From 22a821356e6f4b9c0df6538f8f40fb924bbb1bcd Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 10 May 2019 14:35:26 +0200 Subject: [PATCH] Fix two small regressions Change the ts application default hash to SHA256 --- openssl-1.1.1-fips.patch | 30 +++++++++++----- openssl-1.1.1-no-brainpool.patch | 36 ++++++++----------- openssl-1.1.1-regression-fixes.patch | 37 ++++++++++++++++++++ openssl-1.1.1-ts-sha256-default.patch | 50 +++++++++++++++++++++++++++ openssl.spec | 10 +++++- 5 files changed, 131 insertions(+), 32 deletions(-) create mode 100644 openssl-1.1.1-regression-fixes.patch create mode 100644 openssl-1.1.1-ts-sha256-default.patch diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index adcc584..09d8692 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -1,6 +1,6 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c ---- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 08:56:33.531174336 +0200 -+++ openssl-1.1.1b/apps/speed.c 2019-05-07 09:43:06.673989992 +0200 +--- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 11:52:35.887597899 +0200 ++++ openssl-1.1.1b/apps/speed.c 2019-05-07 16:51:36.946350159 +0200 @@ -1592,7 +1592,8 @@ int speed_main(int argc, char **argv) continue; if (strcmp(*argv, "rsa") == 0) { @@ -22,8 +22,19 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c dsa_doit[R_DSA_2048] = 1; continue; } -@@ -1640,12 +1643,12 @@ int speed_main(int argc, char **argv) - ecdh_doit[i] = 2; +@@ -1633,19 +1636,21 @@ int speed_main(int argc, char **argv) + } + if (strcmp(*argv, "ecdh") == 0) { + for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) +- ecdh_doit[loop] = 1; ++ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448)) ++ ecdh_doit[loop] = 1; + continue; + } + if (found(*argv, ecdh_choices, &i)) { +- ecdh_doit[i] = 2; ++ if(!FIPS_mode() || (i != R_EC_X25519 && i != R_EC_X448)) ++ ecdh_doit[i] = 2; continue; } - if (strcmp(*argv, "eddsa") == 0) { 
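Review bot: In the `found(*argv, ecdh_choices, &i)` branch of the speed.c hunk, an explicitly requested X25519 or X448 run is now dropped without any message when FIPS mode is on. The guard skips `ecdh_doit[i] = 2;` and the following `continue` moves to the next argument, so the operator gets no result and no hint that policy refused the curve. An `else` branch such as `else BIO_printf(bio_err, "%s is not allowed in FIPS mode\n", *argv);` would make the refusal visible. The added lines also write `if(` where the surrounding code uses `if (`. speed_main starts and ends outside this hunk.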
@@ -37,7 +48,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c eddsa_doit[i] = 2; continue; } -@@ -1734,23 +1737,30 @@ int speed_main(int argc, char **argv) +@@ -1734,23 +1739,30 @@ int speed_main(int argc, char **argv) /* No parameters; turn on everything. */ if ((argc == 0) && !doit[D_EVP]) { for (i = 0; i < ALGOR_NUM; i++) @@ -73,7 +84,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c #endif } for (i = 0; i < ALGOR_NUM; i++) -@@ -1798,30 +1808,46 @@ int speed_main(int argc, char **argv) +@@ -1798,30 +1810,46 @@ int speed_main(int argc, char **argv) AES_set_encrypt_key(key24, 192, &aes_ks2); AES_set_encrypt_key(key32, 256, &aes_ks3); #ifndef OPENSSL_NO_CAMELLIA @@ -130,7 +141,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c #endif #ifndef SIGALRM # ifndef OPENSSL_NO_DES -@@ -2118,6 +2144,7 @@ int speed_main(int argc, char **argv) +@@ -2118,6 +2146,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) { loopargs[i].hctx = HMAC_CTX_new(); @@ -1648,7 +1659,7 @@ diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pm + { pmeth = EVP_PKEY_meth_find(id); +#ifdef OPENSSL_FIPS -+ if (!(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) { ++ if (pmeth && !(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) { + EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS); + return NULL; + } @@ -9890,7 +9901,7 @@ diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/h diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/crypto/include/internal/fips_int.h --- openssl-1.1.1b/crypto/include/internal/fips_int.h.fips 2019-02-28 11:30:06.817745466 +0100 +++ openssl-1.1.1b/crypto/include/internal/fips_int.h 2019-02-28 11:30:06.817745466 +0100 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,98 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * 
@@ -9954,6 +9965,7 @@ diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/c +int FIPS_module_installed(void); +int FIPS_selftest_sha1(void); +int FIPS_selftest_sha2(void); ++int FIPS_selftest_sha3(void); +int FIPS_selftest_aes_ccm(void); +int FIPS_selftest_aes_gcm(void); +int FIPS_selftest_aes_xts(void); diff --git a/openssl-1.1.1-no-brainpool.patch b/openssl-1.1.1-no-brainpool.patch index bbda9ef..2ab6fc9 100644 --- a/openssl-1.1.1-no-brainpool.patch +++ b/openssl-1.1.1-no-brainpool.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in ---- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2018-11-20 14:35:42.000000000 +0100 -+++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in 2019-01-15 14:55:03.898065698 +0100 +diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in +--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in 2019-05-07 11:52:35.885597934 +0200 @@ -141,22 +141,23 @@ our @tests = ( { name => "ECDSA with brainpool", 
@@ -57,10 +57,10 @@ diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens }, }, ); -diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1a/test/ssl-tests/20-cert-select.conf ---- openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool 2018-11-20 14:35:42.000000000 +0100 -+++ openssl-1.1.1a/test/ssl-tests/20-cert-select.conf 2019-01-15 14:58:24.420416659 +0100 -@@ -233,23 +233,23 @@ server = 5-ECDSA with brainpool-server +diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf +--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf 2019-05-07 12:15:12.762907496 +0200 +@@ -233,23 +233,18 @@ server = 5-ECDSA with brainpool-server client = 5-ECDSA with brainpool-client [5-ECDSA with brainpool-server] 
@@ -68,32 +68,26 @@ diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool openssl- -CipherString = DEFAULT -Groups = brainpoolP256r1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = aNULL -+#Groups = brainpoolP256r1 -+#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [5-ECDSA with brainpool-client] CipherString = aECDSA -Groups = brainpoolP256r1 -+#Groups = brainpoolP256r1 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-5] --ExpectedResult = Success + ExpectedResult = Success -ExpectedServerCANames = empty -ExpectedServerCertType = brainpoolP256r1 -ExpectedServerSignType = EC -+ExpectedResult = ServerFail -+#ExpectedServerCANames = empty -+#ExpectedServerCertType = brainpoolP256r1 -+#ExpectedServerSignType = EC # =========================================================== -@@ -1577,14 +1577,14 @@ server = 47-TLS 1.3 ECDSA with brainpool +@@ -1577,14 +1572,12 @@ server = 47-TLS 1.3 ECDSA with brainpool client = 47-TLS 1.3 ECDSA with brainpool-client [47-TLS 1.3 ECDSA with brainpool-server] 
@@ -101,19 +95,17 @@ diff -up openssl-1.1.1a/test/ssl-tests/20-cert-select.conf.no-brainpool openssl- -CipherString = DEFAULT -Groups = brainpoolP256r1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+#Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = aNULL -+#Groups = brainpoolP256r1 -+#PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [47-TLS 1.3 ECDSA with brainpool-client] CipherString = DEFAULT -Groups = brainpoolP256r1 -+#Groups = brainpoolP256r1 MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -@@ -1592,7 +1592,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro +@@ -1592,7 +1585,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro VerifyMode = Peer [test-47] diff --git a/openssl-1.1.1-regression-fixes.patch b/openssl-1.1.1-regression-fixes.patch new file mode 100644 index 0000000..3af815e --- /dev/null +++ b/openssl-1.1.1-regression-fixes.patch 
@@ -0,0 +1,37 @@
+diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/conf/conf_lib.c
+--- openssl-1.1.1b/crypto/conf/conf_lib.c.regression 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/conf/conf_lib.c 2019-05-10 14:28:57.718049429 +0200
+@@ -356,8 +356,10 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(
+ {
+ OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret));
+
+- if (ret != NULL)
+- memset(ret, 0, sizeof(*ret));
++ if (ret == NULL)
++ return NULL;
++
++ memset(ret, 0, sizeof(*ret));
+ ret->flags = DEFAULT_CONF_MFLAGS;
+
+ return ret;
+diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.regression openssl-1.1.1b/crypto/evp/evp_enc.c
+--- openssl-1.1.1b/crypto/evp/evp_enc.c.regression 2019-05-07 11:52:35.982596242 +0200
++++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-05-10 14:30:42.269243383 +0200
+@@ -338,7 +338,7 @@ static int evp_EncryptDecryptUpdate(EVP_
+
+ bl = ctx->cipher->block_size;
+
+- if (inl <= 0) {
++ if (in == NULL && inl <= 0) {
+ *outl = 0;
+ return inl == 0;
+ }
+@@ -491,7 +491,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
+ if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
+ cmpl = (cmpl + 7) / 8;
+
+- if (inl <= 0) {
++ if (in == NULL && inl <= 0) {
+ *outl = 0;
+ return inl == 0;
+ }
diff --git a/openssl-1.1.1-ts-sha256-default.patch b/openssl-1.1.1-ts-sha256-default.patch
new file mode 100644
index 0000000..d99dc47
--- /dev/null
+++ b/openssl-1.1.1-ts-sha256-default.patch
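Review bot: The relaxed guard in both evp_enc.c hunks, `if (in == NULL && inl <= 0)`, no longer rejects a negative `inl` when `in` is non-NULL. Before the change any `inl < 0` returned 0 at this point. Such a call now continues into the rest of evp_EncryptDecryptUpdate and EVP_DecryptUpdate, which lie outside the hunk, so this patch does not show whether a later check catches it. If the regression being fixed is only the zero-length call with a valid buffer, the condition can keep the negative-length rejection: `if (inl < 0 || (in == NULL && inl == 0)) {`. The existing body `*outl = 0; return inl == 0;` stays correct for that form.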
@@ -0,0 +1,50 @@
+diff --git a/apps/ts.c b/apps/ts.c
+index 63c5210183..4ef8a72eef 100644
+--- a/apps/ts.c
++++ b/apps/ts.c
+@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
+ ASN1_OBJECT *policy_obj = NULL;
+ ASN1_INTEGER *nonce_asn1 = NULL;
+
+- if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL)
++ if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
+ goto err;
+ if ((ts_req = TS_REQ_new()) == NULL)
+ goto err;
+diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
+index 078905a845..83b8fe4350 100644
+--- a/doc/man1/ts.pod
++++ b/doc/man1/ts.pod
+@@ -517,7 +517,7 @@ included. Default is no. (Optional)
+ =item B
+
+ This option specifies the hash function to be used to calculate the TSA's
+-public key certificate identifier. Default is sha1. (Optional)
++public key certificate identifier. Default is sha256. (Optional)
+
+ =back
+
+@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
+
+ =head2 Time Stamp Request
+
+-To create a time stamp request for design1.txt with SHA-1
++To create a time stamp request for design1.txt with SHA-256
+ without nonce and policy and no certificate is required in the response:
+
+ openssl ts -query -data design1.txt -no_nonce \
+@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
+
+ openssl ts -query -in design1.tsq -text
+
+-To create a time stamp request which includes the MD-5 digest
++To create a time stamp request which includes the SHA-512 digest
+ of design2.txt, requests the signer certificate and nonce,
+ specifies a policy id (assuming the tsa_policy1 name is defined in the
+ OID section of the config file):
+
+- openssl ts -query -data design2.txt -md5 \
++ openssl ts -query -data design2.txt -sha512 \
+ -tspolicy tsa_policy1 -cert -out design2.tsq
+
+ =head2 Time Stamp Response
diff --git a/openssl.spec b/openssl.spec
index 1814eed..a8ba638 100644
--- a/openssl.spec
+++ b/openssl.spec
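Review bot: The ts.pod hunk at line 517 now states `Default is sha256` for the option that selects the hash of the TSA's public key certificate identifier, but the only code change in this patch is the request digest default in `create_query()` in apps/ts.c. Nothing visible here changes the default used for the certificate identifier. Unless another patch does, the manual would promise SHA-256 where responses may still carry a SHA-1 identifier. Either keep that sentence as `Default is sha1. (Optional)` or change the matching default in the same patch. create_query() continues outside the hunk.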
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1b -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -58,6 +58,7 @@ Patch43: openssl-1.1.1-ignore-bound.patch Patch44: openssl-1.1.1-version-override.patch Patch45: openssl-1.1.1-weak-ciphers.patch Patch46: openssl-1.1.1-seclevel.patch +Patch47: openssl-1.1.1-ts-sha256-default.patch Patch48: openssl-1.1.1-fips-post-rand.patch Patch49: openssl-1.1.1-evp-kdf.patch Patch50: openssl-1.1.1-ssh-kdf.patch @@ -65,6 +66,7 @@ Patch50: openssl-1.1.1-ssh-kdf.patch Patch51: openssl-1.1.1-upstream-sync.patch Patch52: openssl-1.1.1-s390x-update.patch Patch53: openssl-1.1.1-fips-crng-test.patch +Patch54: openssl-1.1.1-regression-fixes.patch License: OpenSSL URL: http://www.openssl.org/ @@ -158,12 +160,14 @@ cp %{SOURCE13} test/ %patch44 -p1 -b .version-override %patch45 -p1 -b .weak-ciphers %patch46 -p1 -b .seclevel +%patch47 -p1 -b .ts-sha256-default %patch48 -p1 -b .fips-post-rand %patch49 -p1 -b .evp-kdf %patch50 -p1 -b .ssh-kdf %patch51 -p1 -b .upstream-sync %patch52 -p1 -b .s390x-update %patch53 -p1 -b .crng-test +%patch54 -p1 -b .regression %build @@ -450,6 +454,10 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Fri May 10 2019 Tomáš Mráz 1.1.1b-9 +- Fix two small regressions +- Change the ts application default hash to SHA256 + * Tue May 7 2019 Tomáš Mráz 1.1.1b-8 - FIPS compliance fixes