- Fixes core dump in openssl req -modulus

- Fixes 'openssl req' to not ask for password when non-encrypted private key
  is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137

Signed-off-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
Sahana Prasad 2021-08-10 16:52:53 +02:00
parent 2862adca42
commit 0c6f4a599c
4 changed files with 123 additions and 1 deletions

View File

@ -0,0 +1,38 @@
diff -up openssl-3.0.0-beta2/apps/req.c.req-segfault openssl-3.0.0-beta2/apps/req.c
--- openssl-3.0.0-beta2/apps/req.c.req-segfault 2021-08-10 16:24:58.784384336 +0200
+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:26:38.347688172 +0200
@@ -996,8 +996,8 @@ int req_main(int argc, char **argv)
if (EVP_PKEY_is_a(tpubkey, "RSA")) {
BIGNUM *n = NULL;
- /* Every RSA key has an 'n' */
- EVP_PKEY_get_bn_param(pkey, "n", &n);
+ if (!EVP_PKEY_get_bn_param(tpubkey, "n", &n))
+ goto end;
BN_print(out, n);
BN_free(n);
} else {
diff -up openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault openssl-3.0.0-beta2/test/recipes/25-test_req.t
--- openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault 2021-08-10 16:26:53.305884053 +0200
+++ openssl-3.0.0-beta2/test/recipes/25-test_req.t 2021-08-10 16:28:33.674221058 +0200
@@ -78,7 +78,7 @@ subtest "generating alt certificate requ
subtest "generating certificate requests with RSA" => sub {
- plan tests => 7;
+ plan tests => 8;
SKIP: {
skip "RSA is not supported by this OpenSSL build", 2
@@ -105,6 +105,11 @@ subtest "generating certificate requests
ok(run(app(["openssl", "req",
"-config", srctop_file("test", "test.cnf"),
+ "-modulus", "-in", "testreq-rsa.pem", "-noout"])),
+ "Printing a modulus of the request key");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
"-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
"-key", srctop_file("test", "testrsa_withattrs.pem")])),
"Generating request from a key with extra attributes - PEM");

View File

@ -0,0 +1,33 @@
diff -up openssl-3.0.0-beta2/apps/req.c.req-password openssl-3.0.0-beta2/apps/req.c
--- openssl-3.0.0-beta2/apps/req.c.req-password 2021-08-10 16:31:04.726233653 +0200
+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:31:58.286947297 +0200
@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
EVP_PKEY_CTX_free(genctx);
genctx = NULL;
}
- if (keyout == NULL) {
+ if (keyout == NULL && keyfile == NULL) {
keyout = NCONF_get_string(req_conf, section, KEYFILE);
if (keyout == NULL)
ERR_clear_error();
diff -up openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in
--- openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password 2021-08-10 16:32:21.863261416 +0200
+++ openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in 2021-08-10 16:33:19.173025012 +0200
@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for det
=item B<-keyout> I<filename>
This gives the filename to write any private key to that has been newly created
-or read from B<-key>.
-If the B<-keyout> option is not given the filename specified in the
-configuration file with the B<default_keyfile> option is used, if present.
-If a new key is generated and no filename is specified
-the key is written to standard output.
+or read from B<-key>. If neither the B<-keyout> option nor the B<-key> option
+are given then the filename specified in the configuration file with the
+B<default_keyfile> option is used, if present. Thus, if you want to write the
+private key and the B<-key> option is provided, you should provide the
+B<-keyout> option explicitly. If a new key is generated and no filename is
+specified the key is written to standard output.
=item B<-noenc>

38
0023-cms-stdin.patch Normal file
View File

@ -0,0 +1,38 @@
diff -up openssl-3.0.0-beta2/apps/cms.c.cms-stdin openssl-3.0.0-beta2/apps/cms.c
--- openssl-3.0.0-beta2/apps/cms.c.cms-stdin 2021-08-10 16:20:07.787573587 +0200
+++ openssl-3.0.0-beta2/apps/cms.c 2021-08-10 16:23:08.500940124 +0200
@@ -278,6 +278,8 @@ static void warn_binary(const char *file
unsigned char linebuf[1024], *cur, *end;
int len;
+ if (file == NULL)
+ return; /* cannot give a warning for stdin input */
if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL)
return; /* cannot give a proper warning since there is an error */
while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) {
@@ -482,13 +484,9 @@ int cms_main(int argc, char **argv)
rr_allorfirst = 1;
break;
case OPT_RCTFORM:
- if (rctformat == FORMAT_ASN1) {
- if (!opt_format(opt_arg(),
- OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
- goto opthelp;
- } else {
- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
- }
+ if (!opt_format(opt_arg(),
+ OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
+ goto opthelp;
break;
case OPT_CERTFILE:
certfile = opt_arg();
@@ -954,7 +952,7 @@ int cms_main(int argc, char **argv)
goto end;
}
- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
+ rcms = load_content_info(rctformat, rctin, 0, NULL, "receipt");
if (rcms == NULL)
goto end;
}

View File

@ -15,7 +15,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.0
Release: 0.beta2.2%{?dist}.1
Release: 0.beta2.3%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -56,6 +56,12 @@ Patch11: 0011-Remove-EC-curves.patch
Patch19: 0019-dual-abi.patch
# Update alerts according to #1965017
Patch20: 0020-sigalgs-fix-alerts.patch
# Fixes core dump in openssl req -modulus
Patch21: 0021-fix-core-dump-req.patch
# Fixes 'openssl req' to not ask for password when non-encrypted key
Patch22: 0022-fix-openssl-req-password.patch
# cms: Do not try to check binary format on stdin and -rctform fix
Patch23: 0023-cms-stdin.patch
License: ASL 2.0
URL: http://www.openssl.org/
@ -378,6 +384,13 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Tue Aug 10 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.3
- Fixes core dump in openssl req -modulus
- Fixes 'openssl req' to not ask for password when non-encrypted private key
is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.beta2.2.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688