1. photon
  2. Commit 7f4c42b40b295ceb3e341909d0bc44a615beb8ed
Browse code

openssl: add openssl-libs subpackage

Modify docker image creation script accordingly and tweak the specs to
use openssl-libs

Change-Id: I0c279d399e74f65ca7f130bb9fff900ed15016c6
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/19933
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Tapas Kundu <tkundu@vmware.com>

Shreenidhi Shedi authored on 2023/03/07 00:50:47
Showing 33 changed files
SPECS/ca-certificates/ca-certificates.spec
History View file @ 7f4c42b
... ... 
@@ -1,22 +1,22 @@
1 
-Summary:             Certificate Authority certificates
2 
-Name:                ca-certificates
3 
-Version:             20220706
4 
-Release:             1%{?dist}
5 
-License:             Custom
6 
-URL:                 http://anduin.linuxfromscratch.org/BLFS/other/
7 
-Group:               System Environment/Security
8 
-Vendor:              VMware, Inc.
9 
-Distribution:        Photon
1 
+Summary:        Certificate Authority certificates
2 
+Name:           ca-certificates
3 
+Version:        20220706
4 
+Release:        2%{?dist}
5 
+License:        Custom
6 
+URL:            http://anduin.linuxfromscratch.org/BLFS/other
7 
+Group:          System Environment/Security
8 
+Vendor:         VMware, Inc.
9 
+Distribution:   Photon
10 10
11 
-Source0:             certdata.txt
11 
+Source0: certdata.txt
12 12
13 
-Requires:            openssl
14 
-Requires:            ca-certificates-pki = %{version}-%{release}
13 
+Requires: openssl-libs
14 
+Requires: ca-certificates-pki = %{version}-%{release}
15 15 
 Requires(posttrans): /usr/bin/ln
16 16
17 
-BuildRequires:       openssl
17 
+BuildRequires: openssl
18 18
19 
-Provides:            ca-certificates-mozilla
19 
+Provides: ca-certificates-mozilla = %{version}-%{release}
20 20
21 21 
 %description
22 22 
 The Public Key Inrastructure is used for many security issues in a
... ... 
@@ -241,6 +241,7 @@ done
241 241 
 exit 0
242 242
243 243 
 %clean
244 
+rm -rf %{buildroot}
244 245
245 246 
 %files
246 247 
 %defattr(-,root,root)
... ... 
@@ -254,6 +255,8 @@ exit 0
254 254 
 %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
255 255
256 256 
 %changelog
257 
+* Wed Mar 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 20220706-2
258 
+- Require openssl-libs
257 259 
 * Mon Jul 11 2022 Gerrit Photon <photon-checkins@vmware.com> 20220706-1
258 260 
 - Automatic Version Bump
259 261 
 * Wed Feb 23 2022 Shreenidhi Shedi <sshedi@vmware.com> 20210429-2
SPECS/curl/curl.spec
History View file @ 7f4c42b
... ... 
@@ -1,23 +1,26 @@
1 1 
 Summary:        An URL retrieval utility and library
2 2 
 Name:           curl
3 3 
 Version:        7.86.0
4 
-Release:        2%{?dist}
4 
+Release:        3%{?dist}
5 5 
 License:        MIT
6 6 
 URL:            http://curl.haxx.se
7 7 
 Group:          System Environment/NetworkingLibraries
8 8 
 Vendor:         VMware, Inc.
9 9 
 Distribution:   Photon
10 
-Source0:        http://curl.haxx.se/download/%{name}-%{version}.tar.gz
11 
-%define sha512  curl=b2d30b4d145a3621862a0f5e6378b5099ba92f4be6e92f4e070ec1299fc5eacba851bf993efd613b366fb81642f3f5cccb6e02adcd472dccc9c5e65c1a51812c
10 
+
11 
+Source0: http://curl.haxx.se/download/%{name}-%{version}.tar.gz
12 
+%define sha512 %{name}=b2d30b4d145a3621862a0f5e6378b5099ba92f4be6e92f4e070ec1299fc5eacba851bf993efd613b366fb81642f3f5cccb6e02adcd472dccc9c5e65c1a51812c
13 
+
12 14 
 BuildRequires:  ca-certificates
13 15 
 BuildRequires:  openssl-devel
14 16 
 BuildRequires:  krb5-devel
15 17 
 BuildRequires:  libssh2-devel
18 
+
16 19 
 Requires:       ca-certificates
17 
-Requires:       openssl
20 
+Requires:       openssl-libs
18 21 
 Requires:       krb5
19 22 
 Requires:       libssh2
20 
-Requires:       curl-libs = %{version}-%{release}
23 
+Requires:       %{name}-libs = %{version}-%{release}
21 24
22 25 
 %description
23 26 
 The cURL package contains an utility and a library used for
... ... 
@@ -55,14 +58,13 @@ This package contains minimal set of shared curl libraries.
55 55 
     --with-ssl \
56 56 
     --with-gssapi \
57 57 
     --with-libssh2 \
58 
-    --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt
59 
-make %{?_smp_mflags}
58 
+    --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt
59 
+
60 
+%make_build
60 61
61 62 
 %install
62 
-[ %{buildroot} != "/"] && rm -rf %{buildroot}/*
63 
-%make_install
63 
+%make_install %{?_smp_mflags}
64 64 
 install -v -d -m755 %{buildroot}/%{_docdir}/%{name}-%{version}
65 
-find %{buildroot}/%{_libdir} -name '*.la' -delete
66 65 
 %{_fixperms} %{buildroot}/*
67 66
68 67 
 %check
... ... 
@@ -89,9 +91,12 @@ rm -rf %{buildroot}/*
89 89 
 %{_docdir}/%{name}-%{version}
90 90
91 91 
 %files libs
92 
+%defattr(-,root,root)
92 93 
 %{_libdir}/libcurl.so.*
93 94
94 95 
 %changelog
96 
+* Wed Mar 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 7.86.0-3
97 
+- Require openssl-libs
95 98 
 * Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 7.86.0-2
96 99 
 - Bump version as a part of krb5 upgrade
97 100 
 * Fri Oct 28 2022 Gerrit Photon <photon-checkins@vmware.com> 7.86.0-1
SPECS/krb5/krb5.spec
History View file @ 7f4c42b
... ... 
@@ -1,19 +1,23 @@
1 1 
 Summary:        The Kerberos newtork authentication system
2 2 
 Name:           krb5
3 3 
 Version:        1.20.1
4 
-Release:        2%{?dist}
4 
+Release:        3%{?dist}
5 5 
 License:        MIT
6 
-URL:            http://web.mit.edu/kerberos/
6 
+URL:            http://web.mit.edu/kerberos
7 7 
 Group:          System Environment/Security
8 8 
 Vendor:         VMware, Inc.
9 9 
 Distribution:   Photon
10 
-Source0:        http://web.mit.edu/kerberos/www/dist/%{name}/1.17/%{name}-%{version}.tar.gz
11 
-%define sha512  %{name}=6f57479f13f107cd84f30de5c758eb6b9fc59171329c13e5da6073b806755f8d163eb7bd84767ea861ad6458ea0c9eeb00ee044d3bcad01ef136e9888564b6a2
12 
-Requires:       openssl
10 
+
11 
+Source0: http://web.mit.edu/kerberos/www/dist/%{name}/1.17/%{name}-%{version}.tar.gz
12 
+%define sha512 %{name}=6f57479f13f107cd84f30de5c758eb6b9fc59171329c13e5da6073b806755f8d163eb7bd84767ea861ad6458ea0c9eeb00ee044d3bcad01ef136e9888564b6a2
13 
+
14 
+Requires:       openssl-libs
13 15 
 Requires:       e2fsprogs-libs
16 
+
14 17 
 BuildRequires:  bison
15 18 
 BuildRequires:  openssl-devel
16 19 
 BuildRequires:  e2fsprogs-devel
20 
+
17 21 
 Provides:       pkgconfig(mit-krb5)
18 22 
 Provides:       pkgconfig(mit-krb5-gssapi)
19 23
... ... 
@@ -121,49 +125,51 @@ rm -rf %{buildroot}/*
121 121 
 %{_datarootdir}/locale/*
122 122
123 123 
 %changelog
124 
-*   Mon Feb 20 2023 Tapas Kundu <tkundu@vmware.com> 1.20.1-2
125 
--   Add Bison in buildrequires
126 
-*   Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 1.20.1-1
127 
--   Upgrade to version 1.20.1
128 
-*   Fri Sep 17 2021 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.17.2-2
129 
--   Bump up release for openssl
130 
-*   Tue Apr 13 2021 Gerrit Photon <photon-checkins@vmware.com> 1.17.2-1
131 
--   Downgrade to 1.17 since PMD RPC call getting failed.
132 
-*   Tue Apr 13 2021 Gerrit Photon <photon-checkins@vmware.com> 1.18.3-1
133 
--   Automatic Version Bump
134 
-*   Mon Nov 02 2020 Tapas Kundu <tkundu@vmware.com> 1.17-4
135 
--   Fix krb5 build.
136 
-*   Thu Oct 29 2020 Shreyas B. <shreyasb@vmware.com> 1.17-3
137 
--   krb5 v1.18.2 is not stable, creating panic for PMD-Client, so downgrading to v1.17.
138 
-*   Thu Oct 01 2020 Gerrit Photon <photon-checkins@vmware.com> 1.18.2-1
139 
--   Automatic Version Bump
140 
-*   Tue Sep 29 2020 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.17-3
141 
--   openssl 1.1.1
142 
-*   Fri Nov 01 2019 Alexey Makhalov <amakhalov@vmware.com> 1.17-2
143 
--   Cross compilation support
144 
-*   Thu Oct 03 2019 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.17-1
145 
--   Update to version 1.17
146 
-*   Fri Sep 14 2018 Ankit Jain <ankitja@vmware.com> 1.16.1-1
147 
--   Update to version 1.16.1
148 
-*   Wed Dec 13 2017 Xiaolin Li <xiaolinl@vmware.com> 1.16-1
149 
--   Update to version 1.16 to address CVE-2017-15088
150 
-*   Thu Sep 28 2017 Xiaolin Li <xiaolinl@vmware.com> 1.15.2-1
151 
--   Update to version 1.15.2
152 
-*   Mon Jul 10 2017 Alexey Makhalov <amakhalov@vmware.com> 1.15.1-2
153 
--   Fix make check: add /etc/hosts entry, deactivate parallel check
154 
-*   Mon Apr 03 2017 Divya Thaluru <dthaluru@vmware.com> 1.15.1-1
155 
--   Updated to version 1.51.1
156 
-*   Wed Nov 23 2016 Alexey Makhalov <amakhalov@vmware.com> 1.14-6
157 
--   Added -lang and -devel subpackages
158 
-*   Wed Nov 16 2016 Alexey Makhalov <amakhalov@vmware.com> 1.14-5
159 
--   Use e2fsprogs-libs as runtime deps
160 
-*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.14-4
161 
--   GA - Bump release of all rpms
162 
-*   Mon Mar 21 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com>  1.14-3
163 
--   Add patch to never unload gssapi mechanisms
164 
-*   Fri Mar 18 2016 Anish Swaminathan <anishs@vmware.com>  1.14-2
165 
--   Add patch for skipping unnecessary mech calls in gss_inquire_cred
166 
-*   Thu Jan 21 2016 Anish Swaminathan <anishs@vmware.com> 1.14-1
167 
--   Upgrade version
168 
-*   Tue Oct 07 2014 Divya Thaluru <dthaluru@vmware.com> 1.12.2-1
169 
--   Initial build. First version
124 
+* Wed Mar 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 1.20.1-3
125 
+- Require openssl-libs
126 
+* Mon Feb 20 2023 Tapas Kundu <tkundu@vmware.com> 1.20.1-2
127 
+- Add Bison in buildrequires
128 
+* Thu Jan 26 2023 Ashwin Dayanand Kamat <kashwindayan@vmware.com> 1.20.1-1
129 
+- Upgrade to version 1.20.1
130 
+* Fri Sep 17 2021 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.17.2-2
131 
+- Bump up release for openssl
132 
+* Tue Apr 13 2021 Gerrit Photon <photon-checkins@vmware.com> 1.17.2-1
133 
+- Downgrade to 1.17 since PMD RPC call getting failed.
134 
+* Tue Apr 13 2021 Gerrit Photon <photon-checkins@vmware.com> 1.18.3-1
135 
+- Automatic Version Bump
136 
+* Mon Nov 02 2020 Tapas Kundu <tkundu@vmware.com> 1.17-4
137 
+- Fix krb5 build.
138 
+* Thu Oct 29 2020 Shreyas B. <shreyasb@vmware.com> 1.17-3
139 
+- krb5 v1.18.2 is not stable, creating panic for PMD-Client, so downgrading to v1.17.
140 
+* Thu Oct 01 2020 Gerrit Photon <photon-checkins@vmware.com> 1.18.2-1
141 
+- Automatic Version Bump
142 
+* Tue Sep 29 2020 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.17-3
143 
+- openssl 1.1.1
144 
+* Fri Nov 01 2019 Alexey Makhalov <amakhalov@vmware.com> 1.17-2
145 
+- Cross compilation support
146 
+* Thu Oct 03 2019 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.17-1
147 
+- Update to version 1.17
148 
+* Fri Sep 14 2018 Ankit Jain <ankitja@vmware.com> 1.16.1-1
149 
+- Update to version 1.16.1
150 
+* Wed Dec 13 2017 Xiaolin Li <xiaolinl@vmware.com> 1.16-1
151 
+- Update to version 1.16 to address CVE-2017-15088
152 
+* Thu Sep 28 2017 Xiaolin Li <xiaolinl@vmware.com> 1.15.2-1
153 
+- Update to version 1.15.2
154 
+* Mon Jul 10 2017 Alexey Makhalov <amakhalov@vmware.com> 1.15.1-2
155 
+- Fix make check: add /etc/hosts entry, deactivate parallel check
156 
+* Mon Apr 03 2017 Divya Thaluru <dthaluru@vmware.com> 1.15.1-1
157 
+- Updated to version 1.51.1
158 
+* Wed Nov 23 2016 Alexey Makhalov <amakhalov@vmware.com> 1.14-6
159 
+- Added -lang and -devel subpackages
160 
+* Wed Nov 16 2016 Alexey Makhalov <amakhalov@vmware.com> 1.14-5
161 
+- Use e2fsprogs-libs as runtime deps
162 
+* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.14-4
163 
+- GA - Bump release of all rpms
164 
+* Mon Mar 21 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com>  1.14-3
165 
+- Add patch to never unload gssapi mechanisms
166 
+* Fri Mar 18 2016 Anish Swaminathan <anishs@vmware.com>  1.14-2
167 
+- Add patch for skipping unnecessary mech calls in gss_inquire_cred
168 
+* Thu Jan 21 2016 Anish Swaminathan <anishs@vmware.com> 1.14-1
169 
+- Upgrade version
170 
+* Tue Oct 07 2014 Divya Thaluru <dthaluru@vmware.com> 1.12.2-1
171 
+- Initial build. First version
SPECS/libssh2/libssh2.spec
History View file @ 7f4c42b
... ... 
@@ -1,18 +1,21 @@
1 1 
 Summary:        libssh2 is a library implementing the SSH2 protocol.
2 2 
 Name:           libssh2
3 3 
 Version:        1.10.0
4 
-Release:        1%{?dist}
4 
+Release:        2%{?dist}
5 5 
 License:        BSD
6 
-URL:            https://www.libssh2.org/
6 
+URL:            https://www.libssh2.org
7 7 
 Group:          System Environment/NetworkingLibraries
8 8 
 Vendor:         VMware, Inc.
9 9 
 Distribution:   Photon
10 
-Source0:        https://www.libssh2.org/download/libssh2-%{version}.tar.gz
10 
+
11 
+Source0: https://www.libssh2.org/download/libssh2-%{version}.tar.gz
11 12 
 %define sha512  libssh2=e064ee1089eb8e6cd5fa2617f4fd8ff56c2721c5476775a98bdb68c6c4ee4d05c706c3bb0eb479a27a8ec0b17a8a5ef43e1d028ad3f134519aa582d3981a3a30
13 
+
12 14 
 BuildRequires:  openssl-devel
13 15 
 BuildRequires:  zlib-devel
14 16 
 BuildRequires:  pkg-config
15 
-Requires:       openssl
17 
+
18 
+Requires:       openssl-libs
16 19 
 Requires:       zlib
17 20
18 21 
 %description
... ... 
@@ -21,7 +24,7 @@ libssh2 is a client-side C library implementing the SSH2 protocol.
21 21 
 %package        devel
22 22 
 Summary:        Header files for libssh2
23 23 
 Group:          System Environment/NetworkingLibraries
24 
-Requires:       libssh2
24 
+Requires:       %{name} = %{version}-%{release}
25 25
26 26 
 %description    devel
27 27 
 These are the header files of libssh2.
... ... 
@@ -39,11 +42,11 @@ fi
39 39 
     --disable-static \
40 40 
     --enable-shared \
41 41 
     $PREFIXES
42 
-make %{?_smp_mflags}
42 
+
43 
+%make_build
43 44
44 45 
 %install
45 
-make DESTDIR=%{buildroot} install %{?_smp_mflags}
46 
-find %{buildroot} -name '*.la' -exec rm -f {} ';'
46 
+%make_install %{?_smp_mflags}
47 47
48 48 
 %files
49 49 
 %defattr(-,root,root)
... ... 
@@ -57,19 +60,21 @@ find %{buildroot} -name '*.la' -exec rm -f {} ';'
57 57 
 %{_mandir}/man3/*
58 58
59 59 
 %changelog
60 
-*   Thu Apr 21 2022 Gerrit Photon <photon-checkins@vmware.com> 1.10.0-1
61 
--   Automatic Version Bump
62 
-*   Wed Aug 04 2021 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.9.0-4
63 
--   Bump up release for openssl
64 
-*   Tue Dec 15 2020 Shreenidhi Shedi <sshedi@vmware.com> 1.9.0-3
65 
--   Fix build with new rpm
66 
-*   Tue Sep 29 2020 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.9.0-2
67 
--   openssl 1.1.1
68 
-*   Mon Mar 16 2020 Sujay G <gsujay@vmware.com> 1.9.0-1
69 
--   Bump version to 1.9.0 and add patch to fix CVE-2019-17498
70 
-*   Wed Jul 03 2019 Alexey Makhalov <amakhalov@vmware.com> 1.8.0-3
71 
--   Cross compilation support
72 
-*   Thu Mar 28 2019 Tapas Kundu <tkundu@vmware.com> 1.8.0-2
73 
--   Fix for CVE-2019-3855
74 
-*   Wed Nov 30 2016 Xiaolin Li <xiaolinl@vmware.com> 1.8.0-1
75 
--   Add libssh2 1.8.0 package.
60 
+* Wed Mar 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 1.10.0-2
61 
+- Require openssl-libs
62 
+* Thu Apr 21 2022 Gerrit Photon <photon-checkins@vmware.com> 1.10.0-1
63 
+- Automatic Version Bump
64 
+* Wed Aug 04 2021 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.9.0-4
65 
+- Bump up release for openssl
66 
+* Tue Dec 15 2020 Shreenidhi Shedi <sshedi@vmware.com> 1.9.0-3
67 
+- Fix build with new rpm
68 
+* Tue Sep 29 2020 Satya Naga Vasamsetty <svasamsetty@vmware.com> 1.9.0-2
69 
+- openssl 1.1.1
70 
+* Mon Mar 16 2020 Sujay G <gsujay@vmware.com> 1.9.0-1
71 
+- Bump version to 1.9.0 and add patch to fix CVE-2019-17498
72 
+* Wed Jul 03 2019 Alexey Makhalov <amakhalov@vmware.com> 1.8.0-3
73 
+- Cross compilation support
74 
+* Thu Mar 28 2019 Tapas Kundu <tkundu@vmware.com> 1.8.0-2
75 
+- Fix for CVE-2019-3855
76 
+* Wed Nov 30 2016 Xiaolin Li <xiaolinl@vmware.com> 1.8.0-1
77 
+- Add libssh2 1.8.0 package.
SPECS/openssl/0001-x509-fix-double-locking-problem.patch
History View file @ 7f4c42b
76 78 
deleted file mode 100644
... ... 
@@ -1,39 +0,0 @@
1 
-From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
2 
-From: Pauli <pauli@openssl.org>
3 
-Date: Fri, 11 Nov 2022 09:40:19 +1100
4 
-Subject: [PATCH] x509: fix double locking problem
5 
-
6 
-This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
7 
-redundant flag setting.
8 
-
9 
-Fixes #19643
10 
-
11 
-Fixes LOW CVE-2022-3996
12 
-
13 
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
14 
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
15 
-(Merged from https://github.com/openssl/openssl/pull/19652)
16 
-
17 
-(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
18 
- crypto/x509/pcy_map.c | 4 ----
19 
- 1 file changed, 4 deletions(-)
20 
-
21 
-diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c
22 
-index 05406c6493..60dfd1e320 100644
23 
-+++ b/crypto/x509/pcy_map.c
24 
-@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
25 
-
26 
-     ret = 1;
27 
-  bad_mapping:
28 
--    if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
29 
--        x->ex_flags |= EXFLAG_INVALID_POLICY;
30 
--        CRYPTO_THREAD_unlock(x->lock);
31 
--    }
32 
-     sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
33 
-     return ret;
34 
-
35 
-2.23.3
36 
-
SPECS/openssl/CVE/0215/0001-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
History View file @ 7f4c42b
37 1 
deleted file mode 100644
... ... 
@@ -1,108 +0,0 @@
1 
-From a1447d7e8c0b734c5662eb3e8a215bf1c7499c89 Mon Sep 17 00:00:00 2001
2 
-From: Matt Caswell <matt@openssl.org>
3 
-Date: Wed, 14 Dec 2022 16:18:14 +0000
4 
-Subject: [PATCH 1/4] Fix a UAF resulting from a bug in BIO_new_NDEF
5 
-
6 
-If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
7 
-be part of an invalid BIO chain. This causes a "use after free" when the
8 
-BIO is eventually freed.
9 
-
10 
-Based on an original patch by Viktor Dukhovni.
11 
-
12 
-Thanks to Octavio Galland for reporting this issue.
13 
- crypto/asn1/bio_ndef.c | 52 +++++++++++++++++++++++++-----------------
14 
- 1 file changed, 31 insertions(+), 21 deletions(-)
15 
-
16 
-diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
17 
-index d94e3a3644..434fd35d61 100644
18 
-+++ b/crypto/asn1/bio_ndef.c
19 
-@@ -49,7 +49,12 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
20 
- static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
21 
-                             void *parg);
22 
-
23 
--/* unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() */
24 
-+/*
25 
-+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
26 
-+ * On failure, NULL is returned and the input BIO is owned by the caller.
27 
-+ *
28 
-+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
29 
-+ */
30 
- BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
31 
- {
32 
-     NDEF_SUPPORT *ndef_aux = NULL;
33 
-@@ -61,45 +66,50 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
34 
-         ERR_raise(ERR_LIB_ASN1, ASN1_R_STREAMING_NOT_SUPPORTED);
35 
-         return NULL;
36 
-     }
37 
--    ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux));
38 
-     asn_bio = BIO_new(BIO_f_asn1());
39 
--    if (ndef_aux == NULL || asn_bio == NULL)
40 
--        goto err;
41 
--
42 
--    /* ASN1 bio needs to be next to output BIO */
43 
--    out = BIO_push(asn_bio, out);
44 
--    if (out == NULL)
45 
--        goto err;
46 
-+    if (asn_bio == NULL)
47 
-+        return NULL;
48 
-
49 
-     BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
50 
-     BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
51 
-
52 
-+    /* ASN1 bio needs to be next to output BIO */
53 
-+    if (BIO_push(asn_bio, out) == NULL) {
54 
-+        BIO_free(asn_bio);
55 
-+        return NULL;
56 
-+    }
57 
-+
58 
-     /*
59 
--     * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
60 
--     * needs.
61 
-+     * Now let the callback prepend any digest, cipher, etc., that the BIO's
62 
-+     * ASN1 structure needs.
63 
-      */
64 
--
65 
--    sarg.out = out;
66 
-+    sarg.out = asn_bio;
67 
-     sarg.ndef_bio = NULL;
68 
-     sarg.boundary = NULL;
69 
-
70 
--    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
71 
--        goto err;
72 
-+    /*
73 
-+     * On error, restore input BIO to head of its BIO chain.
74 
-+     *
75 
-+     * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
76 
-+     * middle of some partially built, but not returned BIO chain.
77 
-+     */
78 
-+    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0
79 
-+        || (ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux))) == NULL) {
80 
-+        /* Assumed head of BIO chain with "out" as immediate successor */
81 
-+        (void)BIO_pop(asn_bio);
82 
-+        BIO_free(asn_bio);
83 
-+        return NULL;
84 
-+    }
85 
-
86 
-     ndef_aux->val = val;
87 
-     ndef_aux->it = it;
88 
-     ndef_aux->ndef_bio = sarg.ndef_bio;
89 
-     ndef_aux->boundary = sarg.boundary;
90 
--    ndef_aux->out = out;
91 
-+    ndef_aux->out = asn_bio;
92 
-
93 
-     BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
94 
-
95 
-     return sarg.ndef_bio;
96 
--
97 
-- err:
98 
--    BIO_free(asn_bio);
99 
--    OPENSSL_free(ndef_aux);
100 
--    return NULL;
101 
- }
102 
-
103 
- static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
104 
-2.32.0 (Apple Git-132)
105 
-
SPECS/openssl/CVE/0215/0002-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
History View file @ 7f4c42b
106 1 
deleted file mode 100644
... ... 
@@ -1,80 +0,0 @@
1 
-From 2430f0c015f351865e97ec5f75acd685f8ecf373 Mon Sep 17 00:00:00 2001
2 
-From: Matt Caswell <matt@openssl.org>
3 
-Date: Wed, 14 Dec 2022 17:15:18 +0000
4 
-Subject: [PATCH] Check CMS failure during BIO setup with -stream is handled
5 
- correctly
6 
-
7 
-Test for the issue fixed in the previous commit
8 
- test/recipes/80-test_cms.t  | 15 +++++++++++++--
9 
- test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
10 
- 2 files changed, 31 insertions(+), 2 deletions(-)
11 
- create mode 100644 test/smime-certs/badrsa.pem
12 
-
13 
-diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
14 
-index 48a92f735d..2276c5491a 100644
15 
-+++ b/test/recipes/80-test_cms.t
16 
-@@ -13,7 +13,7 @@ use warnings;
17 
- use POSIX;
18 
- use File::Spec::Functions qw/catfile/;
19 
- use File::Compare qw/compare_text compare/;
20 
--use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
21 
-+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
22 
-
23 
- use OpenSSL::Test::Utils;
24 
-
25 
-@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
26 
-
27 
- $no_rc2 = 1 if disabled("legacy");
28 
-
29 
--plan tests => 12;
30 
-+plan tests => 13;
31 
-
32 
- ok(run(test(["pkcs7_test"])), "test pkcs7");
33 
-
34 
-@@ -845,6 +845,17 @@ subtest "CMS binary input tests\n" => sub {
35 
-     ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
36 
-                 "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf2"])),
37 
-        "verify binary input with -binary missing -crlfeol");
38 
-+
39 
-+    # Check that we get the expected failure return code
40 
-+    with({ exit_checker => sub { return shift == 6; } },
41 
-+        sub {
42 
-+            ok(run(app(['openssl', 'cms', '-encrypt',
43 
-+                        '-in', srctop_file("test", "smcont.txt"),
44 
-+                        '-stream', '-recip',
45 
-+                        srctop_file("test/smime-certs", "badrsa.pem"),
46 
-+                       ])),
47 
-+                "Check failure during BIO setup with -stream is handled correctly");
48 
-+        });
49 
- };
50 
-
51 
- sub check_availability {
52 
-diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
53 
-new file mode 100644
54 
-index 0000000000..f824fc2267
55 
-+++ b/test/smime-certs/badrsa.pem
56 
-@@ -0,0 +1,18 @@
57 
-+-----BEGIN CERTIFICATE-----
58 
-+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
59 
-+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
60 
-+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
61 
-+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
62 
-+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
63 
-+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
64 
-+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
65 
-+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
66 
-+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
67 
-+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
68 
-+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
69 
-+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
70 
-+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
71 
-+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
72 
-+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
73 
-+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
74 
-+-----END CERTIFICATE-----
75 
-2.23.3
76 
-
SPECS/openssl/CVE/0215/0003-squash-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDE.patch
History View file @ 7f4c42b
77 1 
deleted file mode 100644
... ... 
@@ -1,104 +0,0 @@
1 
-From 655fb2614742e922039b8997a81c277540c7d71b Mon Sep 17 00:00:00 2001
2 
-From: Matt Caswell <matt@openssl.org>
3 
-Date: Fri, 27 Jan 2023 13:49:32 +0000
4 
-Subject: [PATCH 3/4] squash! Fix a UAF resulting from a bug in BIO_new_NDEF
5 
-
6 
-If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
7 
-be part of an invalid BIO chain. This causes a "use after free" when the
8 
-BIO is eventually freed.
9 
-
10 
-Based on an original patch by Viktor Dukhovni and an idea from Theo
11 
-Buehler.
12 
-
13 
-Thanks to Octavio Galland for reporting this issue.
14 
- crypto/asn1/bio_ndef.c | 44 +++++++++++++++++++++++-------------------
15 
- 1 file changed, 24 insertions(+), 20 deletions(-)
16 
-
17 
-diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
18 
-index 434fd35d61..ea2c9055cf 100644
19 
-+++ b/crypto/asn1/bio_ndef.c
20 
-@@ -61,55 +61,59 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
21 
-     BIO *asn_bio = NULL;
22 
-     const ASN1_AUX *aux = it->funcs;
23 
-     ASN1_STREAM_ARG sarg;
24 
-+    BIO *pop_bio = NULL;
25 
-
26 
-     if (!aux || !aux->asn1_cb) {
27 
-         ERR_raise(ERR_LIB_ASN1, ASN1_R_STREAMING_NOT_SUPPORTED);
28 
-         return NULL;
29 
-     }
30 
-+    ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux));
31 
-     asn_bio = BIO_new(BIO_f_asn1());
32 
--    if (asn_bio == NULL)
33 
--        return NULL;
34 
-+    if (ndef_aux == NULL || asn_bio == NULL)
35 
-+        goto err;
36 
-+
37 
-+    /* ASN1 bio needs to be next to output BIO */
38 
-+    out = BIO_push(asn_bio, out);
39 
-+    if (out == NULL)
40 
-+        goto err;
41 
-+    pop_bio = asn_bio;
42 
-
43 
-     BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
44 
-     BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
45 
-
46 
--    /* ASN1 bio needs to be next to output BIO */
47 
--    if (BIO_push(asn_bio, out) == NULL) {
48 
--        BIO_free(asn_bio);
49 
--        return NULL;
50 
--    }
51 
--
52 
-     /*
53 
-      * Now let the callback prepend any digest, cipher, etc., that the BIO's
54 
-      * ASN1 structure needs.
55 
-      */
56 
--    sarg.out = asn_bio;
57 
-+
58 
-+    sarg.out = out;
59 
-     sarg.ndef_bio = NULL;
60 
-     sarg.boundary = NULL;
61 
-
62 
-     /*
63 
--     * On error, restore input BIO to head of its BIO chain.
64 
--     *
65 
-      * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
66 
-      * middle of some partially built, but not returned BIO chain.
67 
-      */
68 
--    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0
69 
--        || (ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux))) == NULL) {
70 
--        /* Assumed head of BIO chain with "out" as immediate successor */
71 
--        (void)BIO_pop(asn_bio);
72 
--        BIO_free(asn_bio);
73 
--        return NULL;
74 
--    }
75 
-+    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
76 
-+        goto err;
77 
-
78 
-     ndef_aux->val = val;
79 
-     ndef_aux->it = it;
80 
-     ndef_aux->ndef_bio = sarg.ndef_bio;
81 
-     ndef_aux->boundary = sarg.boundary;
82 
--    ndef_aux->out = asn_bio;
83 
-+    ndef_aux->out = out;
84 
-
85 
--    BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
86 
-+    if (BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
87 
-+        goto err;
88 
-
89 
-     return sarg.ndef_bio;
90 
-+
91 
-+ err:
92 
-+    /* BIO_pop() is NULL safe */
93 
-+    (void)BIO_pop(pop_bio);
94 
-+    BIO_free(asn_bio);
95 
-+    OPENSSL_free(ndef_aux);
96 
-+    return NULL;
97 
- }
98 
-
99 
- static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
100 
-2.32.0 (Apple Git-132)
101 
-
SPECS/openssl/CVE/0215/0004-fixup-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
History View file @ 7f4c42b
102 1 
deleted file mode 100644
... ... 
@@ -1,60 +0,0 @@
1 
-From e76921222941bae85627d7031cdc4912c17926b2 Mon Sep 17 00:00:00 2001
2 
-From: Matt Caswell <matt@openssl.org>
3 
-Date: Tue, 31 Jan 2023 11:54:18 +0000
4 
-Subject: [PATCH 4/4] fixup! Fix a UAF resulting from a bug in BIO_new_NDEF
5 
-
6 
- crypto/asn1/bio_ndef.c | 22 ++++++++++++++++------
7 
- 1 file changed, 16 insertions(+), 6 deletions(-)
8 
-
9 
-diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
10 
-index ea2c9055cf..b9df3a7a47 100644
11 
-+++ b/crypto/asn1/bio_ndef.c
12 
-@@ -78,8 +78,10 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
13 
-         goto err;
14 
-     pop_bio = asn_bio;
15 
-
16 
--    BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
17 
--    BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
18 
-+    if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
19 
-+            || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
20 
-+            || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
21 
-+        goto err;
22 
-
23 
-     /*
24 
-      * Now let the callback prepend any digest, cipher, etc., that the BIO's
25 
-@@ -94,8 +96,19 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
26 
-      * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
27 
-      * middle of some partially built, but not returned BIO chain.
28 
-      */
29 
--    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
30 
-+    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
31 
-+        /*
32 
-+         * ndef_aux is now owned by asn_bio so we must not free it in the err
33 
-+         * clean up block
34 
-+         */
35 
-+        ndef_aux = NULL;
36 
-         goto err;
37 
-+    }
38 
-+
39 
-+    /*
40 
-+     * We must not fail now because the callback has prepended additional
41 
-+     * BIOs to the chain
42 
-+     */
43 
-
44 
-     ndef_aux->val = val;
45 
-     ndef_aux->it = it;
46 
-@@ -103,9 +116,6 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
47 
-     ndef_aux->boundary = sarg.boundary;
48 
-     ndef_aux->out = out;
49 
-
50 
--    if (BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
51 
--        goto err;
52 
--
53 
-     return sarg.ndef_bio;
54 
-
55 
-  err:
56 
-2.32.0 (Apple Git-132)
57 
-
SPECS/openssl/CVE/0216/0001-Do-not-dereference-PKCS7-object-data-if-not-set.patch
History View file @ 7f4c42b
58 1 
deleted file mode 100644
... ... 
@@ -1,57 +0,0 @@
1 
-From ef16eee060be97e5ee5f9a6a501eb61487ed21f6 Mon Sep 17 00:00:00 2001
2 
-From: Tomas Mraz <tomas@openssl.org>
3 
-Date: Mon, 16 Jan 2023 19:45:23 +0100
4 
-Subject: [PATCH 1/2] Do not dereference PKCS7 object data if not set
5 
-
6 
-Fixes CVE-2023-0216
7 
- crypto/pkcs7/pk7_lib.c | 16 ++++++++++++----
8 
- 1 file changed, 12 insertions(+), 4 deletions(-)
9 
-
10 
-diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
11 
-index 753f1276e6..936e50da54 100644
12 
-+++ b/crypto/pkcs7/pk7_lib.c
13 
-@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
14 
-
15 
- static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
16 
- {
17 
-+    if (p7->d.ptr == NULL)
18 
-+        return NULL;
19 
-     if (PKCS7_type_is_signed(p7))
20 
-         return p7->d.sign->cert;
21 
-     if (PKCS7_type_is_signedAndEnveloped(p7))
22 
-@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
23 
-
24 
- static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
25 
- {
26 
-+    if (p7->d.ptr == NULL)
27 
-+        return NULL;
28 
-     if (PKCS7_type_is_signedAndEnveloped(p7))
29 
-         return p7->d.signed_and_enveloped->recipientinfo;
30 
-     if (PKCS7_type_is_enveloped(p7))
31 
-@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
32 
-     const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
33 
-     OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
34 
-     const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
35 
--    STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
36 
--    STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
37 
--    STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
38 
-+    STACK_OF(PKCS7_RECIP_INFO) *rinfos;
39 
-+    STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
40 
-+    STACK_OF(X509) *certs;
41 
-
42 
--    if (ctx == NULL)
43 
-+    if (ctx == NULL || p7->d.ptr == NULL)
44 
-         return;
45 
-
46 
-+    rinfos = pkcs7_get_recipient_info(p7);
47 
-+    sinfos = PKCS7_get_signer_info(p7);
48 
-+    certs = pkcs7_get_signer_certs(p7);
49 
-+
50 
-     for (i = 0; i < sk_X509_num(certs); i++)
51 
-         ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
52 
-
53 
-2.32.0 (Apple Git-132)
54 
-
SPECS/openssl/CVE/0216/0002-Add-test-for-d2i_PKCS7-NULL-dereference.patch
History View file @ 7f4c42b
55 1 
deleted file mode 100644
... ... 
@@ -1,48 +0,0 @@
1 
-From cc5a157afcf4c7b1d3c8dceba10ab5c5d979d21e Mon Sep 17 00:00:00 2001
2 
-From: Tomas Mraz <tomas@openssl.org>
3 
-Date: Mon, 16 Jan 2023 19:56:20 +0100
4 
-Subject: [PATCH 2/2] Add test for d2i_PKCS7 NULL dereference
5 
-
6 
- test/recipes/25-test_pkcs7.t                    | 7 +++++--
7 
- test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++
8 
- 2 files changed, 8 insertions(+), 2 deletions(-)
9 
- create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7
10 
-
11 
-diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
12 
-index 37cd43dc6b..d61cd6abad 100644
13 
-+++ b/test/recipes/25-test_pkcs7.t
14 
-@@ -11,11 +11,11 @@ use strict;
15 
- use warnings;
16 
-
17 
- use File::Spec;
18 
--use OpenSSL::Test qw/:DEFAULT srctop_file/;
19 
-+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
20 
-
21 
- setup("test_pkcs7");
22 
-
23 
--plan tests => 3;
24 
-+plan tests => 4;
25 
-
26 
- require_ok(srctop_file('test','recipes','tconversion.pl'));
27 
-
28 
-@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
29 
-     tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
30 
-                  -args => ["pkcs7"] );
31 
- };
32 
-+
33 
-+my $malformed = data_file('malformed.pkcs7');
34 
-+ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
35 
-diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
36 
-new file mode 100644
37 
-index 0000000000..e30d1b582c
38 
-+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
39 
-@@ -0,0 +1,3 @@
40 
-+-----BEGIN PKCS7-----
41 
-+MAsGCSqGSIb3DQEHAg==
42 
-+-----END PKCS7-----
43 
-2.32.0 (Apple Git-132)
44 
-
SPECS/openssl/CVE/0217/0001-Fix-NULL-deference-when-validating-FFC-public-key.patch
History View file @ 7f4c42b
45 1 
deleted file mode 100644
... ... 
@@ -1,110 +0,0 @@
1 
-From 1847f547089890a03f4f2548f57929bef8db3647 Mon Sep 17 00:00:00 2001
2 
-From: slontis <shane.lontis@oracle.com>
3 
-Date: Wed, 11 Jan 2023 11:05:04 +1000
4 
-Subject: [PATCH 1/4] Fix NULL deference when validating FFC public key.
5 
-
6 
-Fixes CVE-2023-0217
7 
-
8 
-When attempting to do a BN_Copy of params->p there was no NULL check.
9 
-Since BN_copy does not check for NULL this is a NULL reference.
10 
-
11 
-As an aside BN_cmp() does do a NULL check, so there are other checks
12 
-that fail because a NULL is passed. A more general check for NULL params
13 
-has been added for both FFC public and private key validation instead.
14 
- crypto/ffc/ffc_key_validate.c |  9 +++++++++
15 
- include/internal/ffc.h        |  1 +
16 
- test/ffc_internal_test.c      | 31 +++++++++++++++++++++++++++++++
17 
- 3 files changed, 41 insertions(+)
18 
-
19 
-diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c
20 
-index 9f6525a2c8..442303e4b3 100644
21 
-+++ b/crypto/ffc/ffc_key_validate.c
22 
-@@ -24,6 +24,11 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params,
23 
-     BN_CTX *ctx = NULL;
24 
-
25 
-     *ret = 0;
26 
-+    if (params == NULL || pub_key == NULL || params->p == NULL) {
27 
-+        *ret = FFC_ERROR_PASSED_NULL_PARAM;
28 
-+        return 0;
29 
-+    }
30 
-+
31 
-     ctx = BN_CTX_new_ex(NULL);
32 
-     if (ctx == NULL)
33 
-         goto err;
34 
-@@ -107,6 +112,10 @@ int ossl_ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv,
35 
-
36 
-     *ret = 0;
37 
-
38 
-+    if (priv == NULL || upper == NULL) {
39 
-+        *ret = FFC_ERROR_PASSED_NULL_PARAM;
40 
-+        goto err;
41 
-+    }
42 
-     if (BN_cmp(priv, BN_value_one()) < 0) {
43 
-         *ret |= FFC_ERROR_PRIVKEY_TOO_SMALL;
44 
-         goto err;
45 
-diff --git a/include/internal/ffc.h b/include/internal/ffc.h
46 
-index 732514a6c2..b8b7140857 100644
47 
-+++ b/include/internal/ffc.h
48 
-@@ -76,6 +76,7 @@
49 
- # define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08
50 
- # define FFC_ERROR_PRIVKEY_TOO_SMALL      0x10
51 
- # define FFC_ERROR_PRIVKEY_TOO_LARGE      0x20
52 
-+# define FFC_ERROR_PASSED_NULL_PARAM      0x40
53 
-
54 
- /*
55 
-  * Finite field cryptography (FFC) domain parameters are used by DH and DSA.
56 
-diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c
57 
-index 2c97293573..9f67bd29b9 100644
58 
-+++ b/test/ffc_internal_test.c
59 
-@@ -510,6 +510,27 @@ static int ffc_public_validate_test(void)
60 
-     if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
61 
-         goto err;
62 
-
63 
-+    /* Fail if params is NULL */
64 
-+    if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res)))
65 
-+        goto err;
66 
-+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
67 
-+        goto err;
68 
-+    res = -1;
69 
-+    /* Fail if pubkey is NULL */
70 
-+    if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res)))
71 
-+        goto err;
72 
-+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
73 
-+        goto err;
74 
-+    res = -1;
75 
-+
76 
-+    BN_free(params->p);
77 
-+    params->p = NULL;
78 
-+    /* Fail if params->p is NULL */
79 
-+    if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
80 
-+        goto err;
81 
-+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
82 
-+        goto err;
83 
-+
84 
-     ret = 1;
85 
- err:
86 
-     DH_free(dh);
87 
-@@ -567,6 +588,16 @@ static int ffc_private_validate_test(void)
88 
-     if (!TEST_true(ossl_ffc_validate_private_key(params->q, priv, &res)))
89 
-         goto err;
90 
-
91 
-+    if (!TEST_false(ossl_ffc_validate_private_key(NULL, priv, &res)))
92 
-+        goto err;
93 
-+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
94 
-+        goto err;
95 
-+    res = -1;
96 
-+    if (!TEST_false(ossl_ffc_validate_private_key(params->q, NULL, &res)))
97 
-+        goto err;
98 
-+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
99 
-+        goto err;
100 
-+
101 
-     ret = 1;
102 
- err:
103 
-     DH_free(dh);
104 
-2.32.0 (Apple Git-132)
105 
-
SPECS/openssl/CVE/0217/0002-Prevent-creating-DSA-and-DH-keys-without-parameters-.patch
History View file @ 7f4c42b
106 1 
deleted file mode 100644
... ... 
@@ -1,45 +0,0 @@
1 
-From 8386d224589c66d8471a5986743824eff8e447f2 Mon Sep 17 00:00:00 2001
2 
-From: Tomas Mraz <tomas@openssl.org>
3 
-Date: Fri, 13 Jan 2023 17:57:59 +0100
4 
-Subject: [PATCH 2/4] Prevent creating DSA and DH keys without parameters
5 
- through import
6 
-
7 
- providers/implementations/keymgmt/dh_kmgmt.c  | 4 ++--
8 
- providers/implementations/keymgmt/dsa_kmgmt.c | 5 +++--
9 
- 2 files changed, 5 insertions(+), 4 deletions(-)
10 
-
11 
-diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
12 
-index 58a5fd009f..c2d87b4a7f 100644
13 
-+++ b/providers/implementations/keymgmt/dh_kmgmt.c
14 
-@@ -198,8 +198,8 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
15 
-     if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
16 
-         return 0;
17 
-
18 
--    if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
19 
--        ok = ok && ossl_dh_params_fromdata(dh, params);
20 
-+    /* a key without parameters is meaningless */
21 
-+    ok = ok && ossl_dh_params_fromdata(dh, params);
22 
-
23 
-     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
24 
-         int include_private =
25 
-diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
26 
-index 100e917167..881680c085 100644
27 
-+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
28 
-@@ -199,8 +199,9 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
29 
-     if ((selection & DSA_POSSIBLE_SELECTIONS) == 0)
30 
-         return 0;
31 
-
32 
--    if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
33 
--        ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
34 
-+    /* a key without parameters is meaningless */
35 
-+    ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
36 
-+
37 
-     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
38 
-         int include_private =
39 
-             selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
40 
-2.32.0 (Apple Git-132)
41 
-
SPECS/openssl/CVE/0217/0003-Do-not-create-DSA-keys-without-parameters-by-decoder.patch
History View file @ 7f4c42b
42 1 
deleted file mode 100644
... ... 
@@ -1,76 +0,0 @@
1 
-From 7e0f058ef1e392945609c3922ec92b32569c1e92 Mon Sep 17 00:00:00 2001
2 
-From: Tomas Mraz <tomas@openssl.org>
3 
-Date: Fri, 13 Jan 2023 17:59:52 +0100
4 
-Subject: [PATCH 3/4] Do not create DSA keys without parameters by decoder
5 
-
6 
- crypto/x509/x_pubkey.c                        | 24 +++++++++++++++++++
7 
- include/crypto/x509.h                         |  3 +++
8 
- .../encode_decode/decode_der2key.c            |  2 +-
9 
- 3 files changed, 28 insertions(+), 1 deletion(-)
10 
-
11 
-diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
12 
-index bc90ddd89b..77790faa1f 100644
13 
-+++ b/crypto/x509/x_pubkey.c
14 
-@@ -745,6 +745,30 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
15 
-     return key;
16 
- }
17 
-
18 
-+/* Called from decoders; disallows provided DSA keys without parameters. */
19 
-+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
20 
-+{
21 
-+    DSA *key = NULL;
22 
-+    const unsigned char *data;
23 
-+    const BIGNUM *p, *q, *g;
24 
-+
25 
-+    data = *pp;
26 
-+    key = d2i_DSA_PUBKEY(NULL, &data, length);
27 
-+    if (key == NULL)
28 
-+        return NULL;
29 
-+    DSA_get0_pqg(key, &p, &q, &g);
30 
-+    if (p == NULL || q == NULL || g == NULL) {
31 
-+        DSA_free(key);
32 
-+        return NULL;
33 
-+    }
34 
-+    *pp = data;
35 
-+    if (a != NULL) {
36 
-+        DSA_free(*a);
37 
-+        *a = key;
38 
-+    }
39 
-+    return key;
40 
-+}
41 
-+
42 
- int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp)
43 
- {
44 
-     EVP_PKEY *pktmp;
45 
-diff --git a/include/crypto/x509.h b/include/crypto/x509.h
46 
-index 1f00178e89..0c42730ee9 100644
47 
-+++ b/include/crypto/x509.h
48 
-@@ -339,6 +339,9 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub);
49 
-
50 
- RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length);
51 
- int ossl_i2d_RSA_PSS_PUBKEY(const RSA *a, unsigned char **pp);
52 
-+# ifndef OPENSSL_NO_DSA
53 
-+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length);
54 
-+# endif /* OPENSSL_NO_DSA */
55 
- # ifndef OPENSSL_NO_DH
56 
- DH *ossl_d2i_DH_PUBKEY(DH **a, const unsigned char **pp, long length);
57 
- int ossl_i2d_DH_PUBKEY(const DH *a, unsigned char **pp);
58 
-diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
59 
-index ebc2d24833..d6ad738ef3 100644
60 
-+++ b/providers/implementations/encode_decode/decode_der2key.c
61 
-@@ -374,7 +374,7 @@ static void *dsa_d2i_PKCS8(void **key, const unsigned char **der, long der_len,
62 
-                              (key_from_pkcs8_t *)ossl_dsa_key_from_pkcs8);
63 
- }
64 
-
65 
--# define dsa_d2i_PUBKEY                 (d2i_of_void *)d2i_DSA_PUBKEY
66 
-+# define dsa_d2i_PUBKEY                 (d2i_of_void *)ossl_d2i_DSA_PUBKEY
67 
- # define dsa_free                       (free_key_fn *)DSA_free
68 
- # define dsa_check                      NULL
69 
-
70 
-2.32.0 (Apple Git-132)
71 
-
SPECS/openssl/CVE/0217/0004-Add-test-for-DSA-pubkey-without-param-import-and-che.patch
History View file @ 7f4c42b
72 1 
deleted file mode 100644
... ... 
@@ -1,124 +0,0 @@
1 
-From c5255f06978a6537e69669d914df7a7316c53fe6 Mon Sep 17 00:00:00 2001
2 
-From: Tomas Mraz <tomas@openssl.org>
3 
-Date: Fri, 13 Jan 2023 18:46:15 +0100
4 
-Subject: [PATCH 4/4] Add test for DSA pubkey without param import and check
5 
-
6 
- test/recipes/91-test_pkey_check.t             |  48 ++++++++++++++----
7 
- .../91-test_pkey_check_data/dsapub.pem        |  12 +++++
8 
- .../dsapub_noparam.der                        | Bin 0 -> 108 bytes
9 
- 3 files changed, 49 insertions(+), 11 deletions(-)
10 
- create mode 100644 test/recipes/91-test_pkey_check_data/dsapub.pem
11 
- create mode 100644 test/recipes/91-test_pkey_check_data/dsapub_noparam.der
12 
-
13 
-diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
14 
-index 612a3e3d6c..015d7805db 100644
15 
-+++ b/test/recipes/91-test_pkey_check.t
16 
-@@ -11,19 +11,24 @@ use strict;
17 
- use warnings;
18 
-
19 
- use File::Spec;
20 
--use OpenSSL::Test qw/:DEFAULT data_file/;
21 
-+use OpenSSL::Test qw/:DEFAULT data_file with/;
22 
- use OpenSSL::Test::Utils;
23 
-
24 
- sub pkey_check {
25 
-     my $f = shift;
26 
-+    my $pubcheck = shift;
27 
-+    my @checkopt = ('-check');
28 
-
29 
--    return run(app(['openssl', 'pkey', '-check', '-text',
30 
-+    @checkopt = ('-pubcheck', '-pubin') if $pubcheck;
31 
-+
32 
-+    return run(app(['openssl', 'pkey', @checkopt, '-text',
33 
-                     '-in', $f]));
34 
- }
35 
-
36 
- sub check_key {
37 
-     my $f = shift;
38 
-     my $should_fail = shift;
39 
-+    my $pubcheck = shift;
40 
-     my $str;
41 
-
42 
-
43 
-@@ -33,11 +38,10 @@ sub check_key {
44 
-     $f = data_file($f);
45 
-
46 
-     if ( -s $f ) {
47 
--        if ($should_fail) {
48 
--            ok(!pkey_check($f), $str);
49 
--        } else {
50 
--            ok(pkey_check($f), $str);
51 
--        }
52 
-+        with({ exit_checker => sub { return shift == $should_fail; } },
53 
-+            sub {
54 
-+                ok(pkey_check($f, $pubcheck), $str);
55 
-+            });
56 
-     } else {
57 
-         fail("Missing file $f");
58 
-     }
59 
-@@ -66,15 +70,37 @@ push(@positive_tests, (
60 
-     "dhpkey.pem"
61 
-     )) unless disabled("dh");
62 
-
63 
-+my @negative_pubtests = ();
64 
-+
65 
-+push(@negative_pubtests, (
66 
-+    "dsapub_noparam.der"
67 
-+    )) unless disabled("dsa");
68 
-+
69 
-+my @positive_pubtests = ();
70 
-+
71 
-+push(@positive_pubtests, (
72 
-+    "dsapub.pem"
73 
-+    )) unless disabled("dsa");
74 
-+
75 
- plan skip_all => "No tests within the current enabled feature set"
76 
--    unless @negative_tests && @positive_tests;
77 
-+    unless @negative_tests && @positive_tests
78 
-+           && @negative_pubtests && @positive_pubtests;
79 
-
80 
--plan tests => scalar(@negative_tests) + scalar(@positive_tests);
81 
-+plan tests => scalar(@negative_tests) + scalar(@positive_tests)
82 
-+              + scalar(@negative_pubtests) + scalar(@positive_pubtests);
83 
-
84 
- foreach my $t (@negative_tests) {
85 
--    check_key($t, 1);
86 
-+    check_key($t, 1, 0);
87 
- }
88 
-
89 
- foreach my $t (@positive_tests) {
90 
--    check_key($t, 0);
91 
-+    check_key($t, 0, 0);
92 
-+}
93 
-+
94 
-+foreach my $t (@negative_pubtests) {
95 
-+    check_key($t, 1, 1);
96 
-+}
97 
-+
98 
-+foreach my $t (@positive_pubtests) {
99 
-+    check_key($t, 0, 1);
100 
- }
101 
-diff --git a/test/recipes/91-test_pkey_check_data/dsapub.pem b/test/recipes/91-test_pkey_check_data/dsapub.pem
102 
-new file mode 100644
103 
-index 0000000000..0ff4bd83ed
104 
-+++ b/test/recipes/91-test_pkey_check_data/dsapub.pem
105 
-@@ -0,0 +1,12 @@
106 
-+-----BEGIN PUBLIC KEY-----
107 
-+MIIBvzCCATQGByqGSM44BAEwggEnAoGBAIjbXpOVVciVNuagg26annKkghIIZFI4
108 
-+4WdMomnV+I/oXyxHbZTBBBpW9xy/E1+yMjbp4GmX+VxyDj3WxUWxXllzL+miEkzD
109 
-+9Xz638VzIBhjFbMvk1/N4kS4bKVUd9yk7HfvYzAdnRphk0WI+RoDiDrBNPPxSoQD
110 
-+CEWgvwgsLIDhAh0A6dbz1IQpQwGF4+Ca28x6OO+UfJJv3ggeZ++fNwKBgQCA9XKV
111 
-+lRrTY8ALBxS0KbZjpaIXuUj5nr3i1lIDyP3ISksDF0ekyLtn6eK9VijX6Pm65Np+
112 
-+4ic9Nr5WKLKhPaUSpLNRx1gDqo3sd92hYgiEUifzEuhLYfK/CsgFED+l2hDXtJUq
113 
-+bISNSHVwI5lsyNXLu7HI1Fk8F5UO3LqsboFAngOBhAACgYATxFY89nEYcUhgHGgr
114 
-+YDHhXBQfMKnTKYdvon4DN7WQ9ip+t4VUsLpTD1ZE9zrM2R/B04+8C6KGoViwyeER
115 
-+kS4dxWOkX71x4X2DlNpYevcR53tNcTDqmMD7YKfDDmrb0lftMyfW8aESaiymVMys
116 
-+DRjhKHBjdo0rZeSM8DAk3ctrXA==
117 
-+-----END PUBLIC KEY-----
118 
-
119 
-2.32.0 (Apple Git-132)
120 
-
SPECS/openssl/CVE/0217/dsapub_noparam.der
History View file @ 7f4c42b
121 1 
deleted file mode 100644
122 2 
Binary files a/SPECS/openssl/CVE/0217/dsapub_noparam.der and /dev/null differ
SPECS/openssl/CVE/0286/0001-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-3.patch
History View file @ 7f4c42b
123 3 
deleted file mode 100644
... ... 
@@ -1,99 +0,0 @@
1 
-From 295f32bcf462fa6114b540d5c590ef213d99a5cd Mon Sep 17 00:00:00 2001
2 
-From: Hugo Landau <hlandau@openssl.org>
3 
-Date: Tue, 17 Jan 2023 17:45:42 +0000
4 
-Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (3.0)
5 
-
6 
- CHANGES.md                  | 19 +++++++++++++++++++
7 
- crypto/x509/v3_genn.c       |  2 +-
8 
- include/openssl/x509v3.h.in |  2 +-
9 
- test/v3nametest.c           | 10 ++++++++++
10 
- 4 files changed, 31 insertions(+), 2 deletions(-)
11 
-
12 
-diff --git a/CHANGES.md b/CHANGES.md
13 
-index 84933a874b..ae1189b6f5 100644
14 
-+++ b/CHANGES.md
15 
-@@ -28,6 +28,24 @@ breaking changes, and mappings for the large list of deprecated functions.
16 
-
17 
- [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
18 
-
19 
-+ * Fixed a type confusion vulnerability relating to X.400 address processing
20 
-+   inside an X.509 GeneralName. X.400 addresses were parsed as an `ASN1_STRING`
21 
-+   but subsequently interpreted by `GENERAL_NAME_cmp` as an `ASN1_TYPE`. This
22 
-+   vulnerability may allow an attacker who can provide a certificate chain and
23 
-+   CRL (neither of which need have a valid signature) to pass arbitrary pointers
24 
-+   to a `memcmp` call, creating a possible read primitive, subject to some
25 
-+   constraints. Refer to the advisory for more information. Thanks to David
26 
-+   Benjamin for discovering this issue. ([CVE-2023-0286])
27 
-+
28 
-+   This issue has been fixed by changing the public header file definition of
29 
-+   `GENERAL_NAME` so that `x400Address` reflects the implementation. It was not
30 
-+   possible for any existing application to successfully use the existing
31 
-+   definition; however, if any application references the `x400Address` field
32 
-+   (e.g. in dead code), note that the type of this field has changed. There is
33 
-+   no ABI change.
34 
-+
35 
-+   *Hugo Landau*
36 
-+
37 
- ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
38 
-
39 
-  * Fixed two buffer overflows in punycode decoding functions.
40 
-@@ -19415,6 +19433,7 @@ ndif
41 
-
42 
- <!-- Links -->
43 
-
44 
-+[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
45 
- [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
46 
- [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
47 
- [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
48 
-diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
49 
-index c0a7166cd0..1741c2d2f6 100644
50 
-+++ b/crypto/x509/v3_genn.c
51 
-@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
52 
-         return -1;
53 
-     switch (a->type) {
54 
-     case GEN_X400:
55 
--        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
56 
-+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
57 
-         break;
58 
-
59 
-     case GEN_EDIPARTY:
60 
-diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
61 
-index d00a66a343..c087e3cf92 100644
62 
-+++ b/include/openssl/x509v3.h.in
63 
-@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st {
64 
-         OTHERNAME *otherName;   /* otherName */
65 
-         ASN1_IA5STRING *rfc822Name;
66 
-         ASN1_IA5STRING *dNSName;
67 
--        ASN1_TYPE *x400Address;
68 
-+        ASN1_STRING *x400Address;
69 
-         X509_NAME *directoryName;
70 
-         EDIPARTYNAME *ediPartyName;
71 
-         ASN1_IA5STRING *uniformResourceIdentifier;
72 
-diff --git a/test/v3nametest.c b/test/v3nametest.c
73 
-index 6d2e2f8e27..c75cbef7a6 100644
74 
-+++ b/test/v3nametest.c
75 
-@@ -644,6 +644,16 @@ static struct gennamedata {
76 
-             0xb7, 0x09, 0x02, 0x02
77 
-         },
78 
-         15
79 
-+    }, {
80 
-+        /*
81 
-+         * Malformed encoding of a `[3] ORAddress`.
82 
-+         * Regression test for CVE-2023-0286.
83 
-+         */
84 
-+        {
85 
-+            0xa3, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c,
86 
-+            0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
87 
-+        },
88 
-+        16
89 
-     }
90 
- };
91 
-
92 
-2.23.3
93 
-
SPECS/openssl/CVE/0401/0001-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
History View file @ 7f4c42b
94 1 
deleted file mode 100644
... ... 
@@ -1,61 +0,0 @@
1 
-From 570d2d6693f35a2f46f1406471d0a991537675b5 Mon Sep 17 00:00:00 2001
2 
-From: Tomas Mraz <tomas@openssl.org>
3 
-Date: Wed, 18 Jan 2023 09:27:53 +0100
4 
-Subject: [PATCH 1/2] pk7_doit.c: Check return of BIO_set_md() calls
5 
-
6 
-These calls invoke EVP_DigestInit() which can fail for digests
7 
-with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
8 
-or EVP_DigestFinal() from BIO_read() will segfault on NULL
9 
-dereference. This can be triggered by an attacker providing
10 
-PKCS7 data digested with MD4 for example if the legacy provider
11 
-is not loaded.
12 
-
13 
-If BIO_set_md() fails the md BIO cannot be used.
14 
-
15 
-CVE-2023-0401
16 
- crypto/pkcs7/pk7_doit.c | 13 +++++++++++--
17 
- 1 file changed, 11 insertions(+), 2 deletions(-)
18 
-
19 
-diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
20 
-index f116e46411..a4897f8ff7 100644
21 
-+++ b/crypto/pkcs7/pk7_doit.c
22 
-@@ -84,8 +84,12 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg,
23 
-     }
24 
-     (void)ERR_pop_to_mark();
25 
-
26 
--    BIO_set_md(btmp, md);
27 
-+    if (BIO_set_md(btmp, md) <= 0) {
28 
-+        ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
29 
-+        goto err;
30 
-+    }
31 
-     EVP_MD_free(fetched);
32 
-+    fetched = NULL;
33 
-     if (*pbio == NULL)
34 
-         *pbio = btmp;
35 
-     else if (!BIO_push(*pbio, btmp)) {
36 
-@@ -98,6 +102,7 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg,
37 
-
38 
-  err:
39 
-     BIO_free(btmp);
40 
-+    EVP_MD_free(fetched);
41 
-     return 0;
42 
- }
43 
-
44 
-@@ -522,7 +527,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
45 
-             }
46 
-             (void)ERR_pop_to_mark();
47 
-
48 
--            BIO_set_md(btmp, md);
49 
-+            if (BIO_set_md(btmp, md) <= 0) {
50 
-+                EVP_MD_free(evp_md);
51 
-+                ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
52 
-+                goto err;
53 
-+            }
54 
-             EVP_MD_free(evp_md);
55 
-             if (out == NULL)
56 
-                 out = btmp;
57 
-2.32.0 (Apple Git-132)
58 
-
SPECS/openssl/CVE/0401/0002-Add-testcase-for-missing-return-check-of-BIO_set_md-.patch
History View file @ 7f4c42b
59 1 
deleted file mode 100644
... ... 
@@ -1,83 +0,0 @@
1 
-From 52ebd5f790fb886d3ac920df93d3be8b1f9168ab Mon Sep 17 00:00:00 2001
2 
-From: Tomas Mraz <tomas@openssl.org>
3 
-Date: Wed, 18 Jan 2023 17:07:24 +0100
4 
-Subject: [PATCH] Add testcase for missing return check of BIO_set_md() calls
5 
-
6 
- test/recipes/80-test_cms.t                  | 13 ++++++++-
7 
- test/recipes/80-test_cms_data/pkcs7-md4.pem | 32 +++++++++++++++++++++
8 
- 2 files changed, 44 insertions(+), 1 deletion(-)
9 
- create mode 100644 test/recipes/80-test_cms_data/pkcs7-md4.pem
10 
-
11 
-diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
12 
-index 2276c5491a..10e5b6f13f 100644
13 
-+++ b/test/recipes/80-test_cms.t
14 
-@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
15 
-
16 
- $no_rc2 = 1 if disabled("legacy");
17 
-
18 
--plan tests => 13;
19 
-+plan tests => 14;
20 
-
21 
- ok(run(test(["pkcs7_test"])), "test pkcs7");
22 
-
23 
-@@ -856,6 +856,17 @@ subtest "CMS binary input tests\n" => sub {
24 
-                        ])),
25 
-                 "Check failure during BIO setup with -stream is handled correctly");
26 
-         });
27 
-+
28 
-+
29 
-+    # Test case for missing MD algorithm (must not segfault)
30 
-+    with({ exit_checker => sub { return shift == 4; } },
31 
-+        sub {
32 
-+                ok(run(app(['openssl', 'smime', '-verify', '-noverify',
33 
-+                        '-inform', 'PEM',
34 
-+                        '-in', data_file("pkcs7-md4.pem"),
35 
-+                       ])),
36 
-+                "Check failure of EVP_DigestInit is handled correctly");
37 
-+        });
38 
- };
39 
-
40 
- sub check_availability {
41 
-diff --git a/test/recipes/80-test_cms_data/pkcs7-md4.pem b/test/recipes/80-test_cms_data/pkcs7-md4.pem
42 
-new file mode 100644
43 
-index 0000000000..ecff611deb
44 
-+++ b/test/recipes/80-test_cms_data/pkcs7-md4.pem
45 
-@@ -0,0 +1,32 @@
46 
-+-----BEGIN PKCS7-----
47 
-+MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG
48 
-+SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G
49 
-+CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx
50 
-+MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ
51 
-+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU
52 
-+fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC
53 
-+76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz
54 
-+BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl
55 
-+V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv
56 
-+0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9
57 
-+MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR
58 
-+M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
59 
-+AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB
60 
-+AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS
61 
-+EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3
62 
-+IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2
63 
-++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU
64 
-+TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC
65 
-+e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC
66 
-+MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
67 
-+hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp
68 
-+RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB
69 
-+ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN
70 
-+BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B
71 
-+AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7
72 
-+kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c
73 
-+lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp
74 
-+0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk
75 
-+Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a
76 
-+ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6
77 
-+-----END PKCS7-----
78 
-2.23.3
79 
-
SPECS/openssl/CVE/4203/0001-Fix-type-confusion-in-nc_match_single.patch
History View file @ 7f4c42b
80 1 
deleted file mode 100644
... ... 
@@ -1,125 +0,0 @@
1 
-From 836b7f8a1af3d89feb02deb081501f94cf98017a Mon Sep 17 00:00:00 2001
2 
-From: Viktor Dukhovni <openssl-users@dukhovni.org>
3 
-Date: Tue, 13 Dec 2022 08:49:13 +0100
4 
-Subject: [PATCH 1/2] Fix type confusion in nc_match_single()
5 
-
6 
-This function assumes that if the "gen" is an OtherName, then the "base"
7 
-is a rfc822Name constraint. This assumption is not true in all cases.
8 
-If the end-entity certificate contains an OtherName SAN of any type besides
9 
-SmtpUtf8Mailbox and the CA certificate contains a name constraint of
10 
-OtherName (of any type), then "nc_email_eai" will be invoked, with the
11 
-OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING.
12 
-
13 
-Reported by Corey Bonnell from Digicert.
14 
-
15 
-CVE-2022-4203
16 
- crypto/x509/v3_ncons.c | 45 +++++++++++++++++++++++++++++-------------
17 
- 1 file changed, 31 insertions(+), 14 deletions(-)
18 
-
19 
-diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
20 
-index 70a7e8304e..5101598512 100644
21 
-+++ b/crypto/x509/v3_ncons.c
22 
-@@ -31,7 +31,8 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
23 
- static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
24 
-
25 
- static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
26 
--static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
27 
-+static int nc_match_single(int effective_type, GENERAL_NAME *sub,
28 
-+                           GENERAL_NAME *gen);
29 
- static int nc_dn(const X509_NAME *sub, const X509_NAME *nm);
30 
- static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
31 
- static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
32 
-@@ -472,14 +473,17 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
33 
- {
34 
-     GENERAL_SUBTREE *sub;
35 
-     int i, r, match = 0;
36 
-+    int effective_type = gen->type;
37 
-+
38 
-     /*
39 
-      * We need to compare not gen->type field but an "effective" type because
40 
-      * the otherName field may contain EAI email address treated specially
41 
-      * according to RFC 8398, section 6
42 
-      */
43 
--    int effective_type = ((gen->type == GEN_OTHERNAME) &&
44 
--                          (OBJ_obj2nid(gen->d.otherName->type_id) ==
45 
--                           NID_id_on_SmtpUTF8Mailbox)) ? GEN_EMAIL : gen->type;
46 
-+    if (effective_type == GEN_OTHERNAME &&
47 
-+        (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox)) {
48 
-+        effective_type = GEN_EMAIL;
49 
-+    }
50 
-
51 
-     /*
52 
-      * Permitted subtrees: if any subtrees exist of matching the type at
53 
-@@ -488,7 +492,10 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
54 
-
55 
-     for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
56 
-         sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
57 
--        if (effective_type != sub->base->type)
58 
-+        if (effective_type != sub->base->type
59 
-+            || (effective_type == GEN_OTHERNAME &&
60 
-+                OBJ_cmp(gen->d.otherName->type_id,
61 
-+                        sub->base->d.otherName->type_id) != 0))
62 
-             continue;
63 
-         if (!nc_minmax_valid(sub))
64 
-             return X509_V_ERR_SUBTREE_MINMAX;
65 
-@@ -497,7 +504,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
66 
-             continue;
67 
-         if (match == 0)
68 
-             match = 1;
69 
--        r = nc_match_single(gen, sub->base);
70 
-+        r = nc_match_single(effective_type, gen, sub->base);
71 
-         if (r == X509_V_OK)
72 
-             match = 2;
73 
-         else if (r != X509_V_ERR_PERMITTED_VIOLATION)
74 
-@@ -511,12 +518,15 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
75 
-
76 
-     for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
77 
-         sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
78 
--        if (effective_type != sub->base->type)
79 
-+        if (effective_type != sub->base->type
80 
-+            || (effective_type == GEN_OTHERNAME &&
81 
-+                OBJ_cmp(gen->d.otherName->type_id,
82 
-+                        sub->base->d.otherName->type_id) != 0))
83 
-             continue;
84 
-         if (!nc_minmax_valid(sub))
85 
-             return X509_V_ERR_SUBTREE_MINMAX;
86 
-
87 
--        r = nc_match_single(gen, sub->base);
88 
-+        r = nc_match_single(effective_type, gen, sub->base);
89 
-         if (r == X509_V_OK)
90 
-             return X509_V_ERR_EXCLUDED_VIOLATION;
91 
-         else if (r != X509_V_ERR_PERMITTED_VIOLATION)
92 
-@@ -528,15 +538,22 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
93 
-
94 
- }
95 
-
96 
--static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
97 
-+static int nc_match_single(int effective_type, GENERAL_NAME *gen,
98 
-+                           GENERAL_NAME *base)
99 
- {
100 
-     switch (gen->type) {
101 
-     case GEN_OTHERNAME:
102 
--        /*
103 
--         * We are here only when we have SmtpUTF8 name,
104 
--         * so we match the value of othername with base->d.rfc822Name
105 
--         */
106 
--        return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
107 
-+        switch (effective_type) {
108 
-+        case GEN_EMAIL:
109 
-+            /*
110 
-+             * We are here only when we have SmtpUTF8 name,
111 
-+             * so we match the value of othername with base->d.rfc822Name
112 
-+             */
113 
-+            return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
114 
-+
115 
-+        default:
116 
-+            return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
117 
-+        }
118 
-
119 
-     case GEN_DIRNAME:
120 
-         return nc_dn(gen->d.directoryName, base->d.directoryName);
121 
-2.32.0 (Apple Git-132)
122 
-
SPECS/openssl/CVE/4203/0002-Add-testcase-for-nc_match_single-type-confusion.patch
History View file @ 7f4c42b
123 1 
deleted file mode 100644
... ... 
@@ -1,150 +0,0 @@
1 
-From 5850657befba35f5ea754ce38b30dcd895b00752 Mon Sep 17 00:00:00 2001
2 
-From: Tomas Mraz <tomas@openssl.org>
3 
-Date: Tue, 13 Dec 2022 19:45:09 +0100
4 
-Subject: [PATCH 2/2] Add testcase for nc_match_single type confusion
5 
-
6 
- test/certs/bad-othername-cert.pem | 20 ++++++++++++++++++++
7 
- test/certs/nccaothername-cert.pem | 20 ++++++++++++++++++++
8 
- test/certs/nccaothername-key.pem  | 28 ++++++++++++++++++++++++++++
9 
- test/certs/setup.sh               | 11 +++++++++++
10 
- test/recipes/25-test_verify.t     |  5 ++++-
11 
- 5 files changed, 83 insertions(+), 1 deletion(-)
12 
- create mode 100644 test/certs/bad-othername-cert.pem
13 
- create mode 100644 test/certs/nccaothername-cert.pem
14 
- create mode 100644 test/certs/nccaothername-key.pem
15 
-
16 
-diff --git a/test/certs/bad-othername-cert.pem b/test/certs/bad-othername-cert.pem
17 
-new file mode 100644
18 
-index 0000000000..cf279de5ea
19 
-+++ b/test/certs/bad-othername-cert.pem
20 
-@@ -0,0 +1,20 @@
21 
-+-----BEGIN CERTIFICATE-----
22 
-+MIIDRDCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
23 
-+IE5DIENBIG90aGVybmFtZTAgFw0yMjEyMTMxODMzMTZaGA8yMTIyMTIxNDE4MzMx
24 
-+NlowMTEvMC0GA1UECgwmTkMgZW1haWwgaW4gb3RoZXJuYW1lIFRlc3QgQ2VydGlm
25 
-+aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPgeoakqHk1zYt
26 
-+JZpEC0qkJPU/X0lfI+6GY2LHFY9KOSFqqmTXxrUtjQc3SdpQvBZhPuMZ8p82Jid2
27 
-+kkRHnWs0uqX9NtLO923yQalYvP6Mt3fokcYgw/C9b+I/q1PKUyN0kPB6McROguD5
28 
-+Jz2DcEufJBhbpyay1bFjEI2DAQJKDP/U7uH0EA7kH/27UMk0vfvL5uVjDvlo8i6S
29 
-+Ul8+u0cDV5ZFJW2VAJKLU3wp6IY4fZl9UqkHZuRQpMJGqAjAleWOIEpyyvfGGh0b
30 
-+75n3GJ+4YZ7CIBEgY7K0nIbKxtcDZPvmtbYg3g1tkPMTHcodFT7yEdqkBTJ5AGL7
31 
-+6U850OhjAgMBAAGjdzB1MB0GA1UdDgQWBBTBz0k+q6d4c3aM+s2IyOF/QP6zCTAf
32 
-+BgNVHSMEGDAWgBTwhghX7uNdMejZ3f4XorqOQoMqwTAJBgNVHRMEAjAAMCgGA1Ud
33 
-+EQQhMB+gHQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEB
34 
-+CwUAA4IBAQAhxbCEVH8pq0aUMaLWaodyXdCqA0AKTFG6Mz9Rpwn89OwC8FylTEru
35 
-+t+Bqx/ZuTo8YzON8h9m7DIrQIjZKDLW/g5YbvIsxIVV9gWhAGohdsIyMKRBepSmr
36 
-+NxJQkO74RLBTamfl0WUCVM4HqroflFjBBG67CTJaQ9cH9ug3TKxaXCK1L6iQAXtq
37 
-+enILGai98Byo0LCFH4MQOhmhV1BDT2boIG/iYb5VKCTSX25vhaF+PNBhUoysjW0O
38 
-+vhQX8vrw42QRr4Qi7VfUBXzrbRTzxjOc4yqki7h2DcEdpginqe+aGyaFY+H9m/ka
39 
-+1AR5KN8h5SYKltSXknjs0pp1w4k49aHl
40 
-+-----END CERTIFICATE-----
41 
-diff --git a/test/certs/nccaothername-cert.pem b/test/certs/nccaothername-cert.pem
42 
-new file mode 100644
43 
-index 0000000000..f9b9b07b80
44 
-+++ b/test/certs/nccaothername-cert.pem
45 
-@@ -0,0 +1,20 @@
46 
-+-----BEGIN CERTIFICATE-----
47 
-+MIIDPjCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
48 
-+IENBMCAXDTIyMTIxMzE4MTgwM1oYDzIxMjIxMjE0MTgxODAzWjAfMR0wGwYDVQQD
49 
-+DBRUZXN0IE5DIENBIG90aGVybmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
50 
-+AQoCggEBAN0Dx+ei8CgtRKnDcYiLwX4vrA48at/o/zfX24X/WZZM1o9HUKo1FQBN
51 
-+vhESJu+gqPxuIePrk+/L25XdRqwCKk8wkWX0XIz18q5orOHUUFAWNK3g0FDj6N8H
52 
-+d8urNIbDJ44FCx+/0n8Ppiht/EYN3aVOW5enqbgZ+EEt+3AUG6ibieRdGri9g4oh
53 
-+IIx60MmVHLbuT/TcVZxaeWyTl6iWmsYosUyqlhTtu1uGtbVtkCAhBYloVvz4J5eA
54 
-+mVu/JuJbsNxbxVeO9Q8Kj6nb4jPPdGvZ3JPcabbWrz5LwaereBf5IPrXEVdQTlYB
55 
-+gI0pTz2CEDHSIrd7jzRUX/9EC2gMk6UCAwEAAaOBjzCBjDAPBgNVHRMBAf8EBTAD
56 
-+AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU8IYIV+7jXTHo2d3+F6K6jkKDKsEw
57 
-+HwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwLAYDVR0eBCUwI6EhMB+g
58 
-+HQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IB
59 
-+AQDPI5uZd8DhSNKMvYF5bxOshd6h6UJ7YzZS7K6fhiygltdqzkHQ/5+4yiuUkDe4
60 
-+hOZlH8MCfXQy5jVZDTk24yNchpdfie5Bswn4SmQVQh3QyzOLxizoh0rLCf2PHueu
61 
-+dNVNhfiiJNJ5kd8MIuVG7CPK68dP0QrVR+DihROuJgvGB3ClKttLrgle19t4PFRR
62 
-+2wW6hJT9aXEjzLNyN1QFZKoShuiGX4xwjZh7VyKkV64p8hjojhcLk6dQkel+Jw4y
63 
-+OP26XbVfM8/6KG8f6WAZ8P0qJwHlhmi0EvRTnEpAM8WuenOeZH6ERZ9uZbRGh6xx
64 
-+LKQu2Aw2+bOEZ2vUtz0dBhX8
65 
-+-----END CERTIFICATE-----
66 
-diff --git a/test/certs/nccaothername-key.pem b/test/certs/nccaothername-key.pem
67 
-new file mode 100644
68 
-index 0000000000..d3e300ac2f
69 
-+++ b/test/certs/nccaothername-key.pem
70 
-@@ -0,0 +1,28 @@
71 
-+-----BEGIN PRIVATE KEY-----
72 
-+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdA8fnovAoLUSp
73 
-+w3GIi8F+L6wOPGrf6P8319uF/1mWTNaPR1CqNRUATb4REibvoKj8biHj65Pvy9uV
74 
-+3UasAipPMJFl9FyM9fKuaKzh1FBQFjSt4NBQ4+jfB3fLqzSGwyeOBQsfv9J/D6Yo
75 
-+bfxGDd2lTluXp6m4GfhBLftwFBuom4nkXRq4vYOKISCMetDJlRy27k/03FWcWnls
76 
-+k5eolprGKLFMqpYU7btbhrW1bZAgIQWJaFb8+CeXgJlbvybiW7DcW8VXjvUPCo+p
77 
-+2+Izz3Rr2dyT3Gm21q8+S8Gnq3gX+SD61xFXUE5WAYCNKU89ghAx0iK3e480VF//
78 
-+RAtoDJOlAgMBAAECggEAMFSJlCyEFlER3Qq9asXe9eRgXEuXdmfZ2aEVIuf8M/sR
79 
-+B0tpxxKtCUA24j5FL+0CzxKZTCFBnDRIzCyTbf1aOa9t+CzXyUZmP3/p4EdgmabF
80 
-+dcl93FZ+X7kfF/VUGu0Vmv+c12BH3Fu0cs5cVohlMecg7diu6zCYok43F+L5ymRy
81 
-+2mTcKkGc0ShWizj8Z9R3WJGssZOlxbxa/Zr4rZwRC24UVhfN8AfGWYx/StyQPQIw
82 
-+gtbbtOmwbyredQmY4jwNqgrnfZS9bkWwJbRuCmD5l7lxubBgcHQpoM+DQVeOLZIq
83 
-+uksFXeNfal9G5Bo747MMzpD7dJMCGmX+gbMY5oZF+QKBgQDs2MbY4nbxi+fV+KuV
84 
-+zUvis8m8Lpzf3T6NLkgSkUPRN9tGr95iLIrB/bRPJg5Ne02q/cT7d86B9rpE42w7
85 
-+eeIF9fANezX2AF8LUqNZhIR23J3tfB/eqGlJRZeMNia+lD09a7SWGwrS7sufY1I+
86 
-+JQGcHx77ntt+eQT1MUJ1skF06QKBgQDu4z+TW4QIA5ItxIReVdcfh5e3xLkzDEVP
87 
-+3KNo9tpXxvPwqapdeBh6c9z4Lqe3MKr5UPlDvVW+o40t6OjKxDCXczB8+JAM0OyX
88 
-+8V+K3zXXUxRgieSd3oMncTylSWIvouPP3aW37B67TKdRlRHgaBrpJT2wdk3kYR4t
89 
-+62J1eDdjXQKBgQDMsY0pZI/nskJrar7geM1c4IU5Xg+2aj/lRFqFsYYrC1s3fEd2
90 
-+EYjan6l1vi4eSLKXVTspGiIfsFzLrMGdpXjyLduJyzKXqTp7TrBebWkOUR0sYloo
91 
-+1OQprzuKskJJ81P6AVvRXw27vyW8Wtp5WwJJK5xbWq/YXj8qqagGkEiCAQKBgQCc
92 
-+RK3XAFurPmLGa7JHX5Hc/z8BKMAZo6JHrsZ6qFiGaRA0U1it0hz5JYfcFfECheSi
93 
-+ORUF+fn4PlbhPGXkFljPCbwjVBovOBA9CNl+J6u50pAW4r1ZhDB5gbqxSQLgtIaf
94 
-++JcqbFxiG6+sT36lNJS+BO2I3KrxhZJPaZY7z8szxQKBgQDRy70XzwOk8jXayiF2
95 
-+ej2IN7Ow9cgSE4tLEwR/vCjxvOlWhA3jC3wxoggshGJkpbP3DqLkQtwQm0h1lM8J
96 
-+QNtFwKzjtpf//bTlfFq08/YxWimTPMqzcV2PgRacB8P3yf1r8T7M4fA5TORCDWpW
97 
-+5FtOCFEmwQHTR8lu4c63qfxkEQ==
98 
-+-----END PRIVATE KEY-----
99 
-diff --git a/test/certs/setup.sh b/test/certs/setup.sh
100 
-index b9766aab20..2240cd9df0 100755
101 
-+++ b/test/certs/setup.sh
102 
-@@ -388,6 +388,17 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
103 
-     "email.1 = good@good.org" "email.2 = any@good.com" \
104 
-     "IP = 127.0.0.1" "IP = 192.168.0.1"
105 
-
106 
-+# Certs for CVE-2022-4203 testcase
107 
-+
108 
-+NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \
109 
-+    "Test NC CA othername" nccaothername-key nccaothername-cert \
110 
-+    root-key root-cert
111 
-+
112 
-+./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \
113 
-+    ./mkcert.sh geneealt bad-othername-key bad-othername-cert \
114 
-+    nccaothername-key nccaothername-cert \
115 
-+    "otherName.1 = SRVName;UTF8STRING:foo@example.org"
116 
-+
117 
- # RSA-PSS signatures
118 
- # SHA1
119 
- ./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
120 
-diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
121 
-index 4613489f57..e6a2bca731 100644
122 
-+++ b/test/recipes/25-test_verify.t
123 
-@@ -29,7 +29,7 @@ sub verify {
124 
-     run(app([@args]));
125 
- }
126 
-
127 
--plan tests => 163;
128 
-+plan tests => 164;
129 
-
130 
- # Canonical success
131 
- ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
132 
-@@ -402,6 +402,9 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
133 
- ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
134 
-    "Name constraints nested DNS name excluded");
135 
-
136 
-+ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ),
137 
-+   "CVE-2022-4203 type confusion test");
138 
-+
139 
- #Check that we get the expected failure return code
140 
- with({ exit_checker => sub { return shift == 2; } },
141 
-      sub {
142 
-2.32.0 (Apple Git-132)
143 
-
SPECS/openssl/CVE/4304/0001-Fix-Timing-Oracle-in-RSA-decryption.patch
History View file @ 7f4c42b
144 1 
deleted file mode 100644
... ... 
@@ -1,748 +0,0 @@
1 
-From a193d769315602d5ba7a10f9cfb2dd729e0ca010 Mon Sep 17 00:00:00 2001
2 
-From: Dmitry Belyavskiy <beldmit@gmail.com>
3 
-Date: Fri, 20 Jan 2023 15:03:40 +0000
4 
-Subject: [PATCH] Fix Timing Oracle in RSA decryption
5 
-
6 
-A timing based side channel exists in the OpenSSL RSA Decryption
7 
-implementation which could be sufficient to recover a ciphertext across
8 
-a network in a Bleichenbacher style attack. To achieve a successful
9 
-decryption an attacker would have to be able to send a very large number
10 
-of trial messages for decryption. The vulnerability affects all RSA
11 
-padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
12 
-
13 
-Patch written by Dmitry Belyavsky and Hubert Kario
14 
-
15 
-CVE-2022-4304
16 
- crypto/bn/bn_blind.c     |  14 -
17 
- crypto/bn/bn_local.h     |  14 +
18 
- crypto/rsa/build.info    |   2 +-
19 
- crypto/rsa/rsa_ossl.c    |  19 +-
20 
- crypto/rsa/rsa_sup_mul.c | 600 +++++++++++++++++++++++++++++++++++++++
21 
- crypto/rsa/rsa_sup_mul.h |   6 +
22 
- 6 files changed, 634 insertions(+), 21 deletions(-)
23 
- create mode 100644 crypto/rsa/rsa_sup_mul.c
24 
- create mode 100644 crypto/rsa/rsa_sup_mul.h
25 
-
26 
-diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
27 
-index 72457b34cf..6061ebb4c0 100644
28 
-+++ b/crypto/bn/bn_blind.c
29 
-@@ -13,20 +13,6 @@
30 
-
31 
- #define BN_BLINDING_COUNTER     32
32 
-
33 
--struct bn_blinding_st {
34 
--    BIGNUM *A;
35 
--    BIGNUM *Ai;
36 
--    BIGNUM *e;
37 
--    BIGNUM *mod;                /* just a reference */
38 
--    CRYPTO_THREAD_ID tid;
39 
--    int counter;
40 
--    unsigned long flags;
41 
--    BN_MONT_CTX *m_ctx;
42 
--    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
43 
--                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
44 
--    CRYPTO_RWLOCK *lock;
45 
--};
46 
--
47 
- BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
48 
- {
49 
-     BN_BLINDING *ret = NULL;
50 
-diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
51 
-index c9a7ecf298..8c428f919d 100644
52 
-+++ b/crypto/bn/bn_local.h
53 
-@@ -290,6 +290,20 @@ struct bn_gencb_st {
54 
-     } cb;
55 
- };
56 
-
57 
-+struct bn_blinding_st {
58 
-+    BIGNUM *A;
59 
-+    BIGNUM *Ai;
60 
-+    BIGNUM *e;
61 
-+    BIGNUM *mod;                /* just a reference */
62 
-+    CRYPTO_THREAD_ID tid;
63 
-+    int counter;
64 
-+    unsigned long flags;
65 
-+    BN_MONT_CTX *m_ctx;
66 
-+    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
67 
-+                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
68 
-+    CRYPTO_RWLOCK *lock;
69 
-+};
70 
-+
71 
- /*-
72 
-  * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
73 
-  *
74 
-diff --git a/crypto/rsa/build.info b/crypto/rsa/build.info
75 
-index ad3370db39..10f2c00ec1 100644
76 
-+++ b/crypto/rsa/build.info
77 
-@@ -3,7 +3,7 @@ LIBS=../../libcrypto
78 
- $COMMON=rsa_ossl.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_pk1.c \
79 
-         rsa_none.c rsa_oaep.c rsa_chk.c rsa_pss.c rsa_x931.c rsa_crpt.c \
80 
-         rsa_sp800_56b_gen.c rsa_sp800_56b_check.c rsa_backend.c \
81 
--        rsa_mp_names.c rsa_schemes.c
82 
-+        rsa_mp_names.c rsa_schemes.c rsa_sup_mul.c
83 
-
84 
- SOURCE[../../libcrypto]=$COMMON\
85 
-         rsa_saos.c rsa_err.c rsa_asn1.c rsa_ameth.c rsa_prn.c \
86 
-diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
87 
-index 381c659352..5d7cd0ab3b 100644
88 
-+++ b/crypto/rsa/rsa_ossl.c
89 
-@@ -16,6 +16,7 @@
90 
- #include "internal/cryptlib.h"
91 
- #include "crypto/bn.h"
92 
- #include "rsa_local.h"
93 
-+#include "rsa_sup_mul.h"
94 
- #include "internal/constant_time.h"
95 
-
96 
- static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
97 
-@@ -469,13 +470,19 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
98 
-         BN_free(d);
99 
-     }
100 
-
101 
--    if (blinding)
102 
--        if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
103 
-+    if (blinding) {
104 
-+        /*
105 
-+	 * do_unblind combines blinding inversion and
106 
-+	 * 0-padded BN BE serialization
107 
-+	 */
108 
-+        j = do_unblind(ret, blinding, unblind, rsa->n, ctx, buf, num);
109 
-+        if (j == 0)
110 
-             goto err;
111 
--
112 
--    j = BN_bn2binpad(ret, buf, num);
113 
--    if (j < 0)
114 
--        goto err;
115 
-+    } else {
116 
-+        j = BN_bn2binpad(ret, buf, num);
117 
-+        if (j < 0)
118 
-+            goto err;
119 
-+    }
120 
-
121 
-     switch (padding) {
122 
-     case RSA_PKCS1_PADDING:
123 
-diff --git a/crypto/rsa/rsa_sup_mul.c b/crypto/rsa/rsa_sup_mul.c
124 
-new file mode 100644
125 
-index 0000000000..3f6fba26e5
126 
-+++ b/crypto/rsa/rsa_sup_mul.c
127 
-@@ -0,0 +1,600 @@
128 
-+#include <openssl/e_os2.h>
129 
-+#include <stddef.h>
130 
-+#include <sys/types.h>
131 
-+#include <string.h>
132 
-+#include "openssl/bn.h"
133 
-+#include "rsa_sup_mul.h"
134 
-+#include "crypto/bn/bn_local.h"
135 
-+#include "internal/endian.h"
136 
-+#include "internal/numbers.h"
137 
-+#include "internal/constant_time.h"
138 
-+
139 
-+# if BN_BYTES == 8
140 
-+typedef uint64_t limb_t;
141 
-+#  if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
142 
-+typedef uint128_t limb2_t;
143 
-+#   define HAVE_LIMB2_T
144 
-+#  endif
145 
-+#  define LIMB_BIT_SIZE 64
146 
-+#  define LIMB_BYTE_SIZE 8
147 
-+# elif BN_BYTES == 4
148 
-+typedef uint32_t limb_t;
149 
-+typedef uint64_t limb2_t;
150 
-+#  define LIMB_BIT_SIZE 32
151 
-+#  define LIMB_BYTE_SIZE 4
152 
-+#  define HAVE_LIMB2_T
153 
-+# else
154 
-+#  error "Not supported"
155 
-+# endif
156 
-+
157 
-+/*
158 
-+ * For multiplication we're using schoolbook multiplication,
159 
-+ * so if we have two numbers, each with 6 "digits" (words)
160 
-+ * the multiplication is calculated as follows:
161 
-+ *                        A B C D E F
162 
-+ *                     x  I J K L M N
163 
-+ *                     --------------
164 
-+ *                                N*F
165 
-+ *                              N*E
166 
-+ *                            N*D
167 
-+ *                          N*C
168 
-+ *                        N*B
169 
-+ *                      N*A
170 
-+ *                              M*F
171 
-+ *                            M*E
172 
-+ *                          M*D
173 
-+ *                        M*C
174 
-+ *                      M*B
175 
-+ *                    M*A
176 
-+ *                            L*F
177 
-+ *                          L*E
178 
-+ *                        L*D
179 
-+ *                      L*C
180 
-+ *                    L*B
181 
-+ *                  L*A
182 
-+ *                          K*F
183 
-+ *                        K*E
184 
-+ *                      K*D
185 
-+ *                    K*C
186 
-+ *                  K*B
187 
-+ *                K*A
188 
-+ *                        J*F
189 
-+ *                      J*E
190 
-+ *                    J*D
191 
-+ *                  J*C
192 
-+ *                J*B
193 
-+ *              J*A
194 
-+ *                      I*F
195 
-+ *                    I*E
196 
-+ *                  I*D
197 
-+ *                I*C
198 
-+ *              I*B
199 
-+ *         +  I*A
200 
-+ *         ==========================
201 
-+ *                        N*B N*D N*F
202 
-+ *                    + N*A N*C N*E
203 
-+ *                    + M*B M*D M*F
204 
-+ *                  + M*A M*C M*E
205 
-+ *                  + L*B L*D L*F
206 
-+ *                + L*A L*C L*E
207 
-+ *                + K*B K*D K*F
208 
-+ *              + K*A K*C K*E
209 
-+ *              + J*B J*D J*F
210 
-+ *            + J*A J*C J*E
211 
-+ *            + I*B I*D I*F
212 
-+ *          + I*A I*C I*E
213 
-+ *
214 
-+ *                1+1 1+3 1+5
215 
-+ *              1+0 1+2 1+4
216 
-+ *              0+1 0+3 0+5
217 
-+ *            0+0 0+2 0+4
218 
-+ *
219 
-+ *            0 1 2 3 4 5 6
220 
-+ * which requires n^2 multiplications and 2n full length additions
221 
-+ * as we can keep every other result of limb multiplication in two separate
222 
-+ * limbs
223 
-+ */
224 
-+
225 
-+#if defined HAVE_LIMB2_T
226 
-+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
227 
-+{
228 
-+    limb2_t t;
229 
-+    /*
230 
-+     * this is idiomatic code to tell compiler to use the native mul
231 
-+     * those three lines will actually compile to single instruction
232 
-+     */
233 
-+
234 
-+    t = (limb2_t)a * b;
235 
-+    *hi = t >> LIMB_BIT_SIZE;
236 
-+    *lo = t & -1UL;
237 
-+}
238 
-+#elif (BN_BYTES == 8) && (defined _MSC_VER)
239 
-+/* https://learn.microsoft.com/en-us/cpp/intrinsics/mul128?view=msvc-170 */
240 
-+#pragma intrinsic(_mul128)
241 
-+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
242 
-+{
243 
-+    *lo = _mul128(a, b, hi);
244 
-+}
245 
-+#else
246 
-+/*
247 
-+ * if the compiler doesn't have either a 128bit data type nor a "return
248 
-+ * high 64 bits of multiplication"
249 
-+ */
250 
-+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
251 
-+{
252 
-+    limb_t a_low = (limb_t)(uint32_t)a;
253 
-+    limb_t a_hi = a >> 32;
254 
-+    limb_t b_low = (limb_t)(uint32_t)b;
255 
-+    limb_t b_hi = b >> 32;
256 
-+
257 
-+    limb_t p0 = a_low * b_low;
258 
-+    limb_t p1 = a_low * b_hi;
259 
-+    limb_t p2 = a_hi * b_low;
260 
-+    limb_t p3 = a_hi * b_hi;
261 
-+
262 
-+    uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
263 
-+
264 
-+    *lo = p0 + (p1 << 32) + (p2 << 32);
265 
-+    *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
266 
-+}
267 
-+#endif
268 
-+
269 
-+/* add two limbs with carry in, return carry out */
270 
-+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
271 
-+{
272 
-+    limb_t carry1, carry2, t;
273 
-+    /*
274 
-+     * `c = a + b; if (c < a)` is idiomatic code that makes compilers
275 
-+     * use add with carry on assembly level
276 
-+     */
277 
-+
278 
-+    *ret = a + carry;
279 
-+    if (*ret < a)
280 
-+        carry1 = 1;
281 
-+    else
282 
-+        carry1 = 0;
283 
-+
284 
-+    t = *ret;
285 
-+    *ret = t + b;
286 
-+    if (*ret < t)
287 
-+        carry2 = 1;
288 
-+    else
289 
-+        carry2 = 0;
290 
-+
291 
-+    return carry1 + carry2;
292 
-+}
293 
-+
294 
-+/*
295 
-+ * add two numbers of the same size, return overflow
296 
-+ *
297 
-+ * add a to b, place result in ret; all arrays need to be n limbs long
298 
-+ * return overflow from addition (0 or 1)
299 
-+ */
300 
-+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
301 
-+{
302 
-+    limb_t c = 0;
303 
-+    ossl_ssize_t i;
304 
-+
305 
-+    for(i = n - 1; i > -1; i--)
306 
-+        c = _add_limb(&ret[i], a[i], b[i], c);
307 
-+
308 
-+    return c;
309 
-+}
310 
-+
311 
-+/*
312 
-+ * return number of limbs necessary for temporary values
313 
-+ * when multiplying numbers n limbs large
314 
-+ */
315 
-+static ossl_inline size_t mul_limb_numb(size_t n)
316 
-+{
317 
-+    return  2 * n * 2;
318 
-+}
319 
-+
320 
-+/*
321 
-+ * multiply two numbers of the same size
322 
-+ *
323 
-+ * multiply a by b, place result in ret; a and b need to be n limbs long
324 
-+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
325 
-+ * long
326 
-+ */
327 
-+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
328 
-+{
329 
-+    limb_t *r_odd, *r_even;
330 
-+    size_t i, j, k;
331 
-+
332 
-+    r_odd = tmp;
333 
-+    r_even = &tmp[2 * n];
334 
-+
335 
-+    memset(ret, 0, 2 * n * sizeof(limb_t));
336 
-+
337 
-+    for (i = 0; i < n; i++) {
338 
-+        for (k = 0; k < i + n + 1; k++) {
339 
-+            r_even[k] = 0;
340 
-+            r_odd[k] = 0;
341 
-+        }
342 
-+        for (j = 0; j < n; j++) {
343 
-+            /*
344 
-+	     * place results from even and odd limbs in separate arrays so that
345 
-+             * we don't have to calculate overflow every time we get individual
346 
-+             * limb multiplication result
347 
-+	     */
348 
-+            if (j % 2 == 0)
349 
-+                _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
350 
-+            else
351 
-+                _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
352 
-+        }
353 
-+        /*
354 
-+	 * skip the least significant limbs when adding multiples of
355 
-+         * more significant limbs (they're zero anyway)
356 
-+	 */
357 
-+        add(ret, ret, r_even, n + i + 1);
358 
-+        add(ret, ret, r_odd, n + i + 1);
359 
-+    }
360 
-+}
361 
-+
362 
-+/* modifies the value in place by performing a right shift by one bit */
363 
-+static ossl_inline void rshift1(limb_t *val, size_t n)
364 
-+{
365 
-+    limb_t shift_in = 0, shift_out = 0;
366 
-+    size_t i;
367 
-+
368 
-+    for (i = 0; i < n; i++) {
369 
-+        shift_out = val[i] & 1;
370 
-+        val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
371 
-+        shift_in = shift_out;
372 
-+    }
373 
-+}
374 
-+
375 
-+/* extend the LSB of flag to all bits of limb */
376 
-+static ossl_inline limb_t mk_mask(limb_t flag)
377 
-+{
378 
-+    flag |= flag << 1;
379 
-+    flag |= flag << 2;
380 
-+    flag |= flag << 4;
381 
-+    flag |= flag << 8;
382 
-+    flag |= flag << 16;
383 
-+#if (LIMB_BYTE_SIZE == 8)
384 
-+    flag |= flag << 32;
385 
-+#endif
386 
-+    return flag;
387 
-+}
388 
-+
389 
-+/*
390 
-+ * copy from either a or b to ret based on flag
391 
-+ * when flag == 0, then copies from b
392 
-+ * when flag == 1, then copies from a
393 
-+ */
394 
-+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
395 
-+{
396 
-+    /*
397 
-+     * would be more efficient with non volatile mask, but then gcc
398 
-+     * generates code with jumps
399 
-+     */
400 
-+    volatile limb_t mask;
401 
-+    size_t i;
402 
-+
403 
-+    mask = mk_mask(flag);
404 
-+    for (i = 0; i < n; i++) {
405 
-+#if (LIMB_BYTE_SIZE == 8)
406 
-+        ret[i] = constant_time_select_64(mask, a[i], b[i]);
407 
-+#else
408 
-+        ret[i] = constant_time_select_32(mask, a[i], b[i]);
409 
-+#endif
410 
-+    }
411 
-+}
412 
-+
413 
-+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
414 
-+{
415 
-+    limb_t borrow1, borrow2, t;
416 
-+    /*
417 
-+     * while it doesn't look constant-time, this is idiomatic code
418 
-+     * to tell compilers to use the carry bit from subtraction
419 
-+     */
420 
-+
421 
-+    *ret = a - borrow;
422 
-+    if (*ret > a)
423 
-+        borrow1 = 1;
424 
-+    else
425 
-+        borrow1 = 0;
426 
-+
427 
-+    t = *ret;
428 
-+    *ret = t - b;
429 
-+    if (*ret > t)
430 
-+        borrow2 = 1;
431 
-+    else
432 
-+        borrow2 = 0;
433 
-+
434 
-+    return borrow1 + borrow2;
435 
-+}
436 
-+
437 
-+/*
438 
-+ * place the result of a - b into ret, return the borrow bit.
439 
-+ * All arrays need to be n limbs long
440 
-+ */
441 
-+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
442 
-+{
443 
-+    limb_t borrow = 0;
444 
-+    ossl_ssize_t i;
445 
-+
446 
-+    for (i = n - 1; i > -1; i--)
447 
-+        borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
448 
-+
449 
-+    return borrow;
450 
-+}
451 
-+
452 
-+/* return the number of limbs necessary to allocate for the mod() tmp operand */
453 
-+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
454 
-+{
455 
-+    return (anum + modnum) * 3;
456 
-+}
457 
-+
458 
-+/*
459 
-+ * calculate a % mod, place the result in ret
460 
-+ * size of a is defined by anum, size of ret and mod is modnum,
461 
-+ * size of tmp is returned by mod_limb_numb()
462 
-+ */
463 
-+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
464 
-+               size_t modnum, limb_t *tmp)
465 
-+{
466 
-+    limb_t *atmp, *modtmp, *rettmp;
467 
-+    limb_t res;
468 
-+    size_t i;
469 
-+
470 
-+    memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
471 
-+
472 
-+    atmp = tmp;
473 
-+    modtmp = &tmp[anum + modnum];
474 
-+    rettmp = &tmp[(anum + modnum) * 2];
475 
-+
476 
-+    for (i = modnum; i <modnum + anum; i++)
477 
-+        atmp[i] = a[i-modnum];
478 
-+
479 
-+    for (i = 0; i < modnum; i++)
480 
-+        modtmp[i] = mod[i];
481 
-+
482 
-+    for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
483 
-+        rshift1(modtmp, anum + modnum);
484 
-+        res = sub(rettmp, atmp, modtmp, anum+modnum);
485 
-+        cselect(res, atmp, atmp, rettmp, anum+modnum);
486 
-+    }
487 
-+
488 
-+    memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
489 
-+}
490 
-+
491 
-+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
492 
-+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
493 
-+{
494 
-+    return 2 * (anum + 1);
495 
-+}
496 
-+
497 
-+/* multiply a by m, add to ret, return carry */
498 
-+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
499 
-+                           limb_t m, limb_t *tmp)
500 
-+{
501 
-+    limb_t carry = 0;
502 
-+    limb_t *r_odd, *r_even;
503 
-+    size_t i;
504 
-+
505 
-+    memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
506 
-+
507 
-+    r_odd = tmp;
508 
-+    r_even = &tmp[anum + 1];
509 
-+
510 
-+    for (i = 0; i < anum; i++) {
511 
-+        /*
512 
-+	 * place the results from even and odd limbs in separate arrays
513 
-+         * so that we have to worry about carry just once
514 
-+	 */
515 
-+        if (i % 2 == 0)
516 
-+            _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
517 
-+        else
518 
-+            _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
519 
-+    }
520 
-+    /* assert: add() carry here will be equal zero */
521 
-+    add(r_even, r_even, r_odd, anum + 1);
522 
-+    /*
523 
-+     * while here it will not overflow as the max value from multiplication
524 
-+     * is -2 while max overflow from addition is 1, so the max value of
525 
-+     * carry is -1 (i.e. max int)
526 
-+     */
527 
-+    carry = add(ret, ret, &r_even[1], anum) + r_even[0];
528 
-+
529 
-+    return carry;
530 
-+}
531 
-+
532 
-+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
533 
-+{
534 
-+    return modnum * 2 + _mul_add_limb_numb(modnum);
535 
-+}
536 
-+
537 
-+/*
538 
-+ * calculate a % mod, place result in ret
539 
-+ * assumes that a is in mongomery form with the R (Mongomery modulus) being
540 
-+ * smallest power of two big enough to fit mod and that's also a power
541 
-+ * of the count of number of bits in limb_t (B).
542 
-+ * For calculation, we also need n', such that mod * n' == -1 mod B.
543 
-+ * anum must be <= 2 * modnum
544 
-+ * ret needs to be modnum words long
545 
-+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
546 
-+ */
547 
-+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
548 
-+                          size_t modnum, limb_t ni0, limb_t *tmp)
549 
-+{
550 
-+    limb_t carry, v;
551 
-+    limb_t *res, *rp, *tmp2;
552 
-+    ossl_ssize_t i;
553 
-+
554 
-+    res = tmp;
555 
-+    /*
556 
-+     * for intermediate result we need an integer twice as long as modulus
557 
-+     * but keep the input in the least significant limbs
558 
-+     */
559 
-+    memset(res, 0, sizeof(limb_t) * (modnum * 2));
560 
-+    memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
561 
-+    rp = &res[modnum];
562 
-+    tmp2 = &res[modnum * 2];
563 
-+
564 
-+    carry = 0;
565 
-+
566 
-+    /* add multiples of the modulus to the value until R divides it cleanly */
567 
-+    for (i = modnum; i > 0; i--, rp--) {
568 
-+        v = _mul_add_limb(rp, mod, modnum, (rp[modnum-1] * ni0) & -1UL, tmp2);
569 
-+        v = (v + carry + rp[-1]) & -1UL;
570 
-+        carry |= (v != rp[-1]);
571 
-+        carry &= (v <= rp[-1]);
572 
-+        rp[-1] = v;
573 
-+    }
574 
-+
575 
-+    /* perform the final reduction by mod... */
576 
-+    carry -= sub(ret, rp, mod, modnum);
577 
-+
578 
-+    /* ...conditionally */
579 
-+    cselect(carry, ret, rp, ret, modnum);
580 
-+}
581 
-+
582 
-+/* allocated buffer should be freed afterwards */
583 
-+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
584 
-+{
585 
-+    int i;
586 
-+    int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
587 
-+    limb_t *ptr = buf + (limbs - real_limbs);
588 
-+
589 
-+    for (i = 0; i < real_limbs; i++)
590 
-+         ptr[i] = bn->d[real_limbs - i - 1];
591 
-+}
592 
-+
593 
-+#if LIMB_BYTE_SIZE == 8
594 
-+static ossl_inline uint64_t be64(uint64_t host)
595 
-+{
596 
-+    uint64_t big = 0;
597 
-+    DECLARE_IS_ENDIAN;
598 
-+
599 
-+    if (!IS_LITTLE_ENDIAN)
600 
-+        return host;
601 
-+
602 
-+    big |= (host & 0xff00000000000000) >> 56;
603 
-+    big |= (host & 0x00ff000000000000) >> 40;
604 
-+    big |= (host & 0x0000ff0000000000) >> 24;
605 
-+    big |= (host & 0x000000ff00000000) >>  8;
606 
-+    big |= (host & 0x00000000ff000000) <<  8;
607 
-+    big |= (host & 0x0000000000ff0000) << 24;
608 
-+    big |= (host & 0x000000000000ff00) << 40;
609 
-+    big |= (host & 0x00000000000000ff) << 56;
610 
-+    return big;
611 
-+}
612 
-+
613 
-+#else
614 
-+/* Not all platforms have htobe32(). */
615 
-+static ossl_inline uint32_t be32(uint32_t host)
616 
-+{
617 
-+    uint32_t big = 0;
618 
-+    DECLARE_IS_ENDIAN;
619 
-+
620 
-+    if (!IS_LITTLE_ENDIAN)
621 
-+        return host;
622 
-+
623 
-+    big |= (host & 0xff000000) >> 24;
624 
-+    big |= (host & 0x00ff0000) >> 8;
625 
-+    big |= (host & 0x0000ff00) << 8;
626 
-+    big |= (host & 0x000000ff) << 24;
627 
-+    return big;
628 
-+}
629 
-+#endif
630 
-+
631 
-+/*
632 
-+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
633 
-+ * similar to BN_BLINDING_invert_ex() arguments.
634 
-+ * to_mod is RSA module
635 
-+ * buf and num is the serialization buffer and its length.
636 
-+ *
637 
-+ * Here we use classic/Mongomery multiplication and modulo. After the calculation finished
638 
-+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
639 
-+ */
640 
-+int do_unblind(const BIGNUM *intermediate, const BN_BLINDING *blinding, const BIGNUM *possible_arg2,
641 
-+               const BIGNUM *to_mod, BN_CTX *ctx, unsigned char *buf, int num)
642 
-+{
643 
-+    limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
644 
-+    limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
645 
-+    size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
646 
-+    size_t l_tmp_count = 0;
647 
-+    int ret = 0;
648 
-+    size_t i;
649 
-+    unsigned char *tmp;
650 
-+    const BIGNUM *arg1 = intermediate;
651 
-+    const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
652 
-+
653 
-+    l_im_count  = (BN_num_bytes(arg1)   + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
654 
-+    l_mul_count = (BN_num_bytes(arg2)   + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
655 
-+    l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
656 
-+
657 
-+    l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
658 
-+    l_im  = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
659 
-+    l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
660 
-+    l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
661 
-+
662 
-+    if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
663 
-+        goto err;
664 
-+
665 
-+    BN_to_limb(arg1,   l_im,  l_size);
666 
-+    BN_to_limb(arg2,   l_mul, l_size);
667 
-+    BN_to_limb(to_mod, l_mod, l_mod_count);
668 
-+
669 
-+    l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
670 
-+
671 
-+    if (blinding->m_ctx != NULL) {
672 
-+        l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
673 
-+                      mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
674 
-+        l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
675 
-+    } else {
676 
-+        l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
677 
-+                      mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
678 
-+        l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
679 
-+    }
680 
-+
681 
-+    if ((l_ret == NULL) || (l_tmp == NULL))
682 
-+        goto err;
683 
-+
684 
-+    if (blinding->m_ctx != NULL) {
685 
-+        limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
686 
-+	mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
687 
-+                       blinding->m_ctx->n0[0], l_tmp);
688 
-+    } else {
689 
-+        limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
690 
-+        mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
691 
-+    }
692 
-+
693 
-+    /* module size in bytes can be equal to num but after limbs conversion it becomes bigger */
694 
-+    if (num < BN_num_bytes(to_mod)) {
695 
-+        ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_INVALID_ARGUMENT);
696 
-+        goto err;
697 
-+    }
698 
-+
699 
-+    memset(buf, 0, num);
700 
-+    tmp = buf + num - BN_num_bytes(to_mod);
701 
-+    for (i = 0; i < l_mod_count; i++) {
702 
-+#if LIMB_BYTE_SIZE == 8
703 
-+        l_buf = be64(l_ret[i]);
704 
-+#else
705 
-+        l_buf = be32(l_ret[i]);
706 
-+#endif
707 
-+        if (i == 0) {
708 
-+            int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
709 
-+
710 
-+            memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
711 
-+            tmp += delta;
712 
-+        } else {
713 
-+            memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
714 
-+            tmp += LIMB_BYTE_SIZE;
715 
-+        }
716 
-+    }
717 
-+    ret = num;
718 
-+
719 
-+ err:
720 
-+    OPENSSL_free(l_im);
721 
-+    OPENSSL_free(l_mul);
722 
-+    OPENSSL_free(l_mod);
723 
-+    OPENSSL_free(l_tmp);
724 
-+    OPENSSL_free(l_ret);
725 
-+
726 
-+    return ret;
727 
-+}
728 
-diff --git a/crypto/rsa/rsa_sup_mul.h b/crypto/rsa/rsa_sup_mul.h
729 
-new file mode 100644
730 
-index 0000000000..4d4b513667
731 
-+++ b/crypto/rsa/rsa_sup_mul.h
732 
-@@ -0,0 +1,6 @@
733 
-+#ifndef OSSL_CRYPTO_RSA_SUP_MUL_H
734 
-+#define OSSL_CRYPTO_RSA_SUP_MUL_H
735 
-+
736 
-+int do_unblind(const BIGNUM *intermediate, const BN_BLINDING *blinding, const BIGNUM *possible_arg2,
737 
-+               const BIGNUM *to_mod, BN_CTX *ctx, unsigned char *buf, int num);
738 
-+#endif /* OSSL_CRYPTO_RSA_SUP_MUL_H */
739 
-2.32.0 (Apple Git-132)
740 
-
SPECS/openssl/CVE/4450/0001-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch
History View file @ 7f4c42b
741 1 
deleted file mode 100644
... ... 
@@ -1,38 +0,0 @@
1 
-From 4e519b9223c19d80d2b1e1a6de061ba2548d84cb Mon Sep 17 00:00:00 2001
2 
-From: Matt Caswell <matt@openssl.org>
3 
-Date: Tue, 13 Dec 2022 14:54:55 +0000
4 
-Subject: [PATCH 1/2] Avoid dangling ptrs in header and data params for
5 
- PEM_read_bio_ex
6 
-
7 
-In the event of a failure in PEM_read_bio_ex() we free the buffers we
8 
-allocated for the header and data buffers. However we were not clearing
9 
-the ptrs stored in *header and *data. Since, on success, the caller is
10 
-responsible for freeing these ptrs this can potentially lead to a double
11 
-free if the caller frees them even on failure.
12 
-
13 
-Thanks to Dawei Wang for reporting this issue.
14 
-
15 
-Based on a proposed patch by Kurt Roeckx.
16 
-
17 
-CVE-2022-4450
18 
- crypto/pem/pem_lib.c | 2 ++
19 
- 1 file changed, 2 insertions(+)
20 
-
21 
-diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
22 
-index f9ff80162a..85c47fb627 100644
23 
-+++ b/crypto/pem/pem_lib.c
24 
-@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
25 
-
26 
- out_free:
27 
-     pem_free(*header, flags, 0);
28 
-+    *header = NULL;
29 
-     pem_free(*data, flags, 0);
30 
-+    *data = NULL;
31 
- end:
32 
-     EVP_ENCODE_CTX_free(ctx);
33 
-     pem_free(name, flags, 0);
34 
-2.32.0 (Apple Git-132)
35 
-
SPECS/openssl/CVE/4450/0002-Add-a-test-for-CVE-2022-4450.patch
History View file @ 7f4c42b
36 1 
deleted file mode 100644
... ... 
@@ -1,62 +0,0 @@
1 
-From bbc051d9aaf2d982fab9aef8b2f2f58a2b55cec7 Mon Sep 17 00:00:00 2001
2 
-From: Matt Caswell <matt@openssl.org>
3 
-Date: Tue, 13 Dec 2022 15:02:26 +0000
4 
-Subject: [PATCH 2/2] Add a test for CVE-2022-4450
5 
-
6 
-Call PEM_read_bio_ex() and expect a failure. There should be no dangling
7 
-ptrs and therefore there should be no double free if we free the ptrs on
8 
-error.
9 
- test/pemtest.c | 30 ++++++++++++++++++++++++++++++
10 
- 1 file changed, 30 insertions(+)
11 
-
12 
-diff --git a/test/pemtest.c b/test/pemtest.c
13 
-index a8d2d49bb5..a5d28cb256 100644
14 
-+++ b/test/pemtest.c
15 
-@@ -96,6 +96,35 @@ static int test_cert_key_cert(void)
16 
-     return 1;
17 
- }
18 
-
19 
-+static int test_empty_payload(void)
20 
-+{
21 
-+    BIO *b;
22 
-+    static char *emptypay =
23 
-+        "-----BEGIN CERTIFICATE-----\n"
24 
-+        "-\n" /* Base64 EOF character */
25 
-+        "-----END CERTIFICATE-----";
26 
-+    char *name = NULL, *header = NULL;
27 
-+    unsigned char *data = NULL;
28 
-+    long len;
29 
-+    int ret = 0;
30 
-+
31 
-+    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
32 
-+    if (!TEST_ptr(b))
33 
-+        return 0;
34 
-+
35 
-+    /* Expected to fail because the payload is empty */
36 
-+    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
37 
-+        goto err;
38 
-+
39 
-+    ret = 1;
40 
-+ err:
41 
-+    OPENSSL_free(name);
42 
-+    OPENSSL_free(header);
43 
-+    OPENSSL_free(data);
44 
-+    BIO_free(b);
45 
-+    return ret;
46 
-+}
47 
-+
48 
- int setup_tests(void)
49 
- {
50 
-     if (!TEST_ptr(pemfile = test_get_argument(0)))
51 
-@@ -103,5 +132,6 @@ int setup_tests(void)
52 
-     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
53 
-     ADD_TEST(test_invalid);
54 
-     ADD_TEST(test_cert_key_cert);
55 
-+    ADD_TEST(test_empty_payload);
56 
-     return 1;
57 
- }
58 
-2.32.0 (Apple Git-132)
59 
-
SPECS/openssl/openssl.spec
History View file @ 7f4c42b
... ... 
@@ -7,8 +7,8 @@
7 7
8 8 
 Summary:        Management tools and libraries relating to cryptography
9 9 
 Name:           openssl
10 
-Version:        3.0.7
11 
-Release:        3%{?dist}
10 
+Version:        3.0.8
11 
+Release:        1%{?dist}
12 12 
 License:        OpenSSL
13 13 
 URL:            http://www.openssl.org
14 14 
 Group:          System Environment/Security
... ... 
@@ -16,7 +16,7 @@ Vendor:         VMware, Inc.
16 16 
 Distribution:   Photon
17 17
18 18 
 Source0: http://www.openssl.org/source/%{name}-%{version}.tar.gz
19 
-%define sha512 %{name}=6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424
19 
+%define sha512 %{name}=8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d
20 20
21 21 
 Source1: rehash_ca_certificates.sh
22 22 
 Source2: provider_default.cnf
... ... 
@@ -38,34 +38,6 @@ Source8: dsapub_noparam.der
38 38 
 %endif
39 39
40 40 
 Patch0: openssl-cnf.patch
41 
-Patch1: 0001-x509-fix-double-locking-problem.patch
42 
-
43 
-# Fix for multiple security issues
44 
-Patch2: 0001-Fix-type-confusion-in-nc_match_single.patch
45 
-Patch3: 0002-Add-testcase-for-nc_match_single-type-confusion.patch
46 
-
47 
-Patch4: 0001-Fix-Timing-Oracle-in-RSA-decryption.patch
48 
-
49 
-Patch5: 0001-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch
50 
-Patch6: 0002-Add-a-test-for-CVE-2022-4450.patch
51 
-
52 
-Patch7: 0001-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
53 
-Patch8: 0002-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
54 
-Patch9: 0003-squash-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDE.patch
55 
-Patch10: 0004-fixup-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
56 
-
57 
-Patch11: 0001-Do-not-dereference-PKCS7-object-data-if-not-set.patch
58 
-Patch12: 0002-Add-test-for-d2i_PKCS7-NULL-dereference.patch
59 
-
60 
-Patch13: 0001-Fix-NULL-deference-when-validating-FFC-public-key.patch
61 
-Patch14: 0002-Prevent-creating-DSA-and-DH-keys-without-parameters-.patch
62 
-Patch15: 0003-Do-not-create-DSA-keys-without-parameters-by-decoder.patch
63 
-Patch16: 0004-Add-test-for-DSA-pubkey-without-param-import-and-che.patch
64 
-
65 
-Patch17: 0001-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-3.patch
66 
-
67 
-Patch18: 0001-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
68 
-Patch19: 0002-Add-testcase-for-missing-return-check-of-BIO_set_md-.patch
69 41
70 42 
 %if 0%{?with_check}
71 43 
 BuildRequires: zlib-devel
... ... 
@@ -74,6 +46,7 @@ BuildRequires: zlib-devel
74 74 
 Requires: bash
75 75 
 Requires: glibc
76 76 
 Requires: libgcc
77 
+Requires: %{name}-libs = %{version}-%{release}
77 78
78 79 
 %description
79 80 
 The OpenSSL package contains management tools and libraries relating
... ... 
@@ -81,6 +54,13 @@ to cryptography. These are useful for providing cryptography
81 81 
 functions to other packages, such as OpenSSH, email applications and
82 82 
 web browsers (for accessing HTTPS sites).
83 83
84 
+%package libs
85 
+Summary: Core libraries and other files needed by openssl.
86 
+Conflicts: %{name} < 3.0.8-1
87 
+
88 
+%description libs
89 
+%{summary}
90 
+
84 91 
 %package devel
85 92 
 Summary:    Development Libraries for openssl
86 93 
 Group:      Development/Libraries
... ... 
@@ -142,13 +122,16 @@ exit 1
142 142 
 %endif
143 143
144 144 
 %build
145 
-%if 0%{?with_certified_fips}
146 
-  %undefine with_latest_fips
147 
-%elif 0%{?with_latest_fips}
148 
-  %undefine with_certified_fips
145 
+# rpm 4.14.x doesn't understand elif, so keep it basic
146 
+%if 0%{?with_certified_fips} || 0%{?with_latest_fips}
147 
+  %if 0%{?with_certified_fips}
148 
+    %undefine with_latest_fips
149 
+  %else
150 
+    %undefine with_certified_fips
151 
+  %endif
149 152 
 %else
150 
-  %undefine with_latest_fips
151 153 
   %undefine with_certified_fips
154 
+  %undefine with_latest_fips
152 155 
 %endif
153 156
154 157 
 if [ %{_host} != %{_build} ]; then
... ... 
@@ -199,7 +182,7 @@ cp %{SOURCE8} test/recipes/91-test_pkey_check_data/
199 199 
 make tests %{?_smp_mflags}
200 200 
 %endif
201 201
202 
-%ldconfig_scriptlets
202 
+%ldconfig_scriptlets libs
203 203
204 204 
 %if 0%{?with_certified_fips} || 0%{?with_latest_fips}
205 205 
 %post fips-provider
... ... 
@@ -223,19 +206,7 @@ rm -rf %{buildroot}/*
223 223
224 224 
 %files
225 225 
 %defattr(-,root,root)
226 
-%{_sysconfdir}/ssl/certs
227 
-%{_sysconfdir}/ssl/ct_log_list.cnf
228 
-%{_sysconfdir}/ssl/ct_log_list.cnf.dist
229 
-%{_sysconfdir}/ssl/openssl.cnf.dist
230 
-%config(noreplace) %{_sysconfdir}/ssl/openssl.cnf
231 
-%config(noreplace) %{_sysconfdir}/ssl/user.cnf
232 
-%{_sysconfdir}/ssl/provider_default.cnf
233 
-%{_sysconfdir}/ssl/distro.cnf
234 
-%{_sysconfdir}/ssl/private
235 226 
 %{_bindir}/%{name}
236 
-%{_libdir}/*.so.*
237 
-%{_libdir}/engines*/*
238 
-%{_libdir}/ossl-modules/legacy.so
239 227
240 228 
 %if 0%{?with_certified_fips} || 0%{?with_latest_fips}
241 229 
 %files fips-provider
... ... 
@@ -249,6 +220,21 @@ rm -rf %{buildroot}/*
249 249 
 %endif
250 250 
 %endif
251 251
252 
+%files libs
253 
+%defattr(-,root,root)
254 
+%{_libdir}/*.so.*
255 
+%{_libdir}/engines*/*
256 
+%{_libdir}/ossl-modules/legacy.so
257 
+%{_sysconfdir}/ssl/openssl.cnf.dist
258 
+%config(noreplace) %{_sysconfdir}/ssl/openssl.cnf
259 
+%config(noreplace) %{_sysconfdir}/ssl/user.cnf
260 
+%{_sysconfdir}/ssl/provider_default.cnf
261 
+%{_sysconfdir}/ssl/distro.cnf
262 
+%{_sysconfdir}/ssl/certs
263 
+%{_sysconfdir}/ssl/ct_log_list.cnf
264 
+%{_sysconfdir}/ssl/ct_log_list.cnf.dist
265 
+%{_sysconfdir}/ssl/private
266 
+
252 267 
 %files devel
253 268 
 %defattr(-,root,root)
254 269 
 %{_includedir}/*
... ... 
@@ -276,6 +262,9 @@ rm -rf %{buildroot}/*
276 276 
 %{_mandir}/man7/*
277 277
278 278 
 %changelog
279 
+* Wed Mar 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 3.0.8-1
280 
+- Add openssl-libs subpackage
281 
+- Upgrade to v3.0.8
279 282 
 * Tue Feb 21 2023 Shreenidhi Shedi <sshedi@vmware.com> 3.0.7-3
280 283 
 - Package fips certified fips.so in openssl-fips-provider
281 284 
 - Fix various security issues
SPECS/openssl/rehash_ca_certificates.sh
History View file @ 7f4c42b
... ... 
@@ -5,11 +5,8 @@ set -e
5 5 
 CERTIFICATES_PATH="/etc/ssl/certs/"
6 6 
 CONCATENATED_CERT_FILE="/etc/pki/tls/certs/ca-bundle.crt"
7 7
8 
-openssl rehash $CERTIFICATES_PATH
9 
-
10 
-if [ $? != 0 ]; then
11 
-    echo "Error while c_rehashing"
8 
+if ! openssl rehash $CERTIFICATES_PATH; then
9 
+   echo "Error while c_rehashing"
12 10 
 fi
13 11
14 12 
 cat $CERTIFICATES_PATH*.pem > $CONCATENATED_CERT_FILE
15 
-
SPECS/rpm/rpm.spec
History View file @ 7f4c42b
... ... 
@@ -3,7 +3,7 @@
3 3 
 Summary:    Package manager
4 4 
 Name:       rpm
5 5 
 Version:    4.18.0
6 
-Release:    8%{?dist}
6 
+Release:    9%{?dist}
7 7 
 License:    GPLv2+
8 8 
 URL:        http://rpm.org
9 9 
 Group:      Applications/System
... ... 
@@ -28,7 +28,6 @@ Patch4:     fix-race-condition-in-brp-strip.patch
28 28 
 Requires:   bash
29 29 
 Requires:   zstd-libs
30 30 
 Requires:   lua
31 
-Requires:   openssl >= 1.1.1
32 31 
 Requires:   %{name}-libs = %{version}-%{release}
33 32
34 33 
 BuildRequires:  pandoc-bin
... ... 
@@ -43,7 +42,7 @@ BuildRequires:  libcap-devel
43 43 
 BuildRequires:  xz-devel
44 44 
 BuildRequires:  file-devel
45 45 
 BuildRequires:  python3-devel
46 
-BuildRequires:  openssl-devel >= 1.1.1
46 
+BuildRequires:  openssl-devel
47 47 
 BuildRequires:  zstd-devel
48 48 
 BuildRequires:  sqlite-devel
49 49 
 BuildRequires:  debugedit
... ... 
@@ -73,6 +72,7 @@ Requires: bzip2-libs
73 73 
 Requires: elfutils-libelf
74 74 
 Requires: xz-libs
75 75 
 Requires: zstd-libs
76 
+Requires: openssl-libs
76 77 
 Conflicts:  libsolv < 0.7.19
77 78
78 79 
 %description  libs
... ... 
@@ -305,6 +305,8 @@ rm -rf %{buildroot}
305 305 
 %{_mandir}/man8/%{name}-plugin-systemd-inhibit.8*
306 306
307 307 
 %changelog
308 
+* Wed Mar 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 4.18.0-9
309 
+- Require openssl-libs
308 310 
 * Wed Feb 08 2023 Shreenidhi Shedi <sshedi@vmware.com> 4.18.0-8
309 311 
 - Fix requires
310 312 
 * Tue Jan 24 2023 Shreenidhi Shedi <sshedi@vmware.com> 4.18.0-7
SPECS/tdnf/tdnf.spec
History View file @ 7f4c42b
... ... 
@@ -1,7 +1,7 @@
1 1 
 Summary:        dnf/yum equivalent using C libs
2 2 
 Name:           tdnf
3 3 
 Version:        3.5.0
4 
-Release:        1%{?dist}
4 
+Release:        2%{?dist}
5 5 
 Vendor:         VMware, Inc.
6 6 
 Distribution:   Photon
7 7 
 License:        LGPLv2.1,GPLv2
... ... 
@@ -17,6 +17,7 @@ Requires:       curl-libs
17 17 
 Requires:       %{name}-cli-libs = %{version}-%{release}
18 18 
 Requires:       libsolv
19 19 
 Requires:       zlib
20 
+Requires:       openssl-libs
20 21
21 22 
 BuildRequires:  curl-devel
22 23 
 BuildRequires:  libsolv-devel
... ... 
@@ -264,6 +265,8 @@ systemctl try-restart %{name}-cache-updateinfo.timer >/dev/null 2>&1 || :
264 264 
 %{_unitdir}/%{name}-automatic-notifyonly.service
265 265
266 266 
 %changelog
267 
+* Fri Mar 10 2023 Shreenidhi Shedi <sshedi@vmware.com> 3.5.0-2
268 
+- Require openssl-libs
267 269 
 * Thu Mar 09 2023 Oliver Kurth <okurth@vmware.com> 3.5.0-1
268 270 
 - update to 3.5.0
269 271 
 * Tue Jan 31 2023 Oliver Kurth <okurth@vmware.com> 3.4.9-1
SPECS/toybox/toybox.spec
History View file @ 7f4c42b
... ... 
@@ -4,7 +4,7 @@
4 4
5 5 
 Name:           toybox
6 6 
 Version:        0.8.9
7 
-Release:        1%{?dist}
7 
+Release:        2%{?dist}
8 8 
 License:        BSD
9 9 
 Summary:        Common Linux command line utilities in a single executable
10 10 
 Url:            http://landley.net/toybox
... ... 
@@ -23,7 +23,7 @@ Source2: %{name}-toys
23 23 
 BuildRequires:  openssl-devel
24 24 
 BuildRequires:  zlib-devel
25 25
26 
-Requires:       openssl
26 
+Requires:       openssl-libs
27 27 
 Requires:       zlib
28 28
29 29 
 Provides:       /bin/grep
... ... 
@@ -707,6 +707,8 @@ mktoy %{_bindir}/which
707 707 
 %doc README LICENSE
708 708
709 709 
 %changelog
710 
+* Thu Mar 09 2023 Shreenidhi Shedi <sshedi@vmware.com> 0.8.9-2
711 
+- Require openssl-libs
710 712 
 * Mon Mar 06 2023 Harinadh D <hdommaraju@vmware.com> 0.8.9-1
711 713 
 - version upgrade
712 714 
 - fix copy_file_range() issue when copying to another filesystem
support/dockerfiles/photon/make-docker-image.sh
History View file @ 7f4c42b
... ... 
@@ -16,7 +16,6 @@ STAGE_DIR=$(pwd)/stage
16 16 
 rm -rf /etc/yum.repos.d/*
17 17
18 18 
 cat > /etc/yum.repos.d/photon-local.repo <<- EOF
19 
-
20 19 
 [photon-local]
21 20 
 name=VMware Photon Linux ${PHOTON_RELEASE_VERSION}($arch)
22 21 
 baseurl=file://$(pwd)/stage/RPMS
... ... 
@@ -24,7 +23,6 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
24 24 
 gpgcheck=0
25 25 
 enabled=1
26 26 
 skip_if_unavailable=True
27 
-
28 27 
 EOF
29 28
30 29 
 rm -rf $TEMP_CHROOT
... ... 
@@ -48,8 +46,8 @@ expected_pkg_list=(
48 48 
   bash bzip2-libs ca-certificates ca-certificates-pki curl curl-libs
49 49 
   e2fsprogs-libs elfutils-libelf expat-libs filesystem glibc krb5
50 50 
   libcap libgcc libsolv libssh2 lua ncurses-libs nspr nss-libs
51 
-  openssl photon-release photon-repos popt readline rpm-libs sqlite-libs
52 
-  tdnf tdnf-cli-libs toybox xz-libs zlib zstd-libs
51 
+  openssl-libs photon-release photon-repos popt readline rpm-libs
52 
+  sqlite-libs tdnf tdnf-cli-libs toybox xz-libs zlib zstd-libs
53 53 
 )
54 54
55 55 
 actual_pkg_count=${#actual_pkg_list[@]}
support/package-builder/constants.py
History View file @ 7f4c42b
... ... 
@@ -127,7 +127,7 @@ class constants(object):
127 127 
         "texinfo",
128 128 
         "autoconf",
129 129 
         "automake",
130 
-        "openssl",
130 
+        "openssl-libs",
131 131 
         "zstd",
132 132 
         "rpm",
133 133 
         "dwz",
... ... 
@@ -222,6 +222,7 @@ class constants(object):
222 222 
         "autoconf",
223 223 
         "automake",
224 224 
         "openssl",
225 
+        "openssl-libs",
225 226 
         "openssl-devel",
226 227 
         "libcap",
227 228 
         "zstd",
... ... 
@@ -268,6 +269,7 @@ class constants(object):
268 268 
         "pkg-config",
269 269 
         "git",
270 270 
         "openssl",
271 
+        "openssl-libs",
271 272 
         "openssl-devel",
272 273 
         "net-tools",
273 274 
         "less",
support/pullpublishrpms/rpmfilelist-aarch64
History View file @ 7f4c42b
... ... 
@@ -72,8 +72,9 @@ aarch64/nspr-devel-4.33-1.ph5.aarch64.rpm
72 72 
 aarch64/nss-3.78-3.ph5.aarch64.rpm
73 73 
 aarch64/nss-devel-3.78-3.ph5.aarch64.rpm
74 74 
 aarch64/nss-libs-3.78-3.ph5.aarch64.rpm
75 
-aarch64/openssl-3.0.7-2.ph5.aarch64.rpm
76 
-aarch64/openssl-devel-3.0.7-2.ph5.aarch64.rpm
75 
+aarch64/openssl-3.0.8-1.ph5.aarch64.rpm
76 
+aarch64/openssl-libs-3.0.8-1.ph5.aarch64.rpm
77 
+aarch64/openssl-devel-3.0.8-1.ph5.aarch64.rpm
77 78 
 aarch64/patch-2.7.6-5.ph5.aarch64.rpm
78 79 
 aarch64/pcre-libs-8.45-3.ph5.aarch64.rpm
79 80 
 aarch64/perl-5.36.0-1.ph5.aarch64.rpm
support/pullpublishrpms/rpmfilelist-x86_64
History View file @ 7f4c42b
... ... 
@@ -73,8 +73,9 @@ x86_64/nspr-devel-4.33-1.ph5.x86_64.rpm
73 73 
 x86_64/nss-3.78-3.ph5.x86_64.rpm
74 74 
 x86_64/nss-devel-3.78-3.ph5.x86_64.rpm
75 75 
 x86_64/nss-libs-3.78-3.ph5.x86_64.rpm
76 
-x86_64/openssl-3.0.7-2.ph5.x86_64.rpm
77 
-x86_64/openssl-devel-3.0.7-2.ph5.x86_64.rpm
76 
+x86_64/openssl-3.0.8-1.ph5.x86_64.rpm
77 
+x86_64/openssl-libs-3.0.8-1.ph5.x86_64.rpm
78 
+x86_64/openssl-devel-3.0.8-1.ph5.x86_64.rpm
78 79 
 x86_64/patch-2.7.6-5.ph5.x86_64.rpm
79 80 
 x86_64/pcre-libs-8.45-3.ph5.x86_64.rpm
80 81 
 x86_64/perl-5.36.0-1.ph5.x86_64.rpm
... ... 
@@ -104,4 +105,4 @@ x86_64/zlib-1.2.11-2.ph5.x86_64.rpm
104 104 
 x86_64/zlib-devel-1.2.11-2.ph5.x86_64.rpm
105 105 
 x86_64/zstd-1.5.2-1.ph5.x86_64.rpm
106 106 
 x86_64/zstd-devel-1.5.2-1.ph5.x86_64.rpm
107 
-x86_64/zstd-libs-1.5.2-1.ph5.x86_64.rpm
108 107 
\ No newline at end of file
108 
+x86_64/zstd-libs-1.5.2-1.ph5.x86_64.rpm