEAN { FALSE }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0x00
+ },
+ 22
+ }, {
+ /* [1 PRIMITIVE] { "a" } */
+ {
+ 0x81, 0x01, 0x61
+ },
+ 3
+ }, {
+ /* [1 PRIMITIVE] { "b" } */
+ {
+ 0x81, 0x01, 0x62
+ },
+ 3
+ }, {
+ /* [2 PRIMITIVE] { "a" } */
+ {
+ 0x82, 0x01, 0x61
+ },
+ 3
+ }, {
+ /* [2 PRIMITIVE] { "b" } */
+ {
+ 0x82, 0x01, 0x62
+ },
+ 3
+ }, {
+ /*
+ * [4] {
+ * SEQUENCE {
+ * SET {
+ * SEQUENCE {
+ * # commonName
+ * OBJECT_IDENTIFIER { 2.5.4.3 }
+ * UTF8String { "a" }
+ * }
+ * }
+ * }
+ * }
+ */
+ {
+ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x01, 0x61
+ },
+ 16
+ }, {
+ /*
+ * [4] {
+ * SEQUENCE {
+ * SET {
+ * SEQUENCE {
+ * # commonName
+ * OBJECT_IDENTIFIER { 2.5.4.3 }
+ * UTF8String { "b" }
+ * }
+ * }
+ * }
+ * }
+ */
+ {
+ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x01, 0x62
+ },
+ 16
+ }, {
+ /*
+ * [5] {
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x61
+ },
+ 7
+ }, {
+ /*
+ * [5] {
+ * [1] {
+ * UTF8String { "b" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x62
+ },
+ 7
+ }, {
+ /*
+ * [5] {
+ * [0] {
+ * UTF8String {}
+ * }
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x09, 0xa0, 0x02, 0x0c, 0x00, 0xa1, 0x03, 0x0c, 0x01, 0x61
+ },
+ 11
+ }, {
+ /*
+ * [5] {
+ * [0] {
+ * UTF8String { "a" }
+ * }
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x61, 0xa1, 0x03, 0x0c, 0x01,
+ 0x61
+ },
+ 12
+ }, {
+ /*
+ * [5] {
+ * [0] {
+ * UTF8String { "b" }
+ * }
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x62, 0xa1, 0x03, 0x0c, 0x01,
+ 0x61
+ },
+ 12
+ }, {
+ /* [6 PRIMITIVE] { "a" } */
+ {
+ 0x86, 0x01, 0x61
+ },
+ 3
+ }, {
+ /* [6 PRIMITIVE] { "b" } */
+ {
+ 0x86, 0x01, 0x62
+ },
+ 3
+ }, {
+ /* [7 PRIMITIVE] { `11111111` } */
+ {
+ 0x87, 0x04, 0x11, 0x11, 0x11, 0x11
+ },
+ 6
+ }, {
+ /* [7 PRIMITIVE] { `22222222`} */
+ {
+ 0x87, 0x04, 0x22, 0x22, 0x22, 0x22
+ },
+ 6
+ }, {
+ /* [7 PRIMITIVE] { `11111111111111111111111111111111` } */
+ {
+ 0x87, 0x10, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11
+ },
+ 18
+ }, {
+ /* [7 PRIMITIVE] { `22222222222222222222222222222222` } */
+ {
+ 0x87, 0x10, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22
+ },
+ 18
+ }, {
+ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.1 } */
+ {
+ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84,
+ 0xb7, 0x09, 0x02, 0x01
+ },
+ 15
+ }, {
+ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.2 } */
+ {
+ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84,
+ 0xb7, 0x09, 0x02, 0x02
+ },
+ 15
+ }
+};
+
+static int test_GENERAL_NAME_cmp(void)
+{
+ size_t i, j;
+ GENERAL_NAME **namesa = OPENSSL_malloc(sizeof(*namesa)
+ * OSSL_NELEM(gennames));
+ GENERAL_NAME **namesb = OPENSSL_malloc(sizeof(*namesb)
+ * OSSL_NELEM(gennames));
+ int testresult = 0;
+
+ if (!TEST_ptr(namesa) || !TEST_ptr(namesb))
+ goto end;
+
+ for (i = 0; i < OSSL_NELEM(gennames); i++) {
+ const unsigned char *derp = gennames[i].der;
+
+ /*
+ * We create two versions of each GENERAL_NAME so that we ensure when
+ * we compare them they are always different pointers.
+ */
+ namesa[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen);
+ derp = gennames[i].der;
+ namesb[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen);
+ if (!TEST_ptr(namesa[i]) || !TEST_ptr(namesb[i]))
+ goto end;
+ }
+
+ /* Every name should be equal to itself and not equal to any others. */
+ for (i = 0; i < OSSL_NELEM(gennames); i++) {
+ for (j = 0; j < OSSL_NELEM(gennames); j++) {
+ if (i == j) {
+ if (!TEST_int_eq(GENERAL_NAME_cmp(namesa[i], namesb[j]), 0))
+ goto end;
+ } else {
+ if (!TEST_int_ne(GENERAL_NAME_cmp(namesa[i], namesb[j]), 0))
+ goto end;
+ }
+ }
+ }
+ testresult = 1;
+
+ end:
+ for (i = 0; i < OSSL_NELEM(gennames); i++) {
+ if (namesa != NULL)
+ GENERAL_NAME_free(namesa[i]);
+ if (namesb != NULL)
+ GENERAL_NAME_free(namesb[i]);
+ }
+ OPENSSL_free(namesa);
+ OPENSSL_free(namesb);
+
+ return testresult;
+}
+
int setup_tests(void)
{
ADD_ALL_TESTS(call_run_cert, OSSL_NELEM(name_fns));
+ ADD_TEST(test_GENERAL_NAME_cmp);
return 1;
}
--
1.8.3.1


@ -1,121 +0,0 @@
From 433974af7b188d55b1da049b84f3fdeca320cb6a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 30 Nov 2020 14:46:47 +0000
Subject: [PATCH 06/31] Add a test for encoding/decoding using an invalid ASN.1
Template
If you have a CHOICE type that it must use explicit tagging - otherwise
the template is invalid. We add tests for this.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
---
test/asn1_decode_test.c | 36 ++++++++++++++++++++++++++++++++++++
test/asn1_encode_test.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+)
diff --git a/test/asn1_decode_test.c b/test/asn1_decode_test.c
index 369023d..94a22c6 100644
--- a/test/asn1_decode_test.c
+++ b/test/asn1_decode_test.c
@@ -160,6 +160,41 @@ static int test_uint64(void)
return 1;
}
+typedef struct {
+ ASN1_STRING *invalidDirString;
+} INVALIDTEMPLATE;
+
+ASN1_SEQUENCE(INVALIDTEMPLATE) = {
+ /*
+ * DirectoryString is a CHOICE type so it must use explicit tagging -
+ * but we deliberately use implicit here, which makes this template invalid.
+ */
+ ASN1_IMP(INVALIDTEMPLATE, invalidDirString, DIRECTORYSTRING, 12)
+} static_ASN1_SEQUENCE_END(INVALIDTEMPLATE)
+
+IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(INVALIDTEMPLATE)
+IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(INVALIDTEMPLATE)
+
+/* Empty sequence for invalid template test */
+static unsigned char t_invalid_template[] = {
+ 0x30, 0x03, /* SEQUENCE tag + length */
+ 0x0c, 0x01, 0x41 /* UTF8String, length 1, "A" */
+};
+
+static int test_invalid_template(void)
+{
+ const unsigned char *p = t_invalid_template;
+ INVALIDTEMPLATE *tmp = d2i_INVALIDTEMPLATE(NULL, &p,
+ sizeof(t_invalid_template));
+
+ /* We expect a NULL pointer return */
+ if (TEST_ptr_null(tmp))
+ return 1;
+
+ INVALIDTEMPLATE_free(tmp);
+ return 0;
+}
+
int setup_tests(void)
{
#if OPENSSL_API_COMPAT < 0x10200000L
@@ -169,5 +204,6 @@ int setup_tests(void)
ADD_TEST(test_uint32);
ADD_TEST(test_int64);
ADD_TEST(test_uint64);
+ ADD_TEST(test_invalid_template);
return 1;
}
diff --git a/test/asn1_encode_test.c b/test/asn1_encode_test.c
index ed920a4..afbd18b 100644
--- a/test/asn1_encode_test.c
+++ b/test/asn1_encode_test.c
@@ -856,6 +856,38 @@ static int test_uint64(void)
return test_intern(&uint64_test_package);
}
+typedef struct {
+ ASN1_STRING *invalidDirString;
+} INVALIDTEMPLATE;
+
+ASN1_SEQUENCE(INVALIDTEMPLATE) = {
+ /*
+ * DirectoryString is a CHOICE type so it must use explicit tagging -
+ * but we deliberately use implicit here, which makes this template invalid.
+ */
+ ASN1_IMP(INVALIDTEMPLATE, invalidDirString, DIRECTORYSTRING, 12)
+} static_ASN1_SEQUENCE_END(INVALIDTEMPLATE)
+
+IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(INVALIDTEMPLATE)
+IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(INVALIDTEMPLATE)
+
+static int test_invalid_template(void)
+{
+ INVALIDTEMPLATE *temp = INVALIDTEMPLATE_new();
+ int ret;
+
+ if (!TEST_ptr(temp))
+ return 0;
+
+ ret = i2d_INVALIDTEMPLATE(temp, NULL);
+
+ INVALIDTEMPLATE_free(temp);
+
+ /* We expect the i2d operation to fail */
+ return ret < 0;
+}
+
+
int setup_tests(void)
{
#if OPENSSL_API_COMPAT < 0x10200000L
@@ -866,5 +898,6 @@ int setup_tests(void)
ADD_TEST(test_uint32);
ADD_TEST(test_int64);
ADD_TEST(test_uint64);
+ ADD_TEST(test_invalid_template);
return 1;
}
--
1.8.3.1


@ -1,140 +0,0 @@
From 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 2 Feb 2021 17:17:23 +0000
Subject: [PATCH] Don't overflow the output length in EVP_CipherUpdate calls
CVE-2021-23840
Reviewed-by: Paul Dale <pauli@openssl.org>
---
crypto/err/openssl.txt | 3 ++-
crypto/evp/evp_enc.c | 27 +++++++++++++++++++++++++++
crypto/evp/evp_err.c | 4 +++-
include/openssl/evperr.h | 7 +++----
4 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 815460b..7e17763 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -2283,6 +2283,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
operation not supported for this keytype
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
+EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
EVP_R_PBKDF2_ERROR:181:pbkdf2 error
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index b9b6490..0843caf 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -8,6 +8,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include <assert.h>
#include "internal/cryptlib.h"
#include <openssl/evp.h>
@@ -355,6 +356,19 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
return 1;
} else {
j = bl - i;
+
+ /*
+ * Once we've processed the first j bytes from in, the amount of
+ * data left that is a multiple of the block length is:
+ * (inl - j) & ~(bl - 1)
+ * We must ensure that this amount of data, plus the one block that
+ * we process from ctx->buf does not exceed INT_MAX
+ */
+ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
+ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE,
+ EVP_R_OUTPUT_WOULD_OVERFLOW);
+ return 0;
+ }
memcpy(&(ctx->buf[i]), in, j);
inl -= j;
in += j;
@@ -502,6 +516,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
return 0;
}
+ /*
+ * final_used is only ever set if buf_len is 0. Therefore the maximum
+ * length output we will ever see from evp_EncryptDecryptUpdate is
+ * the maximum multiple of the block length that is <= inl, or just:
+ * inl & ~(b - 1)
+ * Since final_used has been set then the final output length is:
+ * (inl & ~(b - 1)) + b
+ * This must never exceed INT_MAX
+ */
+ if ((inl & ~(b - 1)) > INT_MAX - b) {
+ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
+ return 0;
+ }
memcpy(out, ctx->final, b);
out += b;
fix_len = 1;
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 05481d8..32ac012 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -239,6 +239,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
"operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
"operaton not initialized"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
+ "output would overflow"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
"partially overlapping buffers"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index d2b26ea..b4ea90a 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,9 +11,7 @@
#ifndef HEADER_EVPERR_H
# define HEADER_EVPERR_H
-# ifndef HEADER_SYMHACKS_H
-# include <openssl/symhacks.h>
-# endif
+# include <openssl/symhacks.h>
# ifdef __cplusplus
extern "C"
@@ -179,6 +177,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_ONLY_ONESHOT_SUPPORTED 177
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
# define EVP_R_OPERATON_NOT_INITIALIZED 151
+# define EVP_R_OUTPUT_WOULD_OVERFLOW 184
# define EVP_R_PARTIALLY_OVERLAPPING 162
# define EVP_R_PBKDF2_ERROR 181
# define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
--
1.8.3.1


@ -1,43 +0,0 @@
From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 10 Feb 2021 16:10:36 +0000
Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash()
The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.
The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.
CVE-2021-23841
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0)
---
crypto/x509/x509_cmp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index c9d8933..a964bbf 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -39,6 +39,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
if (ctx == NULL)
goto err;
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
+ if (f == NULL)
+ goto err;
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
goto err;
if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
--
1.8.3.1


@ -1,47 +0,0 @@
From fb9fa6b51defd48157eeb207f52181f735d96148 Mon Sep 17 00:00:00 2001
From: Peter Kaestle <peter.kaestle@nokia.com>
Date: Mon, 15 Mar 2021 13:19:56 +0100
Subject: [PATCH] ssl sigalg extension: fix NULL pointer dereference
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
possible to crash an openssl tls secured server remotely by sending a
manipulated hello message in a rehandshake.
On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
handshake, while the peer_sigalgs has been freed.
As a result tls12_shared_sigalgs() walks over the available
peer_sigalgs and tries to access data of a NULL pointer.
This issue was introduced by c589c34e61 (Add support for the TLS 1.3
signature_algorithms_cert extension, 2018-01-11).
Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
CVE-2021-3449
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
ssl/statem/extensions.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index b055935d697b..4aed508d0f03 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1139,6 +1139,7 @@ static int init_sig_algs(SSL *s, unsigned int context)
/* Clear any signature algorithms extension received */
OPENSSL_free(s->s3->tmp.peer_sigalgs);
s->s3->tmp.peer_sigalgs = NULL;
+ s->s3->tmp.peer_sigalgslen = 0;
return 1;
}


@ -1,37 +0,0 @@
From 515ac8b5e544dd713a2b4cabfc54b722d122c218 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 13 Aug 2021 16:58:21 +0100
Subject: [PATCH] Check the plaintext buffer is large enough when decrypting
SM2
Previously there was no check that the supplied buffer was large enough.
It was just assumed to be sufficient. Instead we should check and fail if
not.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reference: https://github.com/openssl/openssl/commit/515ac8b5e544dd713a2b4cabfc54b722d122c218
Conflict: NA
---
crypto/sm2/sm2_crypt.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c
index 1188abfc6b..00055a4e51 100644
--- a/crypto/sm2/sm2_crypt.c
+++ b/crypto/sm2/sm2_crypt.c
@@ -294,6 +294,10 @@ int sm2_decrypt(const EC_KEY *key,
C2 = sm2_ctext->C2->data;
C3 = sm2_ctext->C3->data;
msg_len = sm2_ctext->C2->length;
+ if (*ptext_len < (size_t)msg_len) {
+ SM2err(SM2_F_SM2_DECRYPT, SM2_R_BUFFER_TOO_SMALL);
+ goto done;
+ }
ctx = BN_CTX_new();
if (ctx == NULL) {
--
2.23.0


@ -1,124 +0,0 @@
From 59f5e75f3bced8fc0e130d72a3f582cf7b480b46 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 13 Aug 2021 14:14:51 +0100
Subject: [PATCH] Correctly calculate the length of SM2 plaintext given the
ciphertext
Previously the length of the SM2 plaintext could be incorrectly calculated.
The plaintext length was calculated by taking the ciphertext length and
taking off an "overhead" value.
The overhead value was assumed to have a "fixed" element of 10 bytes.
This is incorrect since in some circumstances it can be more than 10 bytes.
Additionally the overhead included the length of two integers C1x and C1y,
which were assumed to be the same length as the field size (32 bytes for
the SM2 curve). However in some cases these integers can have an additional
padding byte when the msb is set, to disambiguate them from negative
integers. Additionally the integers can also be less than 32 bytes in
length in some cases.
If the calculated overhead is incorrect and larger than the actual value
this can result in the calculated plaintext length being too small.
Applications are likely to allocate buffer sizes based on this and therefore
a buffer overrun can occur.
CVE-2021-3711
Issue reported by John Ouyang.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reference: https://github.com/openssl/openssl/commit/59f5e75f3bced8fc0e130d72a3f582cf7b480b46
Conflict: NA
---
crypto/sm2/sm2_crypt.c | 23 +++++++----------------
crypto/sm2/sm2_pmeth.c | 2 +-
include/crypto/sm2.h | 3 +--
test/sm2_internal_test.c | 2 +-
4 files changed, 10 insertions(+), 20 deletions(-)
diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c
index ef505f6441..1188abfc6b 100644
--- a/crypto/sm2/sm2_crypt.c
+++ b/crypto/sm2/sm2_crypt.c
@@ -61,29 +61,20 @@ static size_t ec_field_size(const EC_GROUP *group)
return field_size;
}
-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
- size_t *pt_size)
+int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size)
{
- const size_t field_size = ec_field_size(EC_KEY_get0_group(key));
- const int md_size = EVP_MD_size(digest);
- size_t overhead;
+ struct SM2_Ciphertext_st *sm2_ctext = NULL;
- if (md_size < 0) {
- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_DIGEST);
- return 0;
- }
- if (field_size == 0) {
- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_FIELD);
- return 0;
- }
+ sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size);
- overhead = 10 + 2 * field_size + (size_t)md_size;
- if (msg_len <= overhead) {
+ if (sm2_ctext == NULL) {
SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_ENCODING);
return 0;
}
- *pt_size = msg_len - overhead;
+ *pt_size = sm2_ctext->C2->length;
+ SM2_Ciphertext_free(sm2_ctext);
+
return 1;
}
diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
index b42a14c32f..27025fbf3a 100644
--- a/crypto/sm2/sm2_pmeth.c
+++ b/crypto/sm2/sm2_pmeth.c
@@ -151,7 +151,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx,
const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md;
if (out == NULL) {
- if (!sm2_plaintext_size(ec, md, inlen, outlen))
+ if (!sm2_plaintext_size(in, inlen, outlen))
return -1;
else
return 1;
diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h
index 76ee80baff..50851a83ce 100644
--- a/include/crypto/sm2.h
+++ b/include/crypto/sm2.h
@@ -60,8 +60,7 @@ int sm2_verify(const unsigned char *dgst, int dgstlen,
int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
size_t *ct_size);
-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
- size_t *pt_size);
+int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size);
int sm2_encrypt(const EC_KEY *key,
const EVP_MD *digest,
diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
index 2bb73947ff..41827bb82f 100644
--- a/test/sm2_internal_test.c
+++ b/test/sm2_internal_test.c
@@ -185,7 +185,7 @@ static int test_sm2_crypt(const EC_GROUP *group,
if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len))
goto done;
- if (!TEST_true(sm2_plaintext_size(key, digest, ctext_len, &ptext_len))
+ if (!TEST_true(sm2_plaintext_size(ctext, ctext_len, &ptext_len))
|| !TEST_int_eq(ptext_len, msg_len))
goto done;
--
2.23.0


@ -1,42 +0,0 @@
From 733fa41c3fc4bcac37f94aa917f7242420f8a5a6 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 13 Aug 2021 14:49:47 +0100
Subject: [PATCH] Extend tests for SM2 decryption
Check the case where C1y < 32 bytes in length (i.e. short overhead), and
also the case with longer plaintext and C1x and C1y > 32 bytes in length
(i.e. long overhead)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reference: https://github.com/openssl/openssl/commit/733fa41c3fc4bcac37f94aa917f7242420f8a5a6
Conflict: NA
---
test/recipes/30-test_evp_data/evppkey.txt | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt
index 736e0ce4d3..c3947cb000 100644
--- a/test/recipes/30-test_evp_data/evppkey.txt
+++ b/test/recipes/30-test_evp_data/evppkey.txt
@@ -18444,6 +18444,16 @@ Decrypt = SM2_key1
Input = 30818A0220466BE2EF5C11782EC77864A0055417F407A5AFC11D653C6BCE69E417BB1D05B6022062B572E21FF0DDF5C726BD3F9FF2EAE56E6294713A607E9B9525628965F62CC804203C1B5713B5DB2728EB7BF775E44F4689FC32668BDC564F52EA45B09E8DF2A5F40422084A9D0CC2997092B7D3C404FCE95956EB604D732B2307A8E5B8900ED6608CA5B197
Output = "The floofy bunnies hop at midnight"
+# Test with an C1y value < 32 bytes in length (self generated)
+Decrypt = SM2_key1
+Input = 3072022070DAD60CDA7C30D64CF4F278A849003581223F5324BFEC9BB329229BFFAD21A6021F18AFAB2B35459D2643243B242BE4EA80C6FA5071D2D847340CC57EB9309E5D04200B772E4DB664B2601E3B85E39C4AA8C2C1910308BE13B331E009C5A9258C29FD040B6D588BE9260A94DA18E0E6
+Output = "Hello World"
+
+# Test with an C1x and C1y valuey > 32 bytes in length, and longer plaintext (self generated)
+Decrypt = SM2_key1
+Input = 3081DD022100CD49634BBCB21CAFFFA6D33669A5A867231CB2A942A14352EF4CAF6DC3344D54022100C35B41D4DEBB3A2735EFEE821B9EBA566BD86900176A0C06672E30EE5CC04E930420C4190A3D80D86C4BD20E99F7E4B59BF6427C6808793533EEA9591D1188EC56B50473747295470E81D951BED279AC1B86A1AFE388CD2833FA9632799EC199C7D364E5663D5A94888BB2358CFCBF6283184DE0CBC41CCEA91D24746E99D231A1DA77AFD83CDF908190ED628B7369724494568A27C782A1D1D7294BCAD80C34569ED22859896301128A8118F48924D8CCD43E998D9533
+Output = "Some longer plaintext for testing SM2 decryption. Blah blah blah blah blah blah blah blah blah blah blah blah blah."
+
# This is a "fake" test as it does only verify that the SM2 EVP_PKEY interface
# is capable of creating a signature without failing, but it does not say
# anything about the generated signature being valid, nor does it test the
--
2.23.0


@ -1,63 +0,0 @@
From d9d838ddc0ed083fb4c26dd067e71aad7c65ad16 Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Sun, 18 Jul 2021 17:48:06 +0200
Subject: [PATCH] Fix a read buffer overrun in X509_aux_print().
The ASN1_STRING_get0_data(3) manual explitely cautions the reader
that the data is not necessarily NUL-terminated, and the function
X509_alias_set1(3) does not sanitize the data passed into it in any
way either, so we must assume the return value from X509_alias_get0(3)
is merely a byte array and not necessarily a string in the sense
of the C language.
I found this bug while writing manual pages for X509_print_ex(3)
and related functions. Theo Buehler <tb@openbsd.org> checked my
patch to fix the same bug in LibreSSL, see
http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9
As an aside, note that the function still produces incomplete and
misleading results when the data contains a NUL byte in the middle
and that error handling is consistently absent throughout, even
though the function provides an "int" return value obviously intended
to be 1 for success and 0 for failure, and even though this function
is called by another function that also wants to return 1 for success
and 0 for failure and even does so in many of its code paths, though
not in others. But let's stay focussed. Many things would be nice
to have in the wide wild world, but a buffer overflow must not be
allowed to remain in our backyard.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16108)
(cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67)
Reference: https://github.com/openssl/openssl/commit/d9d838ddc0ed083fb4c26dd067e71aad7c65ad16
Conflict: NA
---
crypto/x509/t_x509.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 12d807f705..3ba0b3a045 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, int indent)
BIO_puts(out, "\n");
} else
BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
- alias = X509_alias_get0(x, NULL);
+ alias = X509_alias_get0(x, &i);
if (alias)
- BIO_printf(out, "%*sAlias: %s\n", indent, "", alias);
+ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias);
keyid = X509_keyid_get0(x, &keyidlen);
if (keyid) {
BIO_printf(out, "%*sKey Id: ", indent, "");
--
2.23.0


@ -1,38 +0,0 @@
From 94d23fcff9b2a7a8368dfe52214d5c2569882c11 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 19 Aug 2021 12:24:17 +0100
Subject: [PATCH] Fix EC_GROUP_new_from_ecparameters to check the base length
Check that there's at least one byte in params->base before trying to
read it.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reference: https://github.com/openssl/openssl/commit/94d23fcff9b2a7a8368dfe52214d5c2569882c11
Conflict: NA
---
crypto/ec/ec_asn1.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 7b7c75ce84..e497a25909 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
ret->seed_len = params->curve->seed->length;
}
- if (!params->order || !params->base || !params->base->data) {
+ if (params->order == NULL
+ || params->base == NULL
+ || params->base->data == NULL
+ || params->base->length == 0) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
goto err;
}
--
2.23.0


@ -0,0 +1,58 @@
From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:35 +0100
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
test/bntest.c | 11 ++++++++++-
test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/test/bntest.c b/test/bntest.c
index 390dd80073..1cab660bca 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
|| !TEST_ptr(ret2 = BN_new()))
goto err;
+ if (BN_is_negative(mod_sqrt)) {
+ /* A negative testcase */
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
+ goto err;
+
+ st = 1;
+ goto err;
+ }
+
/* There are two possible answers. */
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|| !TEST_true(BN_sub(ret2, p, ret)))
goto err;
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
index 5ea4d031f2..e28cc6bfb0 100644
--- a/test/recipes/10-test_bn_data/bnmod.txt
+++ b/test/recipes/10-test_bn_data/bnmod.txt
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
+# Negative testcases for BN_mod_sqrt()
+
+# This one triggers an infinite loop with unfixed implementation
+# It should just fail.
+ModSqrt = -1
+A = 20a7ee
+P = 460201
+
+ModSqrt = -1
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
--
2.27.0
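Review bot: The `if (BN_is_negative(mod_sqrt))` branch added to file_modsqrt only checks that BN_mod_sqrt() returns NULL; it does not pin the reason, so an allocation failure or any other error path would pass as a successful negative test. Adding `TEST_int_eq(ERR_GET_REASON(ERR_peek_last_error()), BN_R_NOT_A_SQUARE)` before `st = 1;`, followed by `ERR_clear_error();` so the queued error does not carry into the next stanza, would make the check specific; bntest.c's includes are outside the hunk, so confirm <openssl/err.h> is already pulled in. Separately, the bnmod.txt comment itself says the `P = 460201` entry loops forever on an unfixed library, so the suite hangs rather than fails if this test patch is applied without the BN_mod_sqrt fix that accompanies it in this commit; the spec's patch ordering is not visible here and is worth checking. file_modsqrt's start and its err label lie outside the hunk.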


@ -0,0 +1,69 @@
From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:21 +0100
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
The calculation in some cases does not finish for non-prime p.
This fixes CVE-2022-0778.
Based on patch by David Benjamin <davidben@google.com>.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
index 1723d5ded5..53b0f55985 100644
--- a/crypto/bn/bn_sqrt.c
+++ b/crypto/bn/bn_sqrt.c
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto vrfy;
}
- /* find smallest i such that b^(2^i) = 1 */
- i = 1;
- if (!BN_mod_sqr(t, b, p, ctx))
- goto end;
- while (!BN_is_one(t)) {
- i++;
- if (i == e) {
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
- goto end;
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+ for (i = 1; i < e; i++) {
+ if (i == 1) {
+ if (!BN_mod_sqr(t, b, p, ctx))
+ goto end;
+
+ } else {
+ if (!BN_mod_mul(t, t, t, p, ctx))
+ goto end;
}
- if (!BN_mod_mul(t, t, t, p, ctx))
- goto end;
+ if (BN_is_one(t))
+ break;
+ }
+ /* If not found, a is not a square or p is not prime. */
+ if (i >= e) {
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+ goto end;
}
/* t := y^2^(e - i - 1) */
--
2.27.0
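Review bot: The `if (i >= e)` check is what turns the former hang into an error, but nothing in the hunk records why the search is now finite, which anyone backporting this CVE fix would want; a comment above the check such as `/* On the break path i < e, so the reduction of e that follows strictly shrinks e and the outer loop must terminate. */` would capture the invariant (the `y^2^(e - i - 1)` comment on the last line suggests e is reduced after this point, but that code lies outside the hunk). The updated header comment also folds composite p into "an error or an incorrect result" without noting that the same BN_R_NOT_A_SQUARE reason is raised for a non-residue and for a non-prime modulus, so callers cannot tell the two apart from the error and have to rely on the `vrfy` path visible at the top of the hunk, which presumably checks the result against a. Stylistically, the `i == 1` special case inside the loop could be removed by squaring b into t once before the loop and squaring t in place thereafter, but that is cosmetic. BN_mod_sqrt's body continues outside both hunks.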


@ -1,31 +0,0 @@
From cf2b1d6f11aa7ec4aa909ff1ecb9bee6892285d9 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Mon, 23 Aug 2021 11:11:29 +0200
Subject: [PATCH] Avoid using undefined value in
generate_stateless_cookie_callback
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16381)
---
apps/s_cb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/apps/s_cb.c b/apps/s_cb.c
index dee1b2e5b4..d066a423de 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -819,7 +819,9 @@ int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
{
unsigned int temp;
int res = generate_cookie_callback(ssl, cookie, &temp);
- *cookie_len = temp;
+
+ if (res != 0)
+ *cookie_len = temp;
return res;
}
--


@ -1,31 +0,0 @@
From 2d0e5d4a4a5d4332325b5e5cea492fad2be633e1 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 19 Aug 2021 12:23:38 +0100
Subject: [PATCH] Fix NETSCAPE_SPKI_print function to not assume NUL terminated
strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
crypto/asn1/t_spki.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/asn1/t_spki.c b/crypto/asn1/t_spki.c
index 51b56d0aa9..64ee77eeec 100644
--- a/crypto/asn1/t_spki.c
+++ b/crypto/asn1/t_spki.c
@@ -38,7 +38,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
}
chal = spki->spkac->challenge;
if (chal->length)
- BIO_printf(out, " Challenge String: %s\n", chal->data);
+ BIO_printf(out, " Challenge String: %.*s\n", chal->length, chal->data);
i = OBJ_obj2nid(spki->sig_algor.algorithm);
BIO_printf(out, " Signature Algorithm: %s",
(i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
--


@ -1,51 +0,0 @@
From 5f54e57406ca17731b9ade3afd561d3c652e07f2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 12:31:38 +0100
Subject: [PATCH] Fix POLICYINFO printing to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
crypto/x509v3/v3_cpols.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index 1d12c89912..861e8455dd 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -422,7 +422,8 @@ static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
qualinfo = sk_POLICYQUALINFO_value(quals, i);
switch (OBJ_obj2nid(qualinfo->pqualid)) {
case NID_id_qt_cps:
- BIO_printf(out, "%*sCPS: %s\n", indent, "",
+ BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
+ qualinfo->d.cpsuri->length,
qualinfo->d.cpsuri->data);
break;
@@ -447,7 +448,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
if (notice->noticeref) {
NOTICEREF *ref;
ref = notice->noticeref;
- BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+ BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
+ ref->organization->length,
ref->organization->data);
BIO_printf(out, "%*sNumber%s: ", indent, "",
sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
@@ -470,7 +472,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
BIO_puts(out, "\n");
}
if (notice->exptext)
- BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
+ BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
+ notice->exptext->length,
notice->exptext->data);
}
--


@ -1,53 +0,0 @@
From bb4d2ed4091408404e18b3326e3df67848ef63d0 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 17:58:23 +0100
Subject: [PATCH] Fix append_ia5 function to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
crypto/x509v3/v3_utl.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 004ef55df9..513dc68b08 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -528,18 +528,26 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email
/* First some sanity checks */
if (email->type != V_ASN1_IA5STRING)
return 1;
- if (!email->data || !email->length)
+ if (email->data == NULL || email->length == 0)
+ return 1;
+ if (memchr(email->data, 0, email->length) != NULL)
return 1;
if (*sk == NULL)
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
if (*sk == NULL)
return 0;
+
+ emtmp = OPENSSL_strndup((char *)email->data, email->length);
+ if (emtmp == NULL)
+ return 0;
+
/* Don't add duplicates */
- if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
+ if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
+ OPENSSL_free(emtmp);
return 1;
- emtmp = OPENSSL_strdup((char *)email->data);
- if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
- OPENSSL_free(emtmp); /* free on push failure */
+ }
+ if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
+ OPENSSL_free(emtmp); /* free on push failure */
X509_email_free(*sk);
*sk = NULL;
return 0;
--


@ -1,147 +0,0 @@
From 174ba8048a7f2f5e1fca31cfb93b1730d9db8300 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 12:24:22 +0100
Subject: [PATCH] Fix i2v_GENERAL_NAME to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
crypto/x509v3/v3_alt.c | 10 +++++++---
crypto/x509v3/v3_utl.c | 38 ++++++++++++++++++++++++++++++++------
include/crypto/x509.h | 5 +++++
3 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 4dce004101..6e5f9f8b0e 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -9,6 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
+#include "crypto/x509.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include "ext_dat.h"
@@ -99,17 +100,20 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
break;
case GEN_EMAIL:
- if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
+ if (!x509v3_add_len_value_uchar("email", gen->d.ia5->data,
+ gen->d.ia5->length, &ret))
return NULL;
break;
case GEN_DNS:
- if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
+ if (!x509v3_add_len_value_uchar("DNS", gen->d.ia5->data,
+ gen->d.ia5->length, &ret))
return NULL;
break;
case GEN_URI:
- if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
+ if (!x509v3_add_len_value_uchar("URI", gen->d.ia5->data,
+ gen->d.ia5->length, &ret))
return NULL;
break;
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 7281a7b917..004ef55df9 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -12,6 +12,7 @@
#include "e_os.h"
#include "internal/cryptlib.h"
#include <stdio.h>
+#include <string.h>
#include "crypto/ctype.h"
#include <openssl/conf.h>
#include <openssl/crypto.h>
@@ -34,17 +35,26 @@ static int ipv6_hex(unsigned char *out, const char *in, int inlen);
/* Add a CONF_VALUE name value pair to stack */
-int X509V3_add_value(const char *name, const char *value,
- STACK_OF(CONF_VALUE) **extlist)
+static int x509v3_add_len_value(const char *name, const char *value,
+ size_t vallen, STACK_OF(CONF_VALUE) **extlist)
{
CONF_VALUE *vtmp = NULL;
char *tname = NULL, *tvalue = NULL;
int sk_allocated = (*extlist == NULL);
- if (name && (tname = OPENSSL_strdup(name)) == NULL)
- goto err;
- if (value && (tvalue = OPENSSL_strdup(value)) == NULL)
+ if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
goto err;
+ if (value != NULL && vallen > 0) {
+ /*
+ * We tolerate a single trailing NUL character, but otherwise no
+ * embedded NULs
+ */
+ if (memchr(value, 0, vallen - 1) != NULL)
+ goto err;
+ tvalue = OPENSSL_strndup(value, vallen);
+ if (tvalue == NULL)
+ goto err;
+ }
if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
goto err;
if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL)
@@ -67,10 +77,26 @@ int X509V3_add_value(const char *name, const char *value,
return 0;
}
+int X509V3_add_value(const char *name, const char *value,
+ STACK_OF(CONF_VALUE) **extlist)
+{
+ return x509v3_add_len_value(name, value,
+ value != NULL ? strlen((const char *)value) : 0,
+ extlist);
+}
+
int X509V3_add_value_uchar(const char *name, const unsigned char *value,
STACK_OF(CONF_VALUE) **extlist)
{
- return X509V3_add_value(name, (const char *)value, extlist);
+ return x509v3_add_len_value(name, (const char *)value,
+ value != NULL ? strlen((const char *)value) : 0,
+ extlist);
+}
+
+int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,
+ size_t vallen, STACK_OF(CONF_VALUE) **extlist)
+{
+ return x509v3_add_len_value(name, (const char *)value, vallen, extlist);
}
/* Free function for STACK_OF(CONF_VALUE) */
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index b53c2b03c3..7ffb8abfe7 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -8,6 +8,8 @@
*/
#include "internal/refcount.h"
+#include <openssl/x509.h>
+#include <openssl/conf.h>
/* Internal X509 structures and functions: not for application use */
@@ -284,3 +286,6 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc);
int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm);
void x509_init_sig_info(X509 *x);
+
+int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,
+ size_t vallen, STACK_OF(CONF_VALUE) **extlist);
--


@ -1,42 +0,0 @@
From 75a4f263ba9d3ec1e9d55ca5024aee62aec70475 Mon Sep 17 00:00:00 2001
From: Todd Short <tshort@akamai.com>
Date: Fri, 13 Aug 2021 09:59:59 -0400
Subject: [PATCH] Fix potential double-free
The `sk` variable is assigned to `s->session->peer_chain`.
If `ssl3_digest_cached_records()` were to fail, then `sk` would still be
non-NULL, and subsequently freed on the error return. When the session
is freed, it will then attempt to free `s->session->peer_chain`,
resulting in a double-free (of `sk`).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16309)
(cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef)
---
ssl/statem/statem_srvr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 30d20f1297..d701c46b43 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3753,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
sk_X509_pop_free(s->session->peer_chain, X509_free);
s->session->peer_chain = sk;
+ sk = NULL;
/*
* Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
@@ -3767,7 +3768,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
* Inconsistency alert: cert_chain does *not* include the peer's own
* certificate, while we do include it in statem_clnt.c
*/
- sk = NULL;
/* Save the current hash state for when we receive the CertificateVerify */
if (SSL_IS_TLS13(s)) {
--


@ -1,32 +0,0 @@
From 23446958685a593d4d9434475734b99138902ed2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 14:02:40 +0100
Subject: [PATCH] Fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL
terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
crypto/x509v3/v3_pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
index 3d124fa6d9..98b6ef25e2 100644
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c
@@ -77,7 +77,8 @@ static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
BIO_puts(out, "\n");
if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+ BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
+ pci->proxyPolicy->policy->length,
pci->proxyPolicy->policy->data);
return 1;
}
--


@ -1,189 +0,0 @@
From 8393de42498f8be75cf0353f5c9f906a43a748d2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 18 Aug 2021 17:08:58 +0100
Subject: [PATCH] Fix the name constraints code to not assume NUL terminated
strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
crypto/x509v3/v3_ncons.c | 77 +++++++++++++++++++++++++++-------------
1 file changed, 52 insertions(+), 25 deletions(-)
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 2a7b4f0992..cb701c4d84 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -63,8 +63,31 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
+
+#define IA5_OFFSET_LEN(ia5base, offset) \
+ ((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data))
+
+/* Like memchr but for ASN1_IA5STRING. Additionally you can specify the
+ * starting point to search from
+ */
+# define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start))
+
+/* Like memrrchr but for ASN1_IA5STRING */
+static char *ia5memrchr(ASN1_IA5STRING *str, int c)
+{
+ int i;
+
+ for (i = str->length; i > 0 && str->data[i - 1] != c; i--);
+
+ if (i == 0)
+ return NULL;
+
+ return (char *)&str->data[i - 1];
+}
+
/*
- * We cannot use strncasecmp here because that applies locale specific rules.
+ * We cannot use strncasecmp here because that applies locale specific rules. It
+ * also doesn't work with ASN1_STRINGs that may have embedded NUL characters.
* For example in Turkish 'I' is not the uppercase character for 'i'. We need to
* do a simple ASCII case comparison ignoring the locale (that is why we use
* numeric constants below).
@@ -89,20 +112,12 @@ static int ia5ncasecmp(const char *s1, const char *s2, size_t n)
/* c1 > c2 */
return 1;
- } else if (*s1 == 0) {
- /* If we get here we know that *s2 == 0 too */
- return 0;
}
}
return 0;
}
-static int ia5casecmp(const char *s1, const char *s2)
-{
- return ia5ncasecmp(s1, s2, SIZE_MAX);
-}
-
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
@@ -337,7 +352,7 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
--utf8_length;
/* Reject *embedded* NULs */
- if ((size_t)utf8_length != strlen((char *)utf8_value)) {
+ if (memchr(utf8_value, 0, utf8_length) != NULL) {
OPENSSL_free(utf8_value);
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
}
@@ -536,9 +551,14 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
{
char *baseptr = (char *)base->data;
char *dnsptr = (char *)dns->data;
+
/* Empty matches everything */
- if (!*baseptr)
+ if (base->length == 0)
return X509_V_OK;
+
+ if (dns->length < base->length)
+ return X509_V_ERR_PERMITTED_VIOLATION;
+
/*
* Otherwise can add zero or more components on the left so compare RHS
* and if dns is longer and expect '.' as preceding character.
@@ -549,7 +569,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
return X509_V_ERR_PERMITTED_VIOLATION;
}
- if (ia5casecmp(baseptr, dnsptr))
+ if (ia5ncasecmp(baseptr, dnsptr, base->length))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -560,16 +580,17 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
{
const char *baseptr = (char *)base->data;
const char *emlptr = (char *)eml->data;
+ const char *baseat = ia5memrchr(base, '@');
+ const char *emlat = ia5memrchr(eml, '@');
+ size_t basehostlen, emlhostlen;
- const char *baseat = strchr(baseptr, '@');
- const char *emlat = strchr(emlptr, '@');
if (!emlat)
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Special case: initial '.' is RHS match */
- if (!baseat && (*baseptr == '.')) {
+ if (!baseat && base->length > 0 && (*baseptr == '.')) {
if (eml->length > base->length) {
emlptr += eml->length - base->length;
- if (ia5casecmp(baseptr, emlptr) == 0)
+ if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)
return X509_V_OK;
}
return X509_V_ERR_PERMITTED_VIOLATION;
@@ -589,8 +610,10 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
baseptr = baseat + 1;
}
emlptr = emlat + 1;
+ basehostlen = IA5_OFFSET_LEN(base, baseptr);
+ emlhostlen = IA5_OFFSET_LEN(eml, emlptr);
/* Just have hostname left to match: case insensitive */
- if (ia5casecmp(baseptr, emlptr))
+ if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -601,10 +624,14 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
{
const char *baseptr = (char *)base->data;
const char *hostptr = (char *)uri->data;
- const char *p = strchr(hostptr, ':');
+ const char *p = ia5memchr(uri, (char *)uri->data, ':');
int hostlen;
+
/* Check for foo:// and skip past it */
- if (!p || (p[1] != '/') || (p[2] != '/'))
+ if (p == NULL
+ || IA5_OFFSET_LEN(uri, p) < 3
+ || p[1] != '/'
+ || p[2] != '/')
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
hostptr = p + 3;
@@ -612,13 +639,13 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
/* Look for a port indicator as end of hostname first */
- p = strchr(hostptr, ':');
+ p = ia5memchr(uri, hostptr, ':');
/* Otherwise look for trailing slash */
- if (!p)
- p = strchr(hostptr, '/');
+ if (p == NULL)
+ p = ia5memchr(uri, hostptr, '/');
- if (!p)
- hostlen = strlen(hostptr);
+ if (p == NULL)
+ hostlen = IA5_OFFSET_LEN(uri, hostptr);
else
hostlen = p - hostptr;
@@ -626,7 +653,7 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Special case: initial '.' is RHS match */
- if (*baseptr == '.') {
+ if (base->length > 0 && *baseptr == '.') {
if (hostlen > base->length) {
p = hostptr + hostlen - base->length;
if (ia5ncasecmp(p, baseptr, base->length) == 0)
--


@ -1,30 +0,0 @@
From 9d868840b821fddf895e3bf6b589ecf6be7b1b13 Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Tue, 17 Aug 2021 13:19:32 +1000
Subject: [PATCH] pkcs12: check for zero length digest to avoid division by
zero
Fixes #16331
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/16333)
---
crypto/pkcs12/p12_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c
index ab31a61295..b814f79216 100644
--- a/crypto/pkcs12/p12_key.c
+++ b/crypto/pkcs12/p12_key.c
@@ -101,7 +101,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
#endif
v = EVP_MD_block_size(md_type);
u = EVP_MD_size(md_type);
- if (u < 0 || v <= 0)
+ if (u <= 0 || v <= 0)
goto err;
D = OPENSSL_malloc(v);
Ai = OPENSSL_malloc(u);
--


@ -1,53 +0,0 @@
From 61b0fead5e6079ca826594df5b9ca00e65883cb0 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 19 Nov 2020 13:58:21 +0000
Subject: [PATCH] Don't Overflow when printing Thawte Strong Extranet Version
When printing human readable info on the Thawte Strong Extranet extension
the version number could overflow if the version number == LONG_MAX. This
is undefined behaviour.
Issue found by OSSFuzz.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13452)
---
crypto/x509v3/v3_sxnet.c | 18 +++++++++++++++---
1 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509v3/v3_sxnet.c
index 76f5eafc73..6e2b796a38 100644
--- a/crypto/x509v3/v3_sxnet.c
+++ b/crypto/x509v3/v3_sxnet.c
@@ -57,12 +57,24 @@ IMPLEMENT_ASN1_FUNCTIONS(SXNET)
static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
int indent)
{
- long v;
+ int64_t v;
char *tmp;
SXNETID *id;
int i;
- v = ASN1_INTEGER_get(sx->version);
- BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
+
+ /*
+ * Since we add 1 to the version number to display it, we don't support
+ * LONG_MAX since that would cause on overflow.
+ */
+ if (!ASN1_INTEGER_get_int64(&v, sx->version)
+ || v >= LONG_MAX
+ || v < LONG_MIN) {
+ BIO_printf(out, "%*sVersion: <unsupported>", indent, "");
+ } else {
+ long vl = (long)v;
+
+ BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", vl + 1, vl);
+ }
for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
id = sk_SXNETID_value(sx->ids, i);
tmp = i2s_ASN1_INTEGER(NULL, id->zone);
--
2.23.0


@ -1,28 +1,7 @@
#diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
#--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build 2018-06-20 16:48:09.000000000 +0200
#+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-16 17:15:38.108831031 +0200
#@@ -680,7 +680,7 @@ uninstall_runtime:
# install_man_docs:
# @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
# @$(ECHO) "*** Installing manpages"
#- $(PERL) $(SRCDIR)/util/process_docs.pl \
#+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
# --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
#
# uninstall_man_docs:
#@@ -692,7 +692,7 @@ uninstall_man_docs:
# install_html_docs:
# @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
# @$(ECHO) "*** Installing HTML manpages"
#- $(PERL) $(SRCDIR)/util/process_docs.pl \
#+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
# --destdir=$(DESTDIR)$(HTMLDIR) --type=html
#
# uninstall_html_docs:
diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf
--- openssl-1.1.1-pre8/Configurations/10-main.conf.build 2018-06-20 16:48:09.000000000 +0200
+++ openssl-1.1.1-pre8/Configurations/10-main.conf 2018-07-16 17:17:10.312045203 +0200
@@ -693,6 +693,7 @@ my %targets = (
diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
+++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
@@ -678,6 +678,7 @@ my %targets = (
cxxflags => add("-m64"),
lib_cppflags => add("-DL_ENDIAN"),
perlasm_scheme => "linux64le",
@ -30,7 +9,7 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
},
"linux-armv4" => {
@@ -733,6 +734,7 @@ my %targets = (
@@ -718,6 +719,7 @@ my %targets = (
"linux-aarch64" => {
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
perlasm_scheme => "linux64",
@ -38,3 +17,24 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
},
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
@@ -823,7 +823,7 @@ uninstall_runtime_libs:
install_man_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing manpages"
- $(PERL) $(SRCDIR)/util/process_docs.pl \
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
uninstall_man_docs:
@@ -835,7 +835,7 @@ uninstall_man_docs:
install_html_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing HTML manpages"
- $(PERL) $(SRCDIR)/util/process_docs.pl \
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
uninstall_html_docs:



openssl-1.1.1m.tar.gz Normal file



@ -1,47 +1,20 @@
%define soversion 1.1
Name: openssl
Epoch: 1
Version: 1.1.1f
Release: 9
Version: 1.1.1m
Release: 1
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay
URL: https://www.openssl.org/
Source0: https://www.openssl.org/source/old/1.1.1/%{name}-%{version}.tar.gz
Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
Source1: Makefile.certificate
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-fips.patch
Patch3: CVE-2020-1967.patch
Patch4: CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch
Patch5: CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
Patch6: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch
Patch7: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch
Patch8: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch
Patch9: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch
Patch10: CVE-2021-23840.patch
Patch11: CVE-2021-23841.patch
Patch12: CVE-2021-3449.patch
Patch13: CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch
Patch14: CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch
Patch15: CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch
Patch16: CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch
Patch17: CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch
Patch18: bugfix-Don-t-Overflow-when-printing-Thawte-Strong-Extranet-.patch
Patch19: backport-Avoid-using-undefined-value-in-generate_stateless_co.patch
Patch20: backport-Fix-append_ia5-function-to-not-assume-NUL-terminated.patch
Patch21: backport-Fix-i2v_GENERAL_NAME-to-not-assume-NUL-terminated-st.patch
Patch22: backport-Fix-NETSCAPE_SPKI_print-function-to-not-assume-NUL-t.patch
Patch23: backport-Fix-POLICYINFO-printing-to-not-assume-NUL-terminated.patch
Patch24: backport-Fix-potential-double-free.patch
Patch25: backport-Fix-printing-of-PROXY_CERT_INFO_EXTENSION-to-not-ass.patch
Patch26: backport-Fix-the-name-constraints-code-to-not-assume-NUL-term.patch
Patch27: backport-pkcs12-check-for-zero-length-digest-to-avoid-divisio.patch
Patch3: CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch
Patch4: CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
Requires: coreutils perl %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: openssl-perl < %{epoch}:%{version}-%{release}
Provides: openssl-perl = %{epoch}:%{version}-%{release}
Provides: openssl-perl%{_isa} = %{epoch}:%{version}-%{release}
Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
%description
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
@ -62,6 +35,16 @@ The openssl-libs package contains the libraries that are used
by various applications which support cryptographic algorithms
and protocols.
%package perl
Summary: Perl scripts provided with OpenSSL
Requires: perl-interpreter
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.
%package devel
Summary: Development files for openssl
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@ -146,6 +129,13 @@ for manpage in man*/* ; do
done
popd
# Next step of gradual disablement of ssl3.
# Make SSL3 disappear to newly built dependencies.
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
#ifndef OPENSSL_NO_SSL3\
# define OPENSSL_NO_SSL3\
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/*.dist
%check
@ -170,12 +160,7 @@ make test || :
%license LICENSE
%doc AUTHORS CHANGES FAQ NEWS README
%{_pkgdocdir}/Makefile.certificate
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts
%{_bindir}/*
%{_bindir}/openssl
%files libs
%defattr(-,root,root)
@ -210,13 +195,33 @@ make test || :
%{_mandir}/man7/*
%{_pkgdocdir}/html/
%changelog
* Sat Dec 25 2021 steven_ygui <steven_ygui@163.com> - 1:1.1.1f-9
- backport upstream patches
%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts
* Fri Sep 24 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-8
%ldconfig_scriptlets libs
%changelog
* Thu Mar 24 2022 duyiwei <duyiwei@kylinos.cn> - 1:1.1.1m-1
- update openssl-1.1.1f to openssl-1.1.1m
- add subpackage openssl-perl
- fix the cve-2022-0778
* Wed Dec 8 2021 lujie42 <lujie42@huawei.com> - 1:1.1.1l-1
- update openssl-1.1.1f to openssl-1.1.1l
* Fri Sep 24 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-9
- bugfix Overflow when printing Thawte Strong Extranet
* Sat Sep 18 2021 zhuyan <zhuyan34@huawei.com> - 1:1.1.1f-8
- fix software package format problem
* Mon Aug 30 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-7
- fix the CVE-2021-3711 and CVE-2021-3712
@ -229,7 +234,7 @@ make test || :
* Wed Mar 10 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-4
- fix CVE-2021-23840 and CVE-2021-23841
* Mon Jan 19 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-3
* Tue Jan 19 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-3
- fix CVE-2020-1971
* Fri Sep 11 2020 Liquor <lirui130@huawei.com> - 1:1.1.1f-2