packages/compat-openssl11
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-5678 CVE-2024-0727 CVE-2024-2511

Browse Source 
(cherry picked from commit 8d6cf6e34cd3d310acb2e247b326a7d1a67e1ac9)
This commit is contained in:
wangcheng 2024-04-28 15:03:05 +08:00 committed by openeuler-sync-bot
parent 93a86038d5
commit 4a4078802f
22 changed files with 2188 additions and 775 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch Normal file
View File

@ -0,0 +1,36 @@
From a8da305fa3dd6e34ba5aab3978281f652fd12883 Mon Sep 17 00:00:00 2001
From: yangyangtiantianlonglong <yangtianlong1224@163.com>
Date: Mon, 31 Jul 2023 07:04:41 -0700
Subject: [PATCH] A null pointer dereference occurs when memory allocation
fails
Fixes #21605
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21606)
---
ssl/ssl_sess.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index cda6b7cc5b..2a5d21be79 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -139,8 +139,11 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
dest->references = 1;
dest->lock = CRYPTO_THREAD_lock_new();
- if (dest->lock == NULL)
+ if (dest->lock == NULL) {
+ OPENSSL_free(dest);
+ dest = NULL;
goto err;
+ }
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data))
goto err;
--
2.27.0

125
backport-Add-a-test-for-session-cache-handling.patch Normal file
View File

@ -0,0 +1,125 @@
From 913ac6975162dde9e6f715c7b12869ea32ab8b70 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 4 Mar 2024 13:45:23 +0000
Subject: [PATCH] Add a test for session cache handling
Repeatedly create sessions to be added to the cache and ensure we never
exceed the expected size.
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit 5f5b9e1ca1fad0215f623b8bd4955a2e8101f306)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
test/sslapitest.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 5ee982ab06..2992356fdf 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -7288,6 +7288,97 @@ static int test_inherit_verify_param(void)
return testresult;
}
+/*
+ * Test multiple resumptions and cache size handling
+ * Test 0: TLSv1.3 (max_early_data set)
+ * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
+ * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
+ * Test 3: TLSv1.2
+ */
+static int test_multi_resume(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ SSL_SESSION *sess = NULL;
+ int max_version = TLS1_3_VERSION;
+ int i, testresult = 0;
+
+ if (idx == 3)
+ max_version = TLS1_2_VERSION;
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION,
+ max_version, &sctx, &cctx, cert,
+ privkey)))
+ goto end;
+
+ /*
+ * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
+ * replay protection), or if SSL_OP_NO_TICKET is in use
+ */
+ if (idx == 0 || idx == 2) {
+ if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
+ goto end;
+ }
+ if (idx == 1 || idx == 2)
+ SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
+
+ SSL_CTX_sess_set_cache_size(sctx, 5);
+
+ for (i = 0; i < 30; i++) {
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL))
+ || !TEST_true(SSL_set_session(clientssl, sess)))
+ goto end;
+
+ /*
+ * Recreate a bug where dynamically changing the max_early_data value
+ * can cause sessions in the session cache which cannot be deleted.
+ */
+ if ((idx == 0 || idx == 2) && (i % 3) == 2)
+ SSL_set_max_early_data(serverssl, 0);
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
+ if (!TEST_false(SSL_session_reused(clientssl)))
+ goto end;
+ } else {
+ if (!TEST_true(SSL_session_reused(clientssl)))
+ goto end;
+ }
+ SSL_SESSION_free(sess);
+
+ /* Do a full handshake, followed by two resumptions */
+ if ((i % 3) == 2) {
+ sess = NULL;
+ } else {
+ if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
+ goto end;
+ }
+
+ SSL_shutdown(clientssl);
+ SSL_shutdown(serverssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ serverssl = clientssl = NULL;
+ }
+
+ /* We should never exceed the session cache size limit */
+ if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
+ goto end;
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ SSL_SESSION_free(sess);
+ return testresult;
+}
+
int setup_tests(void)
{
if (!TEST_ptr(certsdir = test_get_argument(0))
--
2.33.0

176
backport-Add-a-test-for-session-cache-overflow.patch Normal file
View File

@ -0,0 +1,176 @@
From 1659dc936a8763a243d09c2a6484eb1f25580ef4 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 15 Jul 2022 13:26:33 +0100
Subject: [PATCH] Add a test for session cache overflow
Test sessions behave as we expect even in the case that an overflow
occurs when adding a new session into the session cache.
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit ddead0935d77ba9b771d632ace61b145d7153f18)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
test/sslapitest.c | 130 ++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 127 insertions(+), 3 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 472b1224ca..395b1e5457 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -6669,6 +6669,128 @@ static int test_ca_names(int tst)
return testresult;
}
+/*
+ * Test that a session cache overflow works as expected
+ * Test 0: TLSv1.3, timeout on new session later than old session
+ * Test 1: TLSv1.2, timeout on new session later than old session
+ * Test 2: TLSv1.3, timeout on new session earlier than old session
+ * Test 3: TLSv1.2, timeout on new session earlier than old session
+ */
+#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+static int test_session_cache_overflow(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int testresult = 0;
+ SSL_SESSION *sess = NULL;
+
+#ifdef OPENSSL_NO_TLS1_3
+ /* If no TLSv1.3 available then do nothing in this case */
+ if (idx % 2 == 0)
+ TEST_info("No TLSv1.3 available");
+ return 1;
+#endif
+#ifdef OPENSSL_NO_TLS1_2
+ /* If no TLSv1.2 available then do nothing in this case */
+ if (idx % 2 == 1)
+ TEST_info("No TLSv1.2 available");
+ return 1;
+#endif
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION,
+ (idx % 2 == 0) ? TLS1_3_VERSION
+ : TLS1_2_VERSION,
+ &sctx, &cctx, cert, privkey))
+ || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
+ goto end;
+
+ SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
+ get_sess_val = NULL;
+
+ SSL_CTX_sess_set_cache_size(sctx, 1);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (idx > 1) {
+ sess = SSL_get_session(serverssl);
+ if (!TEST_ptr(sess))
+ goto end;
+
+ /*
+ * Cause this session to have a longer timeout than the next session to
+ * be added.
+ */
+ if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) {
+ sess = NULL;
+ goto end;
+ }
+ sess = NULL;
+ }
+
+ SSL_shutdown(serverssl);
+ SSL_shutdown(clientssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ serverssl = clientssl = NULL;
+
+ /*
+ * Session cache size is 1 and we already populated the cache with a session
+ * so the next connection should cause an overflow.
+ */
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ /*
+ * The session we just negotiated may have been already removed from the
+ * internal cache - but we will return it anyway from our external cache.
+ */
+ get_sess_val = SSL_get_session(serverssl);
+ if (!TEST_ptr(get_sess_val))
+ goto end;
+ sess = SSL_get1_session(clientssl);
+ if (!TEST_ptr(sess))
+ goto end;
+
+ SSL_shutdown(serverssl);
+ SSL_shutdown(clientssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ serverssl = clientssl = NULL;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set_session(clientssl, sess)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ SSL_SESSION_free(sess);
+
+ return testresult;
+}
+#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
+
/*
* Test 0: Client sets servername and server acknowledges it (TLSv1.2)
* Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
@@ -7357,14 +7479,16 @@ static int test_multi_resume(int idx)
#if defined(OPENSSL_NO_TLS1_2)
if (idx == 4)
- return TEST_skip("TLSv1.2 is disabled in this build");
+ TEST_info("TLSv1.2 is disabled in this build");
+ return 1;
#else
if (idx == 4)
max_version = TLS1_2_VERSION;
#endif
-#if defined(OSSL_NO_USABLE_TLS1_3)
+#if defined(OPENSSL_NO_TLS1_3)
if (idx != 4)
- return TEST_skip("No usable TLSv1.3 in this build");
+ TEST_info("No usable TLSv1.3 in this build");
+ return 1;
#endif
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
--
2.33.0

47
backport-Add-negative-integer-check-when-using-ASN1_BIT_STRIN.patch Executable file
View File

@ -0,0 +1,47 @@
From 8ddacec11481a37302c19f4454e23299af399f83 Mon Sep 17 00:00:00 2001
From: mlitre <martinlitre@mac.com>
Date: Mon, 1 May 2023 11:07:21 +0200
Subject: [PATCH] Add negative integer check when using ASN1_BIT_STRING
The negative integer check is done to prevent potential overflow.
Fixes #20719.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20862)
(cherry picked from commit 1258a8e4361320cd3cfaf9ede692492ce01034c8)
---
crypto/asn1/a_bitstr.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index f462dd1073..31a1e11359 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -148,6 +148,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
int w, v, iv;
unsigned char *c;
+ if (n < 0)
+ return 0;
+
w = n / 8;
v = 1 << (7 - (n & 0x07));
iv = ~v;
@@ -182,6 +185,9 @@ int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
{
int w, v;
+ if (n < 0)
+ return 0;
+
w = n / 8;
v = 1 << (7 - (n & 0x07));
if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL))
--
2.27.0

1213
backport-CVE-2022-4304-Fix-Timing-Oracle-in-RSA-decryption.patch
View File

File diff suppressed because it is too large Load Diff

130
backport-CVE-2023-5678-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch Normal file
View File

@ -0,0 +1,130 @@
From 58589a46204c0dfca58906d6e66cf610caa11d88 Mon Sep 17 00:00:00 2001
From: lanming1120 <lanming1120@126.com>
Date: Tue, 7 Nov 2023 14:42:28 +0800
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
Signed-off-by: lanming1120 <lanming1120@126.com>
---
crypto/dh/dh_check.c | 13 +++++++++++++
crypto/dh/dh_err.c | 1 +
crypto/dh/dh_key.c | 12 ++++++++++++
crypto/err/openssl.txt | 1 +
include/openssl/dh.h | 5 +++--
include/openssl/dherr.h | 1 +
6 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index ae1b03bc92..779cfbcd91 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -198,6 +198,19 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
BN_CTX *ctx = NULL;
*ret = 0;
+
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ DHerr(DH_F_DH_CHECK_EX, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+ return 0;
+ }
+
+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+ return 1;
+ }
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 92800d3fcc..b3b1e7a706 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -82,6 +82,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
"unable to check generator"},
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 117f2fa883..4c4c4b9874 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -109,6 +109,12 @@ static int generate_key(DH *dh)
}
#endif
+ if (dh->q != NULL
+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
+ return 0;
+ }
+
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
return 0;
@@ -202,6 +208,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
int ret = -1;
int check_result;
+ if (dh->q != NULL
+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
+ goto err;
+ }
+
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
goto err;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index c111822eac..56d4093ada 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2139,6 +2139,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
DH_R_NO_PRIVATE_VALUE:100:no private value
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
DH_R_SHARED_INFO_ERROR:113:shared info error
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
DSA_R_BAD_Q_VALUE:102:bad q value
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 6c6ff3636a..7509f4fc3e 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -71,14 +71,15 @@ DECLARE_ASN1_ITEM(DHparams)
/* #define DH_GENERATOR_3 3 */
# define DH_GENERATOR_5 5
-/* DH_check error codes */
+/* DH_check error codes, some of them shared with DH_check_pub_key */
# define DH_CHECK_P_NOT_PRIME 0x01
# define DH_CHECK_P_NOT_SAFE_PRIME 0x02
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
# define DH_NOT_SUITABLE_GENERATOR 0x08
# define DH_CHECK_Q_NOT_PRIME 0x10
-# define DH_CHECK_INVALID_Q_VALUE 0x20
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
# define DH_CHECK_INVALID_J_VALUE 0x40
+# define DH_MODULUS_TOO_LARGE 0x100
/* DH_check_pub_key error codes */
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 528c819856..d66c35aa8e 100644
--- a/include/openssl/dherr.h
+++ b/include/openssl/dherr.h
@@ -82,6 +82,7 @@ int ERR_load_DH_strings(void);
# define DH_R_NO_PRIVATE_VALUE 100
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
+# define DH_R_Q_TOO_LARGE 130
# define DH_R_SHARED_INFO_ERROR 113
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
--
2.33.0

111
backport-CVE-2024-0727-fix-pkcs12-decoding-crashes.patch Normal file
View File

@ -0,0 +1,111 @@
From 09015a582baa980dc04f635504b16fe95dc3790b Mon Sep 17 00:00:00 2001
From: liwei <liwei3013@126.com>
Date: Fri, 26 Jan 2024 18:45:28 +0800
Subject: [PATCH] fix CVE-2024-0727
Add NULL checks where ContentInfo data can be NULL
---
crypto/pkcs12/p12_add.c | 16 ++++++++++++++++
crypto/pkcs12/p12_mutl.c | 5 +++++
crypto/pkcs12/p12_npas.c | 5 +++--
crypto/pkcs7/pk7_mime.c | 8 ++++++--
4 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index af184c86af..9b40e5384e 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p7->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
}
@@ -132,6 +138,11 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
{
if (!PKCS7_type_is_encrypted(p7))
return NULL;
+
+ if (p7->d.encrypted == NULL) {
+ return NULL;
+ }
+
return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
pass, passlen,
@@ -159,6 +170,11 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+ if (p12->authsafes->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p12->authsafes->d.data,
ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
}
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 3658003fe5..766c9c1e9d 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
return 0;
}
+ if (p12->authsafes->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
+ return 0;
+ }
+
salt = p12->mac->salt->data;
saltlen = p12->mac->salt->length;
if (!p12->mac->iter)
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
index 0334289a89..130337638d 100644
--- a/crypto/pkcs12/p12_npas.c
+++ b/crypto/pkcs12/p12_npas.c
@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
bags = PKCS12_unpack_p7data(p7);
} else if (bagnid == NID_pkcs7_encrypted) {
bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
- &pbe_nid, &pbe_iter, &pbe_saltlen))
+ if (p7->d.encrypted == NULL
+ || !alg_get(p7->d.encrypted->enc_data->algorithm,
+ &pbe_nid, &pbe_iter, &pbe_saltlen))
goto err;
} else {
continue;
diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
index 19e6868148..b457108c94 100644
--- a/crypto/pkcs7/pk7_mime.c
+++ b/crypto/pkcs7/pk7_mime.c
@@ -30,10 +30,14 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
{
STACK_OF(X509_ALGOR) *mdalgs;
int ctype_nid = OBJ_obj2nid(p7->type);
- if (ctype_nid == NID_pkcs7_signed)
+
+ if (ctype_nid == NID_pkcs7_signed) {
+ if (p7->d.sign == NULL)
+ return 0;
mdalgs = p7->d.sign->md_algs;
- else
+ } else {
mdalgs = NULL;
+ }
flags ^= SMIME_OLDMIME;
--
2.28.0.1

173
backport-CVE-2024-2511-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch Normal file
View File

@ -0,0 +1,173 @@
From 722e734a9265530db1a41a4604d21c03b1ba1733 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 5 Mar 2024 15:43:53 +0000
Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
In TLSv1.3 we create a new session object for each ticket that we send.
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
use then the new session will be added to the session cache. However, if
early data is not in use (and therefore anti-replay protection is being
used), then multiple threads could be resuming from the same session
simultaneously. If this happens and a problem occurs on one of the threads,
then the original session object could be marked as not_resumable. When we
duplicate the session object this not_resumable status gets copied into the
new session object. The new session object is then added to the session
cache even though it is not_resumable.
Subsequently, another bug means that the session_id_length is set to 0 for
sessions that are marked as not_resumable - even though that session is
still in the cache. Once this happens the session can never be removed from
the cache. When that object gets to be the session cache tail object the
cache never shrinks again and grows indefinitely.
CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
include/openssl/sslerr.h | 4 ++--
ssl/ssl_err.c | 5 +++--
ssl/ssl_lib.c | 5 +++--
ssl/ssl_sess.c | 30 +++++++++++++++++++++++-------
ssl/statem/statem_srvr.c | 5 ++---
5 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index aa5f56a482..3e99ffc27f 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -224,7 +224,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_SSL_RENEGOTIATE_ABBREVIATED 546
# define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT 320
# define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT 321
-# define SSL_F_SSL_SESSION_DUP 348
+# define SSL_F_SSL_SESSION_DUP_INTERN 668
# define SSL_F_SSL_SESSION_NEW 189
# define SSL_F_SSL_SESSION_PRINT_FP 190
# define SSL_F_SSL_SESSION_SET1_ID 423
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 5a7c42a88c..c4144bb8b4 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -325,7 +325,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"SSL_renegotiate_abbreviated"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, 0), ""},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, 0), ""},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP, 0), "ssl_session_dup"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP_INTERN, 0),
+ "ssl_session_dup_intern"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_NEW, 0), "SSL_SESSION_new"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_PRINT_FP, 0),
"SSL_SESSION_print_fp"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 618549a2ca..2a44960fac 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3541,9 +3541,10 @@ void ssl_update_cache(SSL *s, int mode)
/*
* If the session_id_length is 0, we are not supposed to cache it, and it
- * would be rather hard to do anyway :-)
+ * would be rather hard to do anyway :-). Also if the session has already
+ * been marked as not_resumable we should not cache it for later reuse.
*/
- if (s->session->session_id_length == 0)
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
return;
/*
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 1b4c85b60c..28affe0a26 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void)
return ss;
}
-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
-{
- return ssl_session_dup(src, 1);
-}
-
/*
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
* ticket == 0 then no ticket information is duplicated, otherwise it is.
*/
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
+static SSL_SESSION *ssl_session_dup_intern(SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
@@ -221,11 +216,32 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
return dest;
err:
- SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
+ SSLerr(SSL_F_SSL_SESSION_DUP_INTERN, ERR_R_MALLOC_FAILURE);
SSL_SESSION_free(dest);
return NULL;
}
+SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
+{
+ return ssl_session_dup_intern(src, 1);
+}
+
+/*
+ * Used internally when duplicating a session which might be already shared.
+ * We will have resumed the original session. Subsequently we might have marked
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
+ * resume from.
+ */
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
+{
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
+
+ if (sess != NULL)
+ sess->not_resumable = 0;
+
+ return sess;
+}
+
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
{
if (len)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 1b3b8002ee..d242e98024 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2418,9 +2418,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
* so the following won't overwrite an ID that we're supposed
* to send back.
*/
- if (s->session->not_resumable ||
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
- && !s->hit))
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+ && !s->hit)
s->session->session_id_length = 0;
if (usetls13) {
--
2.33.0

152
backport-Extend-the-multi_resume-test-for-simultaneous-resump.patch Normal file
View File

@ -0,0 +1,152 @@
From cf1f5d212c9d30d2a1996b7426cf8483205e8491 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 5 Mar 2024 15:35:51 +0000
Subject: [PATCH] Extend the multi_resume test for simultaneous resumptions
Test what happens if the same session gets resumed multiple times at the
same time - and one of them gets marked as not_resumable.
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit 031b11a4054c972a5e2f07dfa81ce1842453253e)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
test/sslapitest.c | 87 ++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 84 insertions(+), 3 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 2992356fdf..472b1224ca 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -7288,12 +7288,63 @@ static int test_inherit_verify_param(void)
return testresult;
}
+struct resume_servername_cb_data {
+ int i;
+ SSL_CTX *cctx;
+ SSL_CTX *sctx;
+ SSL_SESSION *sess;
+ int recurse;
+};
+
+/*
+ * Servername callback. We use it here to run another complete handshake using
+ * the same session - and mark the session as not_resuamble at the end
+ */
+static int resume_servername_cb(SSL *s, int *ad, void *arg)
+{
+ struct resume_servername_cb_data *cbdata = arg;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+
+ if (cbdata->recurse)
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+
+ if ((cbdata->i % 3) != 1)
+ return SSL_TLSEXT_ERR_OK;
+
+ cbdata->recurse = 1;
+
+ if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
+ &clientssl, NULL, NULL))
+ || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
+ goto end;
+
+ ERR_set_mark();
+ /*
+ * We expect this to fail - because the servername cb will fail. This will
+ * mark the session as not_resumable.
+ */
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
+ ERR_clear_last_mark();
+ goto end;
+ }
+ ERR_pop_to_mark();
+
+ ret = SSL_TLSEXT_ERR_OK;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ cbdata->recurse = 0;
+ return ret;
+}
+
/*
* Test multiple resumptions and cache size handling
* Test 0: TLSv1.3 (max_early_data set)
* Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
* Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
- * Test 3: TLSv1.2
+ * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
+ * Test 4: TLSv1.2
*/
static int test_multi_resume(int idx)
{
@@ -7302,9 +7353,19 @@ static int test_multi_resume(int idx)
SSL_SESSION *sess = NULL;
int max_version = TLS1_3_VERSION;
int i, testresult = 0;
+ struct resume_servername_cb_data cbdata;
- if (idx == 3)
+#if defined(OPENSSL_NO_TLS1_2)
+ if (idx == 4)
+ return TEST_skip("TLSv1.2 is disabled in this build");
+#else
+ if (idx == 4)
max_version = TLS1_2_VERSION;
+#endif
+#if defined(OSSL_NO_USABLE_TLS1_3)
+ if (idx != 4)
+ return TEST_skip("No usable TLSv1.3 in this build");
+#endif
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
TLS_client_method(), TLS1_VERSION,
@@ -7320,17 +7381,37 @@ static int test_multi_resume(int idx)
if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
goto end;
}
- if (idx == 1 || idx == 2)
+ if (idx == 1 || idx == 2 || idx == 3)
SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
SSL_CTX_sess_set_cache_size(sctx, 5);
+ if (idx == 3) {
+ SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
+ cbdata.cctx = cctx;
+ cbdata.sctx = sctx;
+ cbdata.recurse = 0;
+ }
+
for (i = 0; i < 30; i++) {
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL))
|| !TEST_true(SSL_set_session(clientssl, sess)))
goto end;
+ /*
+ * Check simultaneous resumes. We pause the connection part way through
+ * the handshake by (mis)using the servername_cb. The pause occurs after
+ * session resumption has already occurred, but before any session
+ * tickets have been issued. While paused we run another complete
+ * handshake resuming the same session.
+ */
+ if (idx == 3) {
+ cbdata.i = i;
+ cbdata.sess = sess;
+ }
+
/*
* Recreate a bug where dynamically changing the max_early_data value
* can cause sessions in the session cache which cannot be deleted.
--
2.33.0

52
backport-Fix-EVP_PKEY_asn1_copy.patch Normal file
View File

@ -0,0 +1,52 @@
From 47793328424b4d61956eb7c06d601680c233987d Mon Sep 17 00:00:00 2001
From: hangze <hangzegao@gmail.com>
Date: Thu, 3 Aug 2023 03:38:29 +0000
Subject: [PATCH] Fix EVP_PKEY_asn1_copy
Add the copy of the omitted ASN1 public key method and
other members.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/21125)
---
crypto/asn1/ameth_lib.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c
index 5e8c3ed1d5..228dbef40d 100644
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@@ -264,6 +264,7 @@ void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst,
dst->pkey_size = src->pkey_size;
dst->pkey_bits = src->pkey_bits;
+ dst->pkey_security_bits = src->pkey_security_bits;
dst->param_decode = src->param_decode;
dst->param_encode = src->param_encode;
@@ -271,6 +272,7 @@ void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst,
dst->param_copy = src->param_copy;
dst->param_cmp = src->param_cmp;
dst->param_print = src->param_print;
+ dst->sig_print = src->sig_print;
dst->pkey_free = src->pkey_free;
dst->pkey_ctrl = src->pkey_ctrl;
@@ -281,6 +283,13 @@ void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst,
dst->siginf_set = src->siginf_set;
dst->pkey_check = src->pkey_check;
+ dst->pkey_public_check = src->pkey_public_check;
+ dst->pkey_param_check = src->pkey_param_check;
+
+ dst->set_priv_key = src->set_priv_key;
+ dst->set_pub_key = src->set_pub_key;
+ dst->get_priv_key = src->get_priv_key;
+ dst->get_pub_key = src->get_pub_key;
}
--
2.33.0

66
backport-Fix-a-possbile-memleak-in-rsa_pub_encode.patch Normal file
View File

@ -0,0 +1,66 @@
From b13ef5e90a1d9c73f6c548ab5557a939a09744e0 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Thu, 7 Sep 2023 19:22:25 +0200
Subject: [PATCH] Fix a possbile memleak in rsa_pub_encode
That seems to be only an issue for RSA-PSS with parameters.
Spotted by code review, so it looks like there is no test coverage for this.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22007)
---
crypto/rsa/rsa_ameth.c | 5 ++++-
test/recipes/15-test_rsapss.t | 10 +++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 2c9c46ea53..63efd93798 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -82,13 +82,16 @@ static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
if (!rsa_param_encode(pkey, &str, &strtype))
return 0;
penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
- if (penclen <= 0)
+ if (penclen <= 0) {
+ ASN1_STRING_free(str);
return 0;
+ }
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
strtype, str, penc, penclen))
return 1;
OPENSSL_free(penc);
+ ASN1_STRING_free(str);
return 0;
}
diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t
index 65ec6f3d75..61c13b6a49 100644
--- a/test/recipes/15-test_rsapss.t
+++ b/test/recipes/15-test_rsapss.t
@@ -16,7 +16,7 @@ use OpenSSL::Test::Utils;
setup("test_rsapss");
-plan tests => 5;
+plan tests => 7;
#using test/testrsa.pem which happens to be a 512 bit RSA
ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1',
@@ -47,3 +47,11 @@ ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'),
srctop_file('test', 'testrsa.pem')])),
"openssl dgst -prverify");
unlink 'testrsapss.sig';
+
+ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS', '-pkeyopt', 'rsa_keygen_bits:1024',
+ '-pkeyopt', 'rsa_pss_keygen_md:SHA256', '-pkeyopt', 'rsa_pss_keygen_saltlen:10',
+ '-out', 'testrsapss.pem'])),
+ "openssl genpkey RSA-PSS with pss parameters");
+ok(run(app(['openssl', 'pkey', '-in', 'testrsapss.pem', '-pubout', '-text'])),
+ "openssl pkey, execute rsa_pub_encode with pss parameters");
+unlink 'testrsapss.pem';
--
2.33.0

76
backport-Fix-a-possible-memleak-in-eckey_priv_encode.patch Normal file
View File

@ -0,0 +1,76 @@
From 7c51c0e56a0f21912f4504c7a06c21eb4bc43c85 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Thu, 7 Sep 2023 17:38:50 +0200
Subject: [PATCH] Fix a possible memleak in eckey_priv_encode
Additionally use OPENSSL_clear_free on the private
key data in case of error.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22007)
---
crypto/ec/ec_ameth.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 5098bd7a66..c48b7cb754 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -38,7 +38,6 @@ static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key)
ASN1_OBJECT *asn1obj = OBJ_nid2obj(nid);
if (asn1obj == NULL || OBJ_length(asn1obj) == 0) {
- ASN1_OBJECT_free(asn1obj);
ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_OID);
return 0;
}
@@ -98,9 +97,7 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
ptype, pval, penc, penclen))
return 1;
err:
- if (ptype == V_ASN1_OBJECT)
- ASN1_OBJECT_free(pval);
- else
+ if (ptype == V_ASN1_SEQUENCE)
ASN1_STRING_free(pval);
OPENSSL_free(penc);
return 0;
@@ -256,24 +253,32 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
eplen = i2d_ECPrivateKey(&ec_key, NULL);
if (!eplen) {
+ if (ptype == V_ASN1_SEQUENCE)
+ ASN1_STRING_free(pval);
ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
return 0;
}
ep = OPENSSL_malloc(eplen);
if (ep == NULL) {
+ if (ptype == V_ASN1_SEQUENCE)
+ ASN1_STRING_free(pval);
ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
return 0;
}
p = ep;
if (!i2d_ECPrivateKey(&ec_key, &p)) {
- OPENSSL_free(ep);
+ OPENSSL_clear_free(ep, eplen);
+ if (ptype == V_ASN1_SEQUENCE)
+ ASN1_STRING_free(pval);
ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
return 0;
}
if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,
ptype, pval, ep, eplen)) {
- OPENSSL_free(ep);
+ OPENSSL_clear_free(ep, eplen);
+ if (ptype == V_ASN1_SEQUENCE)
+ ASN1_STRING_free(pval);
return 0;
}
--
2.33.0

170
backport-Fix-error-handling-in-CMS_EncryptedData_encrypt.patch Normal file
View File

@ -0,0 +1,170 @@
From 13dd772f61d149628a768d987828aa6dbc72fb31 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Thu, 7 Sep 2023 18:05:44 +0200
Subject: [PATCH] Fix error handling in CMS_EncryptedData_encrypt
That caused several memory leaks in case of error.
Also when the CMS object that is created by CMS_EncryptedData_encrypt
is not used in the normal way, but instead just deleted
by CMS_ContentInfo_free some memory was lost.
Fixes #21985
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22008)
---
crypto/cms/cms_asn1.c | 15 +++++++++++++--
crypto/cms/cms_local.h | 1 +
crypto/cms/cms_sd.c | 14 +++++++++++++-
crypto/cms/cms_smime.c | 3 ++-
test/recipes/80-test_cms.t | 7 +++++++
7 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c
index 08069d72a2..d006ada998 100644
--- a/crypto/cms/cms_asn1.c
+++ b/crypto/cms/cms_asn1.c
@@ -51,6 +51,7 @@ static int cms_si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
EVP_PKEY_free(si->pkey);
X509_free(si->signer);
EVP_MD_CTX_free(si->mctx);
+ EVP_PKEY_CTX_free(si->pctx);
}
return 1;
}
@@ -89,11 +90,21 @@ ASN1_SEQUENCE(CMS_OriginatorInfo) = {
ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1)
} static_ASN1_SEQUENCE_END(CMS_OriginatorInfo)
-ASN1_NDEF_SEQUENCE(CMS_EncryptedContentInfo) = {
+static int cms_ec_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+ void *exarg)
+{
+ CMS_EncryptedContentInfo *ec = (CMS_EncryptedContentInfo *)*pval;
+
+ if (operation == ASN1_OP_FREE_POST)
+ OPENSSL_clear_free(ec->key, ec->keylen);
+ return 1;
+}
+
+ASN1_NDEF_SEQUENCE_cb(CMS_EncryptedContentInfo, cms_ec_cb) = {
ASN1_SIMPLE(CMS_EncryptedContentInfo, contentType, ASN1_OBJECT),
ASN1_SIMPLE(CMS_EncryptedContentInfo, contentEncryptionAlgorithm, X509_ALGOR),
ASN1_IMP_OPT(CMS_EncryptedContentInfo, encryptedContent, ASN1_OCTET_STRING_NDEF, 0)
-} static_ASN1_NDEF_SEQUENCE_END(CMS_EncryptedContentInfo)
+} ASN1_NDEF_SEQUENCE_END_cb(CMS_EncryptedContentInfo, CMS_EncryptedContentInfo)
ASN1_SEQUENCE(CMS_KeyTransRecipientInfo) = {
ASN1_EMBED(CMS_KeyTransRecipientInfo, version, INT32),
diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h
index a0ce4448f6..b275bddf75 100644
--- a/crypto/cms/cms_local.h
+++ b/crypto/cms/cms_local.h
@@ -342,6 +342,7 @@ struct CMS_Receipt_st {
DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo)
DECLARE_ASN1_ITEM(CMS_SignerInfo)
+DECLARE_ASN1_ITEM(CMS_EncryptedContentInfo)
DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber)
DECLARE_ASN1_ITEM(CMS_Attributes_Sign)
DECLARE_ASN1_ITEM(CMS_Attributes_Verify)
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 3f2a782565..708b443704 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -375,6 +375,8 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
} else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <=
0)
goto err;
+ else
+ EVP_MD_CTX_set_flags(si->mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
}
if (!sd->signerInfos)
@@ -600,6 +602,7 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms,
unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen;
pctx = si->pctx;
+ si->pctx = NULL;
if (!EVP_DigestFinal_ex(mctx, md, &mdlen))
goto err;
siglen = EVP_PKEY_size(si->pkey);
@@ -680,6 +683,7 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si)
EVP_MD_CTX_reset(mctx);
if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0)
goto err;
+ EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
si->pctx = pctx;
}
@@ -745,8 +749,13 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si)
return -1;
}
mctx = si->mctx;
+ if (si->pctx != NULL) {
+ EVP_PKEY_CTX_free(si->pctx);
+ si->pctx = NULL;
+ }
if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0)
goto err;
+ EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
if (!cms_sd_asn1_ctrl(si, 1))
goto err;
@@ -859,8 +868,11 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain)
if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0)
goto err;
si->pctx = pkctx;
- if (!cms_sd_asn1_ctrl(si, 1))
+ if (!cms_sd_asn1_ctrl(si, 1)) {
+ si->pctx = NULL;
goto err;
+ }
+ si->pctx = NULL;
r = EVP_PKEY_verify(pkctx, si->signature->data,
si->signature->length, mval, mlen);
if (r <= 0) {
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 6e7dbc4da1..8f3a9fbaeb 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -211,7 +211,7 @@ CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher,
if (cms == NULL)
return NULL;
if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen))
- return NULL;
+ goto err;
if (!(flags & CMS_DETACHED))
CMS_set_detached(cms, 0);
@@ -220,6 +220,7 @@ CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher,
|| CMS_final(cms, in, NULL, flags))
return cms;
+ err:
CMS_ContentInfo_free(cms);
return NULL;
}
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index adb60e1436..544d4466b5 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -288,6 +288,13 @@ my @smime_cms_tests = (
"-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ]
],
+ [ "encrypted content test streaming PEM format -noout, 128 bit AES key",
+ [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
+ "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
+ "-stream", "-noout" ],
+ [ "-help" ]
+ ],
+
);
my @smime_cms_comp_tests = (
--
2.33.0

43
backport-Fix-mem-leaks-on-PKCS-12-read-error-in-PKCS12_key_ge.patch Normal file
View File

@ -0,0 +1,43 @@
From ed4faae00cdab23244704660c099e41ec64f5dc0 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Wed, 12 Aug 2020 17:37:50 +0200
Subject: [PATCH] Fix mem leaks on PKCS#12 read error in
PKCS12_key_gen_{asc,utf8}
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12639)
---
crypto/pkcs12/p12_key.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c
index a40ae4cbe8..bbe212d125 100644
--- a/crypto/pkcs12/p12_key.c
+++ b/crypto/pkcs12/p12_key.c
@@ -44,10 +44,8 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
}
ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
id, iter, n, out, md_type);
- if (ret <= 0)
- return 0;
OPENSSL_clear_free(unipass, uniplen);
- return ret;
+ return ret > 0;
}
int PKCS12_key_gen_utf8(const char *pass, int passlen, unsigned char *salt,
@@ -67,10 +65,8 @@ int PKCS12_key_gen_utf8(const char *pass, int passlen, unsigned char *salt,
}
ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
id, iter, n, out, md_type);
- if (ret <= 0)
- return 0;
OPENSSL_clear_free(unipass, uniplen);
- return ret;
+ return ret > 0;
}
int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
--
2.27.0

64
backport-Fix-stack-corruption-in-ui_read.patch Executable file
View File

@ -0,0 +1,64 @@
From 0f90c4de9f58070a423003ec6b34ef1a9a670ec9 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sat, 13 May 2023 09:04:18 +0200
Subject: [PATCH] Fix stack corruption in ui_read
This is an alternative to #20893
Additionally this fixes also a possible issue in UI_UTIL_read_pw:
When UI_new returns NULL, the result code would still be zero
as if UI_UTIL_read_pw succeeded, but the password buffer is left
uninitialized, with subsequent possible stack corruption or worse.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20957)
(cherry picked from commit a64c48cff88e032cf9513578493c4536df725a22)
---
crypto/ui/ui_lib.c | 4 ++++
crypto/ui/ui_util.c | 4 +---
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c
index 49cc45057c..daf11c7a0d 100644
--- a/crypto/ui/ui_lib.c
+++ b/crypto/ui/ui_lib.c
@@ -529,6 +529,10 @@ int UI_process(UI *ui)
ok = 0;
break;
}
+ } else {
+ ui->flags &= ~UI_FLAG_REDOABLE;
+ ok = -2;
+ goto err;
}
}
diff --git a/crypto/ui/ui_util.c b/crypto/ui/ui_util.c
index 32a3c4e38d..e582252da6 100644
--- a/crypto/ui/ui_util.c
+++ b/crypto/ui/ui_util.c
@@ -32,7 +32,7 @@ int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt,
int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
int verify)
{
- int ok = 0;
+ int ok = -2;
UI *ui;
if (size < 1)
@@ -47,8 +47,6 @@ int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
ok = UI_process(ui);
UI_free(ui);
}
- if (ok > 0)
- ok = 0;
return ok;
}
--
2.27.0

39
backport-Hardening-around-not_resumable-sessions.patch Normal file
View File

@ -0,0 +1,39 @@
From 9b79e20ed347f90ed23bfc8e5be2259231fd0a34 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 15 Mar 2024 17:58:42 +0000
Subject: [PATCH] Hardening around not_resumable sessions
Make sure we can't inadvertently use a not_resumable session
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit c342f4b8bd2d0b375b0e22337057c2eab47d9b96)
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
---
ssl/ssl_sess.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 28affe0a26..5cc816b0fc 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -471,6 +471,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
if (ret != NULL) {
+ if (ret->not_resumable) {
+ /* If its not resumable then ignore this session */
+ if (!copy)
+ SSL_SESSION_free(ret);
+ return NULL;
+ }
tsan_counter(&s->session_ctx->stats.sess_cb_hit);
/*
--
2.33.0

37
backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch Normal file
View File

@ -0,0 +1,37 @@
From eec805ee71356c06f9a86192fa06507c3bb92b09 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun, 23 Jul 2023 14:27:54 +0200
Subject: [PATCH] Make DH_check set some error bits in recently added error
The pre-existing error cases where DH_check returned zero
are not related to the dh params in any way, but are only
triggered by out-of-memory errors, therefore having *ret
set to zero feels right, but since the new error case is
triggered by too large p values that is something different.
On the other hand some callers of this function might not
be prepared to handle the return value correctly but only
rely on *ret. Therefore we set some error bits in *ret as
additional safety measure.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21533)
---
crypto/dh/dh_check.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index e5f9dd5030..2001d2e7cb 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -104,6 +104,7 @@ int DH_check(const DH *dh, int *ret)
/* Don't do any checks at all with an excessively large modulus */
if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_CHECK_P_NOT_PRIME;
return 0;
}
--
2.27.0

30
backport-Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorre.patch Normal file
View File

@ -0,0 +1,30 @@
From 8daa2616bbe6f7994e0cdd796d3280118c51d8d8 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 20 Apr 2023 10:24:38 +0200
Subject: [PATCH] Re-add BN_F_OSSL_BN_RSA_DO_UNBLIND which was incorrectly
removed
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20784)
---
include/openssl/bnerr.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h
index a703efc92b..5c83777f9f 100644
--- a/include/openssl/bnerr.h
+++ b/include/openssl/bnerr.h
@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
# define BN_F_BN_SET_WORDS 144
# define BN_F_BN_STACK_PUSH 148
# define BN_F_BN_USUB 115
+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151
/*
* BN reason codes.
--
2.27.0

61
backport-apps-passwd.c-free-before-error-exiting.patch Normal file
View File

@ -0,0 +1,61 @@
From dd05385e36582f34e691b1350dd7daf74df5cc90 Mon Sep 17 00:00:00 2001
From: Peiwei Hu <jlu.hpw@foxmail.com>
Date: Tue, 4 Jan 2022 09:10:32 +0800
Subject: [PATCH] apps/passwd.c: free before error exiting
use goto instead of returning directly while error handling
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17404)
(cherry picked from commit ea4d16bc60dee53feb71997c1e78379eeb69b7ac)
---
apps/passwd.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/passwd.c b/apps/passwd.c
index d741d05335..2a4199d080 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -407,7 +407,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
n >>= 1;
}
if (!EVP_DigestFinal_ex(md, buf, NULL))
- return NULL;
+ goto err;
for (i = 0; i < 1000; i++) {
if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL))
@@ -633,7 +633,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
n >>= 1;
}
if (!EVP_DigestFinal_ex(md, buf, NULL))
- return NULL;
+ goto err;
/* P sequence */
if (!EVP_DigestInit_ex(md2, sha, NULL))
@@ -644,7 +644,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
goto err;
if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
- return NULL;
+ goto err;
if ((p_bytes = OPENSSL_zalloc(passwd_len)) == NULL)
goto err;
@@ -661,7 +661,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
goto err;
if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
- return NULL;
+ goto err;
if ((s_bytes = OPENSSL_zalloc(salt_len)) == NULL)
goto err;
--
2.33.0

65
backport-x509-Fix-possible-use-after-free-when-OOM.patch Normal file
View File

@ -0,0 +1,65 @@
From b1cc84e82d41ab669bf804ea519f5332c48a3d77 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 24 May 2023 12:22:25 +0200
Subject: [PATCH] x509: Fix possible use-after-free when OOM
ossl_policy_level_add_node() first adds the new node to the level->nodes
stack, and then attempts to add extra data if extra_data is true. If
memory allocation or adding the extra data to tree->extra_data fails,
the allocated node (that has already been added to the level->nodes
stack) is freed using ossl_policy_node_free(), which leads to
a potential use after free.
Additionally, the tree's node count and the parent's child count would
not be updated, despite the new node being added.
Fix this by either performing the function's purpose completely, or not
at all by reverting the changes on error.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21066)
---
crypto/x509v3/pcy_node.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
index d574fb9d66..c6c01cbb39 100644
--- a/crypto/x509v3/pcy_node.c
+++ b/crypto/x509v3/pcy_node.c
@@ -100,11 +100,11 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
tree->extra_data = sk_X509_POLICY_DATA_new_null();
if (tree->extra_data == NULL){
X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
- goto node_error;
+ goto extra_data_error;
}
if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
- goto node_error;
+ goto extra_data_error;
}
}
@@ -114,6 +114,14 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
return node;
+ extra_data_error:
+ if (level != NULL) {
+ if (level->anyPolicy == node)
+ level->anyPolicy = NULL;
+ else
+ (void) sk_X509_POLICY_NODE_pop(level->nodes);
+ }
+
node_error:
policy_node_free(node);
return NULL;
--
2.33.0

72
backport-x509-Handle-ossl_policy_level_add_node-errors.patch Normal file
View File

@ -0,0 +1,72 @@
From 3cc6933555a0c66328ec659b5bb86c57b6402e1e Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 24 May 2023 13:12:54 +0200
Subject: [PATCH] x509: Handle ossl_policy_level_add_node errors
The invocation of ossl_policy_level_add_node in tree_calculate_user_set
did not have any error handling. Add it to prevent a memory leak for the
allocated extra policy data.
Also add error handling to sk_X509_POLICY_NODE_push to ensure that if
a new node was allocated, but could not be added to the stack, it is
freed correctly.
Fix error handling if tree->user_policies cannot be allocated by
returning 0, indicating failure, rather than 1.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21066)
---
crypto/x509v3/pcy_tree.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 6c7fd35405..3c504e82c6 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -25,6 +25,8 @@
# define OPENSSL_POLICY_TREE_NODES_MAX 1000
#endif
+static void exnode_free(X509_POLICY_NODE *node);
+
/*
* Enable this to print out the complete policy tree at various point during
* evaluation.
@@ -572,15 +574,24 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
extra->qualifier_set = anyPolicy->data->qualifier_set;
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
| POLICY_DATA_FLAG_EXTRA_NODE;
- node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
+ node = level_add_node(NULL, extra, anyPolicy->parent,
+ tree, 1);
+ if (node == NULL) {
+ policy_data_free(extra);
+ return 0;
+ }
}
if (!tree->user_policies) {
tree->user_policies = sk_X509_POLICY_NODE_new_null();
- if (!tree->user_policies)
- return 1;
+ if (!tree->user_policies) {
+ exnode_free(node);
+ return 0;
+ }
}
- if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
+ if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
+ exnode_free(node);
return 0;
+ }
}
return 1;
}
--
2.33.0

25
compat-openssl11.spec
View File

@ -1,7 +1,7 @@
%define soversion 1.1
Name: compat-openssl11
Version: 1.1.1m
Release: 9
Release: 10
Epoch: 1
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay
@ -113,6 +113,26 @@ Patch102: backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-
Patch103: backport-update-expired-certificates-for-sm2.patch
Patch104: backport-CVE-2023-3817.patch
Patch105: backport-CVE-2023-3817-testcase.patch
Patch106: backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch
Patch107: backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch
Patch108: backport-CVE-2023-5678-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch
Patch109: backport-Add-negative-integer-check-when-using-ASN1_BIT_STRIN.patch
Patch110: backport-Fix-stack-corruption-in-ui_read.patch
Patch111: backport-Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorre.patch
Patch112: backport-x509-Fix-possible-use-after-free-when-OOM.patch
Patch113: backport-x509-Handle-ossl_policy_level_add_node-errors.patch
Patch114: backport-Fix-a-possbile-memleak-in-rsa_pub_encode.patch
Patch115: backport-Fix-a-possible-memleak-in-eckey_priv_encode.patch
Patch116: backport-Fix-error-handling-in-CMS_EncryptedData_encrypt.patch
Patch117: backport-Fix-EVP_PKEY_asn1_copy.patch
Patch118: backport-CVE-2024-0727-fix-pkcs12-decoding-crashes.patch
Patch119: backport-apps-passwd.c-free-before-error-exiting.patch
Patch120: backport-Fix-mem-leaks-on-PKCS-12-read-error-in-PKCS12_key_ge.patch
Patch121: backport-CVE-2024-2511-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch
Patch122: backport-Add-a-test-for-session-cache-handling.patch
Patch123: backport-Extend-the-multi_resume-test-for-simultaneous-resump.patch
Patch124: backport-Hardening-around-not_resumable-sessions.patch
Patch125: backport-Add-a-test-for-session-cache-overflow.patch
BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
@ -239,6 +259,9 @@ make test || :
%ldconfig_scriptlets libs
%changelog
* Mon Apr 22 2023 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-10
- fix CVE-2023-5678 CVE-2024-0727 CVE-2024-2511
* Thu Oct 12 2023 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-9
- fix some CVEs