diff --git a/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch b/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch index 8ea99e0..a98d34e 100644 --- a/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch +++ b/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch @@ -1,11 +1,13 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c --- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100 +++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200 -@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori +@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori #ifndef OPENSSL_NO_SRP static int init_srp(SSL *s, unsigned int context); #endif ++#ifndef OPENSSL_NO_EC +static int init_ec_point_formats(SSL *s, unsigned int context); ++#endif static int init_etm(SSL *s, unsigned int context); static int init_ems(SSL *s, unsigned int context); static int final_ems(SSL *s, unsigned int context, int sent); @@ -18,10 +20,11 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, final_ec_pt_formats }, -@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int +@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int } #endif ++#ifndef OPENSSL_NO_EC +static int init_ec_point_formats(SSL *s, unsigned int context) +{ + OPENSSL_free(s->ext.peer_ecpointformats); @@ -30,6 +33,7 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl + + return 1; +} ++#endif + static int init_etm(SSL *s, unsigned int context) { diff --git a/SOURCES/openssl-1.1.1-cve-2025-9230.patch b/SOURCES/openssl-1.1.1-cve-2025-9230.patch new file mode 100644 index 0000000..5c1f511 --- /dev/null +++ b/SOURCES/openssl-1.1.1-cve-2025-9230.patch 
@@ -0,0 +1,31 @@
+From 5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fixes CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+Reviewed-by: Tomas Mraz
+(cherry picked from commit 9c462be2cea54ebfc62953224220b56f8ba22a0c)
+---
+ crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
+index a7d609f83791a..ee1b8aa6ed61d 100644
+--- a/crypto/cms/cms_pwri.c
++++ b/crypto/cms/cms_pwri.c
+@@ -242,7 +242,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
diff --git a/SOURCES/openssl-1.1.1-ticket_lifetime_hint.patch b/SOURCES/openssl-1.1.1-ticket_lifetime_hint.patch
new file mode 100644
index 0000000..c89faf6
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-ticket_lifetime_hint.patch
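Review bot: The corrected bound `if (inlen < 4 + (size_t)tmp[0])` is right, but the surviving comment `/* Invalid length value */` still does not say what the 4 stands for, which is exactly the part the old `tmp[0] - 4` expression got wrong; suggest `/* the length byte plus the 3 check bytes compared above must precede tmp[0] key bytes inside the unwrapped block */`. kek_unwrap_key's earlier size checks and the later copy of the key out of tmp are outside the hunk, so how this interacts with `*outlen` cannot be confirmed here. The diffstat lists only crypto/cms/cms_pwri.c, so the backport carries no regression test; a CMS PWRI unwrap vector whose length byte exceeds the decrypted block would pin the fix down on the 1.1.1 branch.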
@@ -0,0 +1,145 @@
+From 79dbd85fe27ebabc278417af64ab8e3eb43d2d40 Mon Sep 17 00:00:00 2001
+From: Todd Short
+Date: Wed, 23 Mar 2022 18:55:10 -0400
+Subject: [PATCH] ticket_lifetime_hint may exceed 1 week in TLSv1.3
+
+For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446
+
+Fixes #17948
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Tim Hudson
+(Merged from https://github.com/openssl/openssl/pull/17952)
+
+(cherry picked from commit 0089cc7f9d42f6e39872161199fb8b6a99da2492)
+Modified by: Maurizio Barbaro
+---
+ doc/man3/SSL_CTX_set_timeout.pod | 10 ++++++
+ ssl/statem/statem_srvr.c | 21 ++++++++----
+ test/sslapitest.c | 59 ++++++++++++++++++++++++++++++++
+ 3 files changed, 84 insertions(+), 6 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_timeout.pod b/doc/man3/SSL_CTX_set_timeout.pod
+index c32585e45f924..54592654ffd1f 100644
+--- a/doc/man3/SSL_CTX_set_timeout.pod
++++ b/doc/man3/SSL_CTX_set_timeout.pod
+@@ -42,6 +42,16 @@ basis, see L.
+ All currently supported protocols have the same default timeout value
+ of 300 seconds.
+
++This timeout value is used as the ticket lifetime hint for stateless session
++tickets. It is also used as the timeout value within the ticket itself.
++
++For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800
++seconds).
++
++For TLSv1.2, tickets generated during an initial handshake use the value
++as specified. Tickets generated during a resumed handshake have a value
++of 0 for the ticket lifetime hint.
++
+ =head1 RETURN VALUES
+
+ SSL_CTX_set_timeout() returns the previously set timeout value.
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index d701c46b43b5a..79cfd1d8353a0 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -3820,15 +3820,24 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
+ static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
+ unsigned char *tick_nonce)
+ {
++ uint32_t timeout = (uint32_t)s->session->timeout;
++
+ /*
+- * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
+- * unspecified for resumed session (for simplicity).
++ * Ticket lifetime hint:
+ * In TLSv1.3 we reset the "time" field above, and always specify the
+- * timeout.
++ * timeout, limited to a 1 week period per RFC8446.
++ * For TLSv1.2 this is advisory only and we leave this unspecified for
++ * resumed session (for simplicity).
+ */
+- if (!WPACKET_put_bytes_u32(pkt,
+- (s->hit && !SSL_IS_TLS13(s))
+- ? 0 : s->session->timeout)) {
++#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
++
++ if (SSL_IS_TLS13(s)) {
++ if (s->session->timeout > ONE_WEEK_SEC)
++ timeout = ONE_WEEK_SEC;
++ } else if (s->hit)
++ timeout = 0;
++
++ if (!WPACKET_put_bytes_u32(pkt, timeout)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+
+--- a/test/sslapitest.c 2025-10-21 18:44:14.836888120 +0200
++++ b/test/sslapitest.c 2025-10-22 17:39:24.869230280 +0200
+@@ -6656,6 +6656,64 @@
+
+ return testresult;
+ }
++
++/*
++ * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
++ * 0 = TLSv1.2
++ * 1 = TLSv1.3
++ */
++static int test_ticket_lifetime(int idx)
++{
++ SSL_CTX *cctx = NULL, *sctx = NULL;
++ SSL *clientssl = NULL, *serverssl = NULL;
++ int testresult = 0;
++ int version = TLS1_3_VERSION;
++
++#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
++#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
++
++ if (idx == 0) {
++ version = TLS1_2_VERSION;
++ }
++
++ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
++ TLS_client_method(), version,
version, ++ &sctx, &cctx, cert, privkey))) ++ goto end; ++ ++ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, ++ &clientssl, NULL, NULL))) ++ goto end; ++ ++ /* ++ * Set the timeout to be more than 1 week ++ * make sure the returned value is the default ++ */ ++ if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC), ++ SSL_get_default_timeout(serverssl))) ++ goto end; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) ++ goto end; ++ ++ if (idx == 0) { ++ /* TLSv1.2 uses the set value */ ++ if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC)) ++ goto end; ++ } else { ++ /* TLSv1.3 uses the limited value */ ++ if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC)) ++ goto end; ++ } ++ testresult = 1; ++ ++end: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ return testresult; ++} + #endif + + int setup_tests(void) diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index 6f98819..e203464 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -99,9 +99,11 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch # Backport from OpenSSL 3.2/RHEL 9 # Proper fix for CVE-2020-25659 Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch -# Backport from OpenSSL 3.2 +# Backport from OpenSSL 3.0 # Fix for CVE-2024-5535 Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch +Patch110: openssl-1.1.1-cve-2025-9230.patch +Patch111: openssl-1.1.1-ticket_lifetime_hint.patch License: OpenSSL and ASL 2.0 URL: http://www.openssl.org/ @@ -236,6 +238,8 @@ cp %{SOURCE13} test/ %patch107 -p1 -b .cve-2023-5678 %patch108 -p1 -b .pkcs15imprejection %patch109 -p1 -b .cve-2024-5535 +%patch110 -p1 -b .cve-2025-9230 +%patch111 -p1 -b .ticket_lifetime_hint %build # Figure out which flags we want to use. 
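Review bot: `test_ticket_lifetime` is added to test/sslapitest.c, but this hunk ends at the `int setup_tests(void)` context line and no further hunk registers it, so the new test is never executed and, being `static`, will likely draw an unused-function warning; add `ADD_ALL_TESTS(test_ticket_lifetime, 2);` inside setup_tests alongside the other registrations, under the same conditional that the `#endif` above the function closes. The retained upstream diffstat counts 59 insertions for sslapitest.c while this hunk adds 58, which is consistent with the registration line having been dropped when the hunk was regenerated for 1.1.1k. As a point of style in create_ticket_prequel, `#define ONE_WEEK_SEC (7 * 24 * 60 * 60)` sits mid-function after a declaration and is never undefined; defining it once at file scope would also remove the duplicate definition the test file carries. create_ticket_prequel's remaining body lies outside the hunk.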
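Review bot: `Patch110` and `Patch111` are the only Patch entries in this hunk without the `#` description line every neighbouring entry carries, so the spec no longer says what they fix or where they come from; suggest preceding them with `# Fix for CVE-2025-9230: out-of-bounds read/write in CMS PWRI kek_unwrap_key()` and `# Backport of upstream PR 17952: cap the TLSv1.3 ticket_lifetime_hint at one week`. The same hunk changes Patch109's origin comment from `OpenSSL 3.2` to `OpenSSL 3.0`, while the changelog entry for that fix further down still reads `from OpenSSL 3.2`; whichever is correct, the two should agree.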
@@ -519,52 +523,61 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog -* Tue Sep 17 2024 Maurizio Barbaro - 1:1.1.1k-14 -- Backport fix SSL_select_next proto from OpenSSL 3.2 +* Mon Dec 08 2025 Nikita Sanjay Patwa - 1:1.1.1k-14 +- Backport fix for Out-of-bounds read & write in RFC 3211 KEK Unwrap + Fix CVE-2025-9230 + Resolves: RHEL-128613 +- Fix bug for ticket_lifetime_hint exceed issue + Resolves: RHEL-119891 + +* Mon Sep 16 2024 Maurizio Barbaro - 1:1.1.1k-13 +- Backport fix SSL_select_next proto from OpenSSL 3.2 Fix CVE-2024-5535 Resolves: RHEL-45654 * Thu Nov 30 2023 Dmitry Belyavskiy - 1:1.1.1k-12 - Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series (a proper fix for CVE-2020-25659) - Resolves: RHEL-17694 + Resolves: RHEL-17696 * Wed Nov 15 2023 Clemens Lang - 1:1.1.1k-11 - Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow - Resolves: RHEL-16536 + Resolves: RHEL-16538 * Thu Oct 19 2023 Clemens Lang - 1:1.1.1k-10 - Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters - Resolves: RHEL-14243 + Resolves: RHEL-14245 - Fix CVE-2023-3817: Excessive time spent checking DH q parameter value - Resolves: RHEL-14237 + Resolves: RHEL-14239 -* Thu May 04 2023 Dmitry Belyavskiy - 1:1.1.1k-9 +* Wed Feb 08 2023 Dmitry Belyavskiy - 1:1.1.1k-9 - Fixed Timing Oracle in RSA Decryption Resolves: CVE-2022-4304 - Fixed Double free after calling PEM_read_bio_ex Resolves: CVE-2022-4450 - Fixed Use-after-free following BIO_new_NDEF Resolves: CVE-2023-0215 - -* Wed Feb 08 2023 Dmitry Belyavskiy - 1:1.1.1k-8 - Fixed X.400 address type confusion in X.509 GeneralName Resolves: CVE-2023-0286 +* Thu Jul 21 2022 Dmitry Belyavskiy - 1:1.1.1k-8 +- Fix no-ec build + Resolves: rhbz#2071020 + * Tue Jul 05 2022 Clemens Lang - 1:1.1.1k-7 - Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 Resolves: CVE-2022-2097 - Update expired 
certificates used in the testsuite - Resolves: rhbz#2100554 + Resolves: rhbz#2092462 - Fix CVE-2022-1292: openssl: c_rehash script allows command injection - Resolves: rhbz#2090371 + Resolves: rhbz#2090372 - Fix CVE-2022-2068: the c_rehash script allows command injection - Resolves: rhbz#2098278 + Resolves: rhbz#2098279 * Wed Mar 23 2022 Clemens Lang - 1:1.1.1k-6 - Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates -- Resolves: rhbz#2067145 +- Resolves: rhbz#2067146 * Tue Nov 16 2021 Sahana Prasad - 1:1.1.1k-5 - Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings