From 861bb10feb904411eec91836429e6981538822f7 Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Thu, 24 Mar 2022 18:03:35 +0100
Subject: [PATCH] Upgrade to version 1.1.1n

Resolves: CVE-2022-0778, rhbz#2064918

Signed-off-by: Clemens Lang
---
 .gitignore | 1 +
 openssl-1.1.1-evp-kdf.patch | 9 +--------
 openssl-1.1.1-fips.patch | 10 +++++-----
 openssl-1.1.1-system-cipherlist.patch | 7 +------
 openssl-1.1.1-version-override.patch | 6 +++---
 openssl1.1.spec | 8 ++++++--
 sources | 2 +-
 7 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/.gitignore b/.gitignore
index f8397f6..c22de2e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 /openssl-1.1.1i-hobbled.tar.xz
 /openssl-1.1.1k-hobbled.tar.xz
 /openssl-1.1.1l-hobbled.tar.xz
+/openssl-1.1.1n-hobbled.tar.xz
diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch
index 6145753..dab4a0c 100644
--- a/openssl-1.1.1-evp-kdf.patch
+++ b/openssl-1.1.1-evp-kdf.patch
@@ -4474,13 +4474,6 @@ diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pk
 diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt
 --- openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2021-02-16 16:24:01.000000000 +0100
 +++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt 2021-03-03 14:08:02.494294874 +0100
-@@ -1,5 +1,5 @@
- #
--# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
-+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
- #
- # Licensed under the OpenSSL license (the "License"). You may not use
- # this file except in compliance with the License. You can obtain a copy
 @@ -15,7 +15,7 @@ Title = TLS1 PRF tests (from NIST test vectors)
@@ -4740,7 +4733,7 @@ diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl
  Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
 @@ -303,3 +303,133 @@ Ctrl.r = r:8
  Ctrl.p = p:1
- Result = INTERNAL_ERROR
+ Result = KDF_DERIVE_ERROR
 +Title = PBKDF2 tests
 +
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index aa3d33d..fffc973 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -870,8 +870,8 @@ diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/diges
 +# include
 +#endif
- /* This call frees resources associated with the context */
- int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
+ 
+ static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force)
 @@ -66,6 +69,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
  int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
  {
@@ -898,9 +898,9 @@ diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/diges
 + }
 + }
 +#endif
- if (ctx->digest && ctx->digest->ctx_size) {
- OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
- ctx->md_data = NULL;
+ cleanup_old_md_data(ctx, 1);
+ 
+ ctx->digest = type;
 @@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
  int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
diff --git a/openssl-1.1.1-system-cipherlist.patch b/openssl-1.1.1-system-cipherlist.patch
index a70f20b..f4b69a3 100644
--- a/openssl-1.1.1-system-cipherlist.patch
+++ b/openssl-1.1.1-system-cipherlist.patch
@@ -238,7 +238,7 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
  }
  /*
-@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1592,10 +1648,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
  * if we cannot get one.
  */
  if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
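Review bot: Only the upstream context line `- Result = INTERNAL_ERROR` / `+ Result = KDF_DERIVE_ERROR` is refreshed in this hunk; the roughly 130 lines the inner `@@ -303,3 +303,133 @@` hunk adds after `+Title = PBKDF2 tests` are not visible here. If any of those downstream-added cases still expect `Result = INTERNAL_ERROR` for a failing derive, they would presumably need the same rename to `KDF_DERIVE_ERROR` now that the upstream expectation has changed, so the rest of the patch's evpkdf.txt additions are worth a quick grep for the old value. The inner hunk continues well past the end of this outer hunk.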
@@ -254,11 +254,6 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
  /* Add TLSv1.3 ciphers first - we always prefer those if possible */
  for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
  if (!sk_SSL_CIPHER_push(cipherstack,
- sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
-+ OPENSSL_free(co_list);
- sk_SSL_CIPHER_free(cipherstack);
- return NULL;
- }
 @@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
  *cipher_list = cipherstack;
diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch
index 762a257..601c841 100644
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@@ -4,9 +4,9 @@ diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.
 @@ -40,7 +40,7 @@ extern "C" {
  * major minor fix final patch/beta)
  */
- # define OPENSSL_VERSION_NUMBER 0x101010cfL
--# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1l 24 Aug 2021"
-+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1l FIPS 24 Aug 2021"
+ # define OPENSSL_VERSION_NUMBER 0x101010efL
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1n 15 Mar 2022"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1n FIPS 15 Mar 2022"
  /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/openssl1.1.spec b/openssl1.1.spec
index 256a223..cfc953a 100644
--- a/openssl1.1.spec
+++ b/openssl1.1.spec
@@ -25,8 +25,8 @@ Summary: Compatibility version of the OpenSSL library
 Name: openssl1.1
-Version: 1.1.1l
-Release: 2%{?dist}
+Version: 1.1.1n
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
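Review bot: The rebased hunk drops the downstream `-+ OPENSSL_free(co_list);` from the `sk_SSL_CIPHER_push` failure path of the TLSv1.3 loop, together with the surrounding `sk_SSL_CIPHER_free(cipherstack); return NULL;` context, so the carried patch no longer releases co_list before that early return. That is only correct if the 1.1.1n upstream ssl/ssl_ciph.c already frees co_list on this path itself (the shrunken inner hunk header `+@@ -1592,10 +1648,13 @@` suggests the surrounding code moved, but it does not show that); if it does not, the rebase silently reintroduces the leak the dropped line was presumably covering. Worth confirming against the 1.1.1n tarball before merging, and keeping the `OPENSSL_free(co_list);` line in the patch if it is not upstream. The body of ssl_create_cipher_list lies outside this hunk.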
@@ -373,6 +373,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
 %ldconfig_scriptlets
 %changelog
+* Thu Mar 24 2022 Clemens Lang - 1:1.1.1n-1
+- Upgrade to version 1.1.1n
+ Resolves: CVE-2022-0778, rhbz#2064918
+
 * Thu Jan 20 2022 Fedora Release Engineering - 1:1.1.1l-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
diff --git a/sources b/sources
index 1331d7d..49fda36 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-1.1.1l-hobbled.tar.xz) = f0dfe3d3f4d1165173a0aeb50949792fef37069fc2b29de4845851fe0dbae8254f1d892b0ab8b23b75efc994742f3a57c30c78efa0702f6408d3a80442053d6f
+SHA512 (openssl-1.1.1n-hobbled.tar.xz) = e76b367218394279a1f34afcb747c2fdac6fc25fc933a70cdf85d1fd0eb6a4418b3bab985e8082b563df4f98dd6bac34464d143a8532bb78530235aaef988c4b