Solaris/dbpware-for-solaris
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

openssl: add security patches

Browse Source 
Fixes all relevant CVEs with patches from RHEL 7.

Additionally made one further tweak for parallel install installation
with OpenSSL 3.x.
This commit is contained in:
Tom G. Christensen 2022-03-31 18:32:06 +02:00
parent cdba37fb86
commit 867fa0b486
8 changed files with 1037 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
openssl/build.sh
View File

@ -7,10 +7,14 @@
# Check the following 4 variables before running the script
topdir=openssl
version=1.0.2u
pkgver=7
pkgver=8
source[0]=https://openssl.org/source/$topdir-$version.tar.gz
# If there are no patches, simply comment this
#patch[0]=
patch[0]=openssl-1.0.2u-cve-2020-1971.patch
patch[1]=openssl-1.0.2u-cve-2021-23840.patch
patch[2]=openssl-1.0.2u-cve-2021-23841.patch
patch[3]=openssl-1.0.2u-cve-2021-3712.patch
patch[4]=openssl-1.0.2u-cve-2022-0778.patch
# Source function library
. ${BUILDPKG_SCRIPTS}/buildpkg.functions
@ -24,7 +28,7 @@ shortver=102
pname=openssl${shortver}
make_check_target="test"
__configure="./Configure"
configure_args=(--prefix=$prefix --openssldir=${prefix}/${_sharedir}/ssl zlib shared)
configure_args=(--prefix=$prefix --openssldir=${prefix}/${_sharedir}/ssl${shortver} zlib shared)
if [ "$arch" = "sparc" ]; then
configure_args+=(solaris-sparc${gcc_arch}-gcc)
else
@ -85,7 +89,6 @@ install()
${__mv} ${stagedir}${prefix}/${_includedir}/{openssl,$pname/openssl}
${__mv} ${stagedir}${prefix}/${_bindir}/{openssl,$pname}
${__rm} -rf ${stagedir}${prefix}/{${_sharedir}/ssl/misc,{${_bindir},${_mandir}/man1}/{CA.pl,c_rehash,*tsget}*}
${__rm} -f ${stagedir}${prefix}/${_sharedir}/ssl/openssl.cnf
${__rm} -f ${stagedir}${prefix}/${_libdir}/*.so
ln -s ../libcrypto.so.${sover} ${stagedir}${prefix}/${_libdir}/${pname}/libcrypto.so
ln -s ../libssl.so.${sover} ${stagedir}${prefix}/${_libdir}/${pname}/libssl.so
@ -129,6 +132,7 @@ install()
compat openssl 1.0.2p 1 4
compat openssl 1.0.2r 1 5
compat openssl 1.0.2u 1 6
compat openssl 1.0.2u 1 7
}
reg pack

6
openssl/meta/ChangeLog
View File

@ -1,5 +1,11 @@
CHANGELOG
---------
* Tue Mar 29 2022 Tom G. Christensen <swpkg@jupiterrise.com> - 1.0.2u-8
- Relocate ssldir to avoid conflicts
- Forward port CVE fixes from RHEL 7 (openssl 1.0.2k)
- Fixes CVE-2020-1971, CVE-2021-23840, CVE-2021-23841, CVE-2021-3712,
CVE-2022-0778
* Sat Nov 20 2021 Tom G. Christensen <swpkg@jupiterrise.com> - 1.0.2u-7
- Rebuild as parallel installable with OpenSSL 3.0
- Move utils into their own package

2
openssl/meta/pkgdef
View File

@ -9,7 +9,7 @@ files(-,root,bin)
default_docs
$_libdir/*.so.*
$_libdir/engines/*.so
$_sharedir/ssl
$_sharedir/ssl${shortver}
[openssl-utils]
pkgname="${pkgprefix}osslu"

572
openssl/src/openssl-1.0.2u-cve-2020-1971.patch Normal file
View File

@ -0,0 +1,572 @@
--- openssl-1.0.2u/crypto/asn1/asn1_err.c.cve-2020-1971 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/asn1/asn1_err.c 2022-04-04 20:54:37.545142000 +0000
@@ -1,6 +1,6 @@
/* crypto/asn1/asn1_err.c */
/* ====================================================================
- * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2020 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -103,6 +103,7 @@
{ERR_FUNC(ASN1_F_ASN1_ITEM_DUP), "ASN1_item_dup"},
{ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW), "ASN1_ITEM_EX_COMBINE_NEW"},
{ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"},
+ {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EX_I2D, 0), "ASN1_item_ex_i2d"},
{ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO), "ASN1_item_i2d_bio"},
{ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"},
{ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"},
@@ -205,6 +206,7 @@
{ERR_REASON(ASN1_R_AUX_ERROR), "aux error"},
{ERR_REASON(ASN1_R_BAD_CLASS), "bad class"},
{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER), "bad object header"},
+ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TEMPLATE), "bad template"},
{ERR_REASON(ASN1_R_BAD_PASSWORD_READ), "bad password read"},
{ERR_REASON(ASN1_R_BAD_TAG), "bad tag"},
{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),
--- openssl-1.0.2u/crypto/asn1/asn1.h.cve-2020-1971 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/asn1/asn1.h 2022-04-04 20:53:46.574728000 +0000
@@ -1203,6 +1203,7 @@
# define ASN1_F_ASN1_ITEM_DUP 191
# define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW 121
# define ASN1_F_ASN1_ITEM_EX_D2I 120
+# define ASN1_F_ASN1_ITEM_EX_I2D 231
# define ASN1_F_ASN1_ITEM_I2D_BIO 192
# define ASN1_F_ASN1_ITEM_I2D_FP 193
# define ASN1_F_ASN1_ITEM_PACK 198
@@ -1302,6 +1303,7 @@
# define ASN1_R_AUX_ERROR 100
# define ASN1_R_BAD_CLASS 101
# define ASN1_R_BAD_OBJECT_HEADER 102
+# define ASN1_R_BAD_TEMPLATE 230
# define ASN1_R_BAD_PASSWORD_READ 103
# define ASN1_R_BAD_TAG 104
# define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214
--- openssl-1.0.2u/crypto/asn1/tasn_dec.c.cve-2020-1971 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/asn1/tasn_dec.c 2022-04-04 20:53:46.654737000 +0000
@@ -223,6 +223,15 @@
break;
case ASN1_ITYPE_MSTRING:
+ /*
+ * It never makes sense for multi-strings to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE);
+ goto err;
+ }
+
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
@@ -240,6 +249,7 @@
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
goto err;
}
+
/* Check tag matches bit map */
if (!(ASN1_tag2bit(otag) & it->utype)) {
/* If OPTIONAL, assume this is OK */
@@ -316,6 +326,15 @@
goto err;
case ASN1_ITYPE_CHOICE:
+ /*
+ * It never makes sense for CHOICE types to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE);
+ goto err;
+ }
+
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
if (*pval) {
--- openssl-1.0.2u/crypto/asn1/tasn_enc.c.cve-2020-1971 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/asn1/tasn_enc.c 2022-04-04 20:53:46.724730000 +0000
@@ -151,9 +151,25 @@
break;
case ASN1_ITYPE_MSTRING:
+ /*
+ * It never makes sense for multi-strings to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
+ return -1;
+ }
return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);
case ASN1_ITYPE_CHOICE:
+ /*
+ * It never makes sense for CHOICE types to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
+ return -1;
+ }
if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL))
return 0;
i = asn1_get_choice_selector(pval, it);
--- openssl-1.0.2u/crypto/x509v3/v3_genn.c.cve-2020-1971 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/x509v3/v3_genn.c 2022-04-04 20:53:46.824739000 +0000
@@ -72,8 +72,9 @@
IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
ASN1_SEQUENCE(EDIPARTYNAME) = {
- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
+ /* DirectoryString is a CHOICE type so use explicit tagging */
+ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
+ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
} ASN1_SEQUENCE_END(EDIPARTYNAME)
IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
@@ -107,6 +108,37 @@
(char *)a);
}
+static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
+{
+ int res;
+
+ if (a == NULL || b == NULL) {
+ /*
+ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it
+ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here
+ */
+ return -1;
+ }
+ if (a->nameAssigner == NULL && b->nameAssigner != NULL)
+ return -1;
+ if (a->nameAssigner != NULL && b->nameAssigner == NULL)
+ return 1;
+ /* If we get here then both have nameAssigner set, or both unset */
+ if (a->nameAssigner != NULL) {
+ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
+ if (res != 0)
+ return res;
+ }
+ /*
+ * partyName is required, so these should never be NULL. We treat it in
+ * the same way as the a == NULL || b == NULL case above
+ */
+ if (a->partyName == NULL || b->partyName == NULL)
+ return -1;
+
+ return ASN1_STRING_cmp(a->partyName, b->partyName);
+}
+
/* Returns 0 if they are equal, != 0 otherwise. */
int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
{
@@ -116,8 +148,11 @@
return -1;
switch (a->type) {
case GEN_X400:
+ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ break;
+
case GEN_EDIPARTY:
- result = ASN1_TYPE_cmp(a->d.other, b->d.other);
+ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
break;
case GEN_OTHERNAME:
@@ -164,8 +199,11 @@
{
switch (type) {
case GEN_X400:
+ a->d.x400Address = value;
+ break;
+
case GEN_EDIPARTY:
- a->d.other = value;
+ a->d.ediPartyName = value;
break;
case GEN_OTHERNAME:
@@ -199,8 +237,10 @@
*ptype = a->type;
switch (a->type) {
case GEN_X400:
+ return a->d.x400Address;
+
case GEN_EDIPARTY:
- return a->d.other;
+ return a->d.ediPartyName;
case GEN_OTHERNAME:
return a->d.otherName;
--- openssl-1.0.2u/crypto/x509v3/v3nametest.c.cve-2020-1971 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/x509v3/v3nametest.c 2022-04-04 20:53:46.894736000 +0000
@@ -321,6 +321,356 @@
}
}
+struct gennamedata {
+ const unsigned char der[22];
+ size_t derlen;
+} gennames[] = {
+ {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * SEQUENCE {}
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x30, 0x00
+ },
+ 21
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * [APPLICATION 0] {}
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x60, 0x00
+ },
+ 21
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x61
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.2 }
+ * [0] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x02, 0xa0, 0x03, 0x0c, 0x01, 0x61
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * UTF8String { "b" }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x62
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * BOOLEAN { TRUE }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0xff
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * BOOLEAN { FALSE }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0x00
+ },
+ 22
+ }, {
+ /* [1 PRIMITIVE] { "a" } */
+ {
+ 0x81, 0x01, 0x61
+ },
+ 3
+ }, {
+ /* [1 PRIMITIVE] { "b" } */
+ {
+ 0x81, 0x01, 0x62
+ },
+ 3
+ }, {
+ /* [2 PRIMITIVE] { "a" } */
+ {
+ 0x82, 0x01, 0x61
+ },
+ 3
+ }, {
+ /* [2 PRIMITIVE] { "b" } */
+ {
+ 0x82, 0x01, 0x62
+ },
+ 3
+ }, {
+ /*
+ * [4] {
+ * SEQUENCE {
+ * SET {
+ * SEQUENCE {
+ * # commonName
+ * OBJECT_IDENTIFIER { 2.5.4.3 }
+ * UTF8String { "a" }
+ * }
+ * }
+ * }
+ * }
+ */
+ {
+ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x01, 0x61
+ },
+ 16
+ }, {
+ /*
+ * [4] {
+ * SEQUENCE {
+ * SET {
+ * SEQUENCE {
+ * # commonName
+ * OBJECT_IDENTIFIER { 2.5.4.3 }
+ * UTF8String { "b" }
+ * }
+ * }
+ * }
+ * }
+ */
+ {
+ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x01, 0x62
+ },
+ 16
+ }, {
+ /*
+ * [5] {
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x61
+ },
+ 7
+ }, {
+ /*
+ * [5] {
+ * [1] {
+ * UTF8String { "b" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x62
+ },
+ 7
+ }, {
+ /*
+ * [5] {
+ * [0] {
+ * UTF8String {}
+ * }
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x09, 0xa0, 0x02, 0x0c, 0x00, 0xa1, 0x03, 0x0c, 0x01, 0x61
+ },
+ 11
+ }, {
+ /*
+ * [5] {
+ * [0] {
+ * UTF8String { "a" }
+ * }
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x61, 0xa1, 0x03, 0x0c, 0x01,
+ 0x61
+ },
+ 12
+ }, {
+ /*
+ * [5] {
+ * [0] {
+ * UTF8String { "b" }
+ * }
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x62, 0xa1, 0x03, 0x0c, 0x01,
+ 0x61
+ },
+ 12
+ }, {
+ /* [6 PRIMITIVE] { "a" } */
+ {
+ 0x86, 0x01, 0x61
+ },
+ 3
+ }, {
+ /* [6 PRIMITIVE] { "b" } */
+ {
+ 0x86, 0x01, 0x62
+ },
+ 3
+ }, {
+ /* [7 PRIMITIVE] { `11111111` } */
+ {
+ 0x87, 0x04, 0x11, 0x11, 0x11, 0x11
+ },
+ 6
+ }, {
+ /* [7 PRIMITIVE] { `22222222`} */
+ {
+ 0x87, 0x04, 0x22, 0x22, 0x22, 0x22
+ },
+ 6
+ }, {
+ /* [7 PRIMITIVE] { `11111111111111111111111111111111` } */
+ {
+ 0x87, 0x10, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11
+ },
+ 18
+ }, {
+ /* [7 PRIMITIVE] { `22222222222222222222222222222222` } */
+ {
+ 0x87, 0x10, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22
+ },
+ 18
+ }, {
+ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.1 } */
+ {
+ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84,
+ 0xb7, 0x09, 0x02, 0x01
+ },
+ 15
+ }, {
+ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.2 } */
+ {
+ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84,
+ 0xb7, 0x09, 0x02, 0x02
+ },
+ 15
+ }
+};
+
+#define OSSL_NELEM(x) (sizeof(x)/sizeof((x)[0]))
+
+static int test_GENERAL_NAME_cmp(void)
+{
+ size_t i, j;
+ GENERAL_NAME **namesa = OPENSSL_malloc(sizeof(*namesa)
+ * OSSL_NELEM(gennames));
+ GENERAL_NAME **namesb = OPENSSL_malloc(sizeof(*namesb)
+ * OSSL_NELEM(gennames));
+ int testresult = 0;
+
+ if (namesa == NULL || namesb == NULL)
+ goto end;
+
+ for (i = 0; i < OSSL_NELEM(gennames); i++) {
+ const unsigned char *derp = gennames[i].der;
+
+ /*
+ * We create two versions of each GENERAL_NAME so that we ensure when
+ * we compare them they are always different pointers.
+ */
+ namesa[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen);
+ derp = gennames[i].der;
+ namesb[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen);
+ if (namesa[i] == NULL || namesb[i] == NULL)
+ goto end;
+ }
+
+ /* Every name should be equal to itself and not equal to any others. */
+ for (i = 0; i < OSSL_NELEM(gennames); i++) {
+ for (j = 0; j < OSSL_NELEM(gennames); j++) {
+ if (i == j) {
+ if (GENERAL_NAME_cmp(namesa[i], namesb[j]) != 0)
+ goto end;
+ } else {
+ if (GENERAL_NAME_cmp(namesa[i], namesb[j]) == 0)
+ goto end;
+ }
+ }
+ }
+ testresult = 1;
+
+ end:
+ for (i = 0; i < OSSL_NELEM(gennames); i++) {
+ if (namesa != NULL)
+ GENERAL_NAME_free(namesa[i]);
+ if (namesb != NULL)
+ GENERAL_NAME_free(namesb[i]);
+ }
+ OPENSSL_free(namesa);
+ OPENSSL_free(namesb);
+
+ if (!testresult)
+ fprintf(stderr, "test of GENERAL_NAME_cmp failed\n");
+
+ return testresult;
+}
+
+
+
int main(void)
{
const struct set_name_fn *pfn = name_fns;
@@ -342,5 +692,8 @@
}
++pfn;
}
+
+ errors += !test_GENERAL_NAME_cmp();
+
return errors > 0 ? 1 : 0;
}

94
openssl/src/openssl-1.0.2u-cve-2021-23840.patch Normal file
View File

@ -0,0 +1,94 @@
--- openssl-1.0.2u/crypto/evp/evp_enc.c.cve-2021-23840 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/evp/evp_enc.c 2022-04-04 21:29:34.804011000 +0000
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -357,6 +358,18 @@
return 1;
} else {
j = bl - i;
+ /*
+ * Once we've processed the first j bytes from in, the amount of
+ * data left that is a multiple of the block length is:
+ * (inl - j) & ~(bl - 1)
+ * We must ensure that this amount of data, plus the one block that
+ * we process from ctx->buf does not exceed INT_MAX
+ */
+ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
+ EVPerr(EVP_F_EVP_ENCRYPTUPDATE,
+ EVP_R_OUTPUT_WOULD_OVERFLOW);
+ return 0;
+ }
memcpy(&(ctx->buf[i]), in, j);
if (!M_do_cipher(ctx, out, ctx->buf, bl))
return 0;
@@ -482,6 +495,19 @@
OPENSSL_assert(b <= sizeof(ctx->final));
if (ctx->final_used) {
+ /*
+ * final_used is only ever set if buf_len is 0. Therefore the maximum
+ * length output we will ever see from evp_EncryptDecryptUpdate is
+ * the maximum multiple of the block length that is <= inl, or just:
+ * inl & ~(b - 1)
+ * Since final_used has been set then the final output length is:
+ * (inl & ~(b - 1)) + b
+ * This must never exceed INT_MAX
+ */
+ if ((inl & ~(b - 1)) > INT_MAX - b) {
+ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
+ return 0;
+ }
memcpy(out, ctx->final, b);
out += b;
fix_len = 1;
--- openssl-1.0.2u/crypto/evp/evp_err.c.cve-2021-23840 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/evp/evp_err.c 2022-04-04 21:29:34.874013000 +0000
@@ -1,6 +1,6 @@
/* crypto/evp/evp_err.c */
/* ====================================================================
- * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2021 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -94,6 +94,8 @@
{ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
{ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
{ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
+ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
{ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
@@ -215,6 +217,8 @@
{ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
"operation not supported for this keytype"},
{ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"},
+ {ERR_REASON(EVP_R_OUTPUT_WOULD_OVERFLOW),
+ "output would overflow"},
{ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),
"pkcs8 unknown broken type"},
{ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"},
--- openssl-1.0.2u/crypto/evp/evp.h.cve-2021-23840 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/evp/evp.h 2022-04-04 21:30:38.124534000 +0000
@@ -1,5 +1,5 @@
/* crypto/evp/evp.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-2021 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
@@ -1602,6 +1602,7 @@
# define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
# define EVP_R_OPERATON_NOT_INITIALIZED 151
+# define EVP_R_OUTPUT_WOULD_OVERFLOW 184
# define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117
# define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
# define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146

11
openssl/src/openssl-1.0.2u-cve-2021-23841.patch Normal file
View File

@ -0,0 +1,11 @@
--- openssl-1.0.2u/crypto/x509/x509_cmp.c.cve-2021-23841 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/x509/x509_cmp.c 2022-04-04 20:58:23.996994000 +0000
@@ -87,6 +87,8 @@
EVP_MD_CTX_init(&ctx);
f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
+ if (f == NULL)
+ goto err;
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
goto err;
if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f)))

298
openssl/src/openssl-1.0.2u-cve-2021-3712.patch Normal file
View File

@ -0,0 +1,298 @@
--- openssl-1.0.2u/crypto/asn1/t_spki.c.cve-2021-3712 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/asn1/t_spki.c 2022-04-04 20:59:04.817330000 +0000
@@ -90,7 +90,7 @@
}
chal = spki->spkac->challenge;
if (chal->length)
- BIO_printf(out, " Challenge String: %s\n", chal->data);
+ BIO_printf(out, " Challenge String: %.*s\n", chal->length, chal->data);
i = OBJ_obj2nid(spki->sig_algor->algorithm);
BIO_printf(out, " Signature Algorithm: %s",
(i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
--- openssl-1.0.2u/crypto/ec/ec_asn1.c.cve-2021-3712 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/ec/ec_asn1.c 2022-04-04 20:59:04.967334000 +0000
@@ -867,7 +867,10 @@
ret->seed_len = params->curve->seed->length;
}
- if (!params->order || !params->base || !params->base->data) {
+ if (params->order == NULL
+ || params->base == NULL
+ || params->base->data == NULL
+ || params->base->length == 0) {
ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
goto err;
}
--- openssl-1.0.2u/crypto/x509v3/v3_cpols.c.cve-2021-3712 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/x509v3/v3_cpols.c 2022-04-04 20:59:05.187339000 +0000
@@ -423,7 +423,8 @@
qualinfo = sk_POLICYQUALINFO_value(quals, i);
switch (OBJ_obj2nid(qualinfo->pqualid)) {
case NID_id_qt_cps:
- BIO_printf(out, "%*sCPS: %s\n", indent, "",
+ BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
+ qualinfo->d.cpsuri->length,
qualinfo->d.cpsuri->data);
break;
@@ -448,7 +449,8 @@
if (notice->noticeref) {
NOTICEREF *ref;
ref = notice->noticeref;
- BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+ BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
+ ref->organization->length,
ref->organization->data);
BIO_printf(out, "%*sNumber%s: ", indent, "",
sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
@@ -471,7 +473,8 @@
BIO_puts(out, "\n");
}
if (notice->exptext)
- BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
+ BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
+ notice->exptext->length,
notice->exptext->data);
}
--- openssl-1.0.2u/crypto/x509v3/v3_ncons.c.cve-2021-3712 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/x509v3/v3_ncons.c 2022-04-04 21:09:06.382040000 +0000
@@ -148,6 +148,27 @@
return ia5ncasecmp(s1, s2, (size_t)(-1));
}
+#define IA5_OFFSET_LEN(ia5base, offset) \
+ ((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data))
+
+/* Like memchr but for ASN1_IA5STRING. Additionally you can specify the
+ * starting point to search from
+ */
+# define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start))
+
+/* Like memrrchr but for ASN1_IA5STRING */
+static char *ia5memrchr(ASN1_IA5STRING *str, int c)
+{
+ int i;
+
+ for (i = str->length; i > 0 && str->data[i - 1] != c; i--);
+
+ if (i == 0)
+ return NULL;
+
+ return (char *)&str->data[i - 1];
+}
+
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
@@ -413,8 +434,12 @@
char *baseptr = (char *)base->data;
char *dnsptr = (char *)dns->data;
/* Empty matches everything */
- if (!*baseptr)
+ if (base->length == 0)
return X509_V_OK;
+
+ if (dns->length < base->length)
+ return X509_V_ERR_PERMITTED_VIOLATION;
+
/*
* Otherwise can add zero or more components on the left so compare RHS
* and if dns is longer and expect '.' as preceding character.
@@ -425,7 +450,7 @@
return X509_V_ERR_PERMITTED_VIOLATION;
}
- if (ia5casecmp(baseptr, dnsptr))
+ if (ia5ncasecmp(baseptr, dnsptr, base->length))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -436,16 +461,17 @@
{
const char *baseptr = (char *)base->data;
const char *emlptr = (char *)eml->data;
+ const char *baseat = ia5memrchr(base, '@');
+ const char *emlat = ia5memrchr(eml, '@');
+ size_t basehostlen, emlhostlen;
- const char *baseat = strchr(baseptr, '@');
- const char *emlat = strchr(emlptr, '@');
if (!emlat)
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Special case: inital '.' is RHS match */
- if (!baseat && (*baseptr == '.')) {
+ if (!baseat && base->length > 0 && (*baseptr == '.')) {
if (eml->length > base->length) {
emlptr += eml->length - base->length;
- if (ia5casecmp(baseptr, emlptr) == 0)
+ if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)
return X509_V_OK;
}
return X509_V_ERR_PERMITTED_VIOLATION;
@@ -465,8 +491,10 @@
baseptr = baseat + 1;
}
emlptr = emlat + 1;
+ basehostlen = IA5_OFFSET_LEN(base, baseptr);
+ emlhostlen = IA5_OFFSET_LEN(eml, emlptr);
/* Just have hostname left to match: case insensitive */
- if (ia5casecmp(baseptr, emlptr))
+ if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -477,10 +505,13 @@
{
const char *baseptr = (char *)base->data;
const char *hostptr = (char *)uri->data;
- const char *p = strchr(hostptr, ':');
+ const char *p = ia5memchr(uri, (char *)uri->data, ':');
int hostlen;
/* Check for foo:// and skip past it */
- if (!p || (p[1] != '/') || (p[2] != '/'))
+ if (p == NULL
+ || IA5_OFFSET_LEN(uri, p) < 3
+ || p[1] != '/'
+ || p[2] != '/')
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
hostptr = p + 3;
@@ -488,10 +519,10 @@
/* Look for a port indicator as end of hostname first */
- p = strchr(hostptr, ':');
+ p = ia5memchr(uri, hostptr, ':');
/* Otherwise look for trailing slash */
- if (!p)
- p = strchr(hostptr, '/');
+ if (p == NULL)
+ p = ia5memchr(uri, hostptr, '/');
if (!p)
hostlen = strlen(hostptr);
@@ -502,7 +533,7 @@
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Special case: inital '.' is RHS match */
- if (*baseptr == '.') {
+ if (base->length > 0 && *baseptr == '.') {
if (hostlen > base->length) {
p = hostptr + hostlen - base->length;
if (ia5ncasecmp(p, baseptr, base->length) == 0)
--- openssl-1.0.2u/crypto/x509v3/v3_pci.c.cve-2021-3712 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/x509v3/v3_pci.c 2022-04-04 20:59:05.377335000 +0000
@@ -68,7 +68,8 @@
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
BIO_puts(out, "\n");
if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+ BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
+ pci->proxyPolicy->policy->length,
pci->proxyPolicy->policy->data);
return 1;
}
--- openssl-1.0.2u/crypto/x509v3/v3_utl.c.cve-2021-3712 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/x509v3/v3_utl.c 2022-04-04 20:59:05.447340000 +0000
@@ -609,17 +609,26 @@
/* First some sanity checks */
if (email->type != V_ASN1_IA5STRING)
return 1;
- if (!email->data || !email->length)
+ if (email->data == NULL || email->length == 0)
+ return 1;
+ if (memchr(email->data, 0, email->length) != NULL)
return 1;
if (!*sk)
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
if (!*sk)
return 0;
+
+ emtmp = OPENSSL_strndup((char *)email->data, email->length);
+ if (emtmp == NULL)
+ return 0;
+
/* Don't add duplicates */
- if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
+ if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
+ OPENSSL_free(emtmp);
return 1;
- emtmp = BUF_strdup((char *)email->data);
- if (!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
+ }
+ if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
+ OPENSSL_free(emtmp); /* free on push failure */
X509_email_free(*sk);
*sk = NULL;
return 0;
--- openssl-1.0.2u/crypto/crypto.h.cve-2021-3712 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/crypto.h 2022-04-04 20:59:04.887339000 +0000
@@ -380,6 +380,8 @@
# define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__)
# define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__)
+# define OPENSSL_strndup(str, n) \
+ CRYPTO_strndup((str), n, __FILE__, __LINE__)
# define OPENSSL_realloc(addr,num) \
CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
# define OPENSSL_realloc_clean(addr,old_num,num) \
@@ -393,6 +395,8 @@
CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
# define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)
+size_t OPENSSL_strnlen(const char *str, size_t maxlen);
+
const char *SSLeay_version(int type);
unsigned long SSLeay(void);
@@ -533,6 +537,7 @@
void CRYPTO_free_locked(void *ptr);
void *CRYPTO_malloc(int num, const char *file, int line);
char *CRYPTO_strdup(const char *str, const char *file, int line);
+char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line);
void CRYPTO_free(void *ptr);
void *CRYPTO_realloc(void *addr, int num, const char *file, int line);
void *CRYPTO_realloc_clean(void *addr, int old_num, int num, const char *file,
--- openssl-1.0.2u/crypto/mem.c.cve-2021-3712 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/mem.c 2022-04-04 20:59:05.037333000 +0000
@@ -364,6 +364,24 @@
return ret;
}
+char *CRYPTO_strndup(const char *str, size_t s, const char* file, int line)
+{
+ size_t maxlen;
+ char *ret;
+
+ if (str == NULL)
+ return NULL;
+
+ maxlen = OPENSSL_strnlen(str, s);
+
+ ret = CRYPTO_malloc(maxlen + 1, file, line);
+ if (ret) {
+ memcpy(ret, str, maxlen);
+ ret[maxlen] = '\0';
+ }
+ return ret;
+}
+
void *CRYPTO_realloc(void *str, int num, const char *file, int line)
{
void *ret = NULL;
--- openssl-1.0.2u/crypto/o_str.c.cve-2021-3712 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/o_str.c 2022-04-04 20:59:05.107331000 +0000
@@ -114,3 +114,12 @@
return ret;
}
+
+size_t OPENSSL_strnlen(const char *str, size_t maxlen)
+{
+ const char *p;
+
+ for (p = str; maxlen-- != 0 && *p != '\0'; ++p) ;
+
+ return p - str;
+}

47
openssl/src/openssl-1.0.2u-cve-2022-0778.patch Normal file
View File

@ -0,0 +1,47 @@
--- openssl-1.0.2u/crypto/bn/bn_sqrt.c.cve-2022-0778 2019-12-20 14:02:41.000000000 +0000
+++ openssl-1.0.2u/crypto/bn/bn_sqrt.c 2022-04-04 21:09:50.952408000 +0000
@@ -64,7 +64,8 @@
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
@@ -350,18 +351,23 @@
goto vrfy;
}
- /* find smallest i such that b^(2^i) = 1 */
- i = 1;
- if (!BN_mod_sqr(t, b, p, ctx))
- goto end;
- while (!BN_is_one(t)) {
- i++;
- if (i == e) {
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
- goto end;
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+ for (i = 1; i < e; i++) {
+ if (i == 1) {
+ if (!BN_mod_sqr(t, b, p, ctx))
+ goto end;
+
+ } else {
+ if (!BN_mod_mul(t, t, t, p, ctx))
+ goto end;
}
- if (!BN_mod_mul(t, t, t, p, ctx))
- goto end;
+ if (BN_is_one(t))
+ break;
+ }
+ /* If not found, a is not a square or p is not prime. */
+ if (i >= e) {
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+ goto end;
}
/* t := y^2^(e - i - 1) */