Upgrade to version 1.1.1n

Resolves: CVE-2022-0778, rhbz#2064918 Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-24 18:03:35 +01:00 · 2022-03-24 18:03:35 +01:00 · 861bb10feb
parent ee137d823d
commit 861bb10feb
7 changed files with 18 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,4 @@
 /openssl-1.1.1i-hobbled.tar.xz
 /openssl-1.1.1k-hobbled.tar.xz
 /openssl-1.1.1l-hobbled.tar.xz
+/openssl-1.1.1n-hobbled.tar.xz
--- a/openssl-1.1.1-evp-kdf.patch
+++ b/openssl-1.1.1-evp-kdf.patch
@ -4474,13 +4474,6 @@ diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pk
 diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt
 --- openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf	2021-02-16 16:24:01.000000000 +0100
 +++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt	2021-03-03 14:08:02.494294874 +0100
-@@ -1,5 +1,5 @@
- #
-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
-+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
- #
- # Licensed under the OpenSSL license (the "License").  You may not use
- # this file except in compliance with the License.  You can obtain a copy
@@ -15,7 +15,7 @@
 Title = TLS1 PRF tests (from NIST test vectors)
 
@ -4740,7 +4733,7 @@ diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl
 Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
@@ -303,3 +303,133 @@ Ctrl.r = r:8
 Ctrl.p = p:1
- Result = INTERNAL_ERROR
+ Result = KDF_DERIVE_ERROR
 
 +Title = PBKDF2 tests
 +
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@ -870,8 +870,8 @@ diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/diges
 +# include <openssl/fips.h>
 +#endif
 
- /* This call frees resources associated with the context */
- int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
+ 
+ static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force)
@@ -66,6 +69,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 {
@ -898,9 +898,9 @@ diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/diges
 +            }
 +        }
 +#endif
-         if (ctx->digest && ctx->digest->ctx_size) {
-             OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
-             ctx->md_data = NULL;
+         cleanup_old_md_data(ctx, 1);
+ 
+         ctx->digest = type;
@@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
 
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
--- a/openssl-1.1.1-system-cipherlist.patch
+++ b/openssl-1.1.1-system-cipherlist.patch
@ -238,7 +238,7 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
     }
 
     /*
-@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1592,10 +1648,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      * if we cannot get one.
      */
     if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -254,11 +254,6 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
     /* Add TLSv1.3 ciphers first - we always prefer those if possible */
     for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
         if (!sk_SSL_CIPHER_push(cipherstack,
-                                 sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
-+            OPENSSL_free(co_list);
-             sk_SSL_CIPHER_free(cipherstack);
-             return NULL;
-         }
@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     *cipher_list = cipherstack;
 
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@ -4,9 +4,9 @@ diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.
@@ -40,7 +40,7 @@ extern "C" {
  *  major minor fix final patch/beta)
  */
- # define OPENSSL_VERSION_NUMBER  0x101010cfL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1l  24 Aug 2021"
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1l  FIPS 24 Aug 2021"
+ # define OPENSSL_VERSION_NUMBER  0x101010efL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1n  15 Mar 2022"
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1n  FIPS 15 Mar 2022"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
--- a/openssl1.1.spec
+++ b/openssl1.1.spec
@ -25,8 +25,8 @@

 Summary: Compatibility version of the OpenSSL library
 Name: openssl1.1
-Version: 1.1.1l
-Release: 2%{?dist}
+Version: 1.1.1n
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -373,6 +373,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
 %ldconfig_scriptlets

 %changelog
+* Thu Mar 24 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1n-1
+- Upgrade to version 1.1.1n
+  Resolves: CVE-2022-0778, rhbz#2064918
+
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1l-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (openssl-1.1.1l-hobbled.tar.xz) = f0dfe3d3f4d1165173a0aeb50949792fef37069fc2b29de4845851fe0dbae8254f1d892b0ab8b23b75efc994742f3a57c30c78efa0702f6408d3a80442053d6f
+SHA512 (openssl-1.1.1n-hobbled.tar.xz) = e76b367218394279a1f34afcb747c2fdac6fc25fc933a70cdf85d1fd0eb6a4418b3bab985e8082b563df4f98dd6bac34464d143a8532bb78530235aaef988c4b