From 0c6f4a599c949a6ece9595915a9843818a6ef2d0 Mon Sep 17 00:00:00 2001
From: Sahana Prasad
Date: Tue, 10 Aug 2021 16:52:53 +0200
Subject: [PATCH] - Fixes core dump in openssl req -modulus

- Fixes 'openssl req' to not ask for password when non-encrypted private key is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137

Signed-off-by: Sahana Prasad
---
 0021-fix-core-dump-req.patch | 38 +++++++++++++++++++++++++++++
 0022-fix-openssl-req-password.patch | 33 +++++++++++++++++++++++++
 0023-cms-stdin.patch | 38 +++++++++++++++++++++++++++++
 openssl.spec | 15 +++++++++++-
 4 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 0021-fix-core-dump-req.patch
 create mode 100644 0022-fix-openssl-req-password.patch
 create mode 100644 0023-cms-stdin.patch

diff --git a/0021-fix-core-dump-req.patch b/0021-fix-core-dump-req.patch
new file mode 100644
index 0000000..e4cf377
--- /dev/null
+++ b/0021-fix-core-dump-req.patch
@@ -0,0 +1,38 @@
+diff -up openssl-3.0.0-beta2/apps/req.c.req-segfault openssl-3.0.0-beta2/apps/req.c
+--- openssl-3.0.0-beta2/apps/req.c.req-segfault 2021-08-10 16:24:58.784384336 +0200
++++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:26:38.347688172 +0200
+@@ -996,8 +996,8 @@ int req_main(int argc, char **argv)
+ if (EVP_PKEY_is_a(tpubkey, "RSA")) {
+ BIGNUM *n = NULL;
+ 
+- /* Every RSA key has an 'n' */
+- EVP_PKEY_get_bn_param(pkey, "n", &n);
++ if (!EVP_PKEY_get_bn_param(tpubkey, "n", &n))
++ goto end;
+ BN_print(out, n);
+ BN_free(n);
+ } else {
+diff -up openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault openssl-3.0.0-beta2/test/recipes/25-test_req.t
+--- openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault 2021-08-10 16:26:53.305884053 +0200
++++ openssl-3.0.0-beta2/test/recipes/25-test_req.t 2021-08-10 16:28:33.674221058 +0200
+@@ -78,7 +78,7 @@ subtest "generating alt certificate requ
+ 
+ 
+ subtest "generating certificate requests with RSA" => sub {
+- plan tests => 7;
++ plan tests => 8;
+ 
+ SKIP: {
+ skip "RSA is not supported by this OpenSSL build", 2
+@@ -105,6 +105,11 @@ subtest "generating certificate requests
+ 
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
++ "-modulus", "-in", "testreq-rsa.pem", "-noout"])),
++ "Printing a modulus of the request key");
++
++ ok(run(app(["openssl", "req",
++ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
+ "-key", srctop_file("test", "testrsa_withattrs.pem")])),
+ "Generating request from a key with extra attributes - PEM");
diff --git a/0022-fix-openssl-req-password.patch b/0022-fix-openssl-req-password.patch
new file mode 100644
index 0000000..077b4c5
--- /dev/null
+++ b/0022-fix-openssl-req-password.patch
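Review bot: The new guard on EVP_PKEY_get_bn_param also switches the queried key from `pkey` to `tpubkey`, and nothing in the patch records why; presumably `pkey` is unset when only -in is supplied, which is the crash the subject describes, and that deserves a line above the `if`, e.g. `/* query the request's public key: pkey is not set when only -in was given */`. The `goto end` relies on `ret` still holding its failure value at that point and on the end label reporting the error queue, neither of which the hunk shows; req_main starts and ends outside the hunk, so confirm both against the rest of the function. The added test exercises the formerly crashing invocation (-modulus with only -in), which is the right regression check.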
@@ -0,0 +1,33 @@
+diff -up openssl-3.0.0-beta2/apps/req.c.req-password openssl-3.0.0-beta2/apps/req.c
+--- openssl-3.0.0-beta2/apps/req.c.req-password 2021-08-10 16:31:04.726233653 +0200
++++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:31:58.286947297 +0200
+@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
+ EVP_PKEY_CTX_free(genctx);
+ genctx = NULL;
+ }
+- if (keyout == NULL) {
++ if (keyout == NULL && keyfile == NULL) {
+ keyout = NCONF_get_string(req_conf, section, KEYFILE);
+ if (keyout == NULL)
+ ERR_clear_error();
+diff -up openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in
+--- openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password 2021-08-10 16:32:21.863261416 +0200
++++ openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in 2021-08-10 16:33:19.173025012 +0200
+@@ -205,11 +205,12 @@ See L for det
+ =item B<-keyout> I
+ 
+ This gives the filename to write any private key to that has been newly created
+-or read from B<-key>.
+-If the B<-keyout> option is not given the filename specified in the
+-configuration file with the B option is used, if present.
+-If a new key is generated and no filename is specified
+-the key is written to standard output.
++or read from B<-key>. If neither the B<-keyout> option nor the B<-key> option
++are given then the filename specified in the configuration file with the
++B option is used, if present. Thus, if you want to write the
++private key and the B<-key> option is provided, you should provide the
++B<-keyout> option explicitly. If a new key is generated and no filename is
++specified the key is written to standard output.
+ 
+ =item B<-noenc>
+ 
diff --git a/0023-cms-stdin.patch b/0023-cms-stdin.patch
new file mode 100644
index 0000000..0c18c12
--- /dev/null
+++ b/0023-cms-stdin.patch
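Review bot: The added `keyfile == NULL` condition changes what `openssl req -key` does when no -keyout is given — the key read from -key is no longer written to the configuration's default_keyfile — and the password prompt named in the subject is only an indirect effect of that key no longer being written and therefore no longer encrypted; the commit message should state the behavioural change itself, because a configuration that relied on default_keyfile to capture a key passed with -key now silently stops doing so. req_main starts and ends outside the hunk. In the manual page hunk, `If neither the B<-keyout> option nor the B<-key> option are given` should read `... option is given`.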
@@ -0,0 +1,38 @@
+diff -up openssl-3.0.0-beta2/apps/cms.c.cms-stdin openssl-3.0.0-beta2/apps/cms.c
+--- openssl-3.0.0-beta2/apps/cms.c.cms-stdin 2021-08-10 16:20:07.787573587 +0200
++++ openssl-3.0.0-beta2/apps/cms.c 2021-08-10 16:23:08.500940124 +0200
+@@ -278,6 +278,8 @@ static void warn_binary(const char *file
+ unsigned char linebuf[1024], *cur, *end;
+ int len;
+ 
++ if (file == NULL)
++ return; /* cannot give a warning for stdin input */
+ if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL)
+ return; /* cannot give a proper warning since there is an error */
+ while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) {
+@@ -482,13 +484,9 @@ int cms_main(int argc, char **argv)
+ rr_allorfirst = 1;
+ break;
+ case OPT_RCTFORM:
+- if (rctformat == FORMAT_ASN1) {
+- if (!opt_format(opt_arg(),
+- OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
+- goto opthelp;
+- } else {
+- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
+- }
++ if (!opt_format(opt_arg(),
++ OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
++ goto opthelp;
+ break;
+ case OPT_CERTFILE:
+ certfile = opt_arg();
+@@ -954,7 +952,7 @@ int cms_main(int argc, char **argv)
+ goto end;
+ }
+ 
+- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
++ rcms = load_content_info(rctformat, rctin, 0, NULL, "receipt");
+ if (rcms == NULL)
+ goto end;
+ }
diff --git a/openssl.spec b/openssl.spec
index 64e409d..86d283a 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.0
-Release: 0.beta2.2%{?dist}.1
+Release: 0.beta2.3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
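Review bot: The `file == NULL` guard in warn_binary covers only the unset case; if bio_open_default follows the apps-helper convention of also mapping "-" to stdin (it is outside the hunk, so this is inferred), `-in -` still reaches the BIO_read loop below and consumes the input before the real read, so the guard should be `if (file == NULL || strcmp(file, "-") == 0)` with the same comment. The rest of warn_binary and the whole of cms_main lie outside the hunks. Dropping the else branch in OPT_RCTFORM is safe only because the receipt is loaded unconditionally after option parsing, as the third hunk shows; a one-line comment there, `/* receipt is loaded after option parsing, once rctformat is final */`, would keep the next reader from re-adding an early load. The "recipient" to "receipt" rename only changes the description used in diagnostics, which is worth a word in the patch header.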
@@ -56,6 +56,12 @@ Patch11: 0011-Remove-EC-curves.patch
 Patch19: 0019-dual-abi.patch
 # Update alerts according to #1965017
 Patch20: 0020-sigalgs-fix-alerts.patch
+# Fixes core dump in openssl req -modulus
+Patch21: 0021-fix-core-dump-req.patch
+# Fixes 'openssl req' to not ask for password when non-encrypted key
+Patch22: 0022-fix-openssl-req-password.patch
+# cms: Do not try to check binary format on stdin and -rctform fix
+Patch23: 0023-cms-stdin.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -378,6 +384,13 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Tue Aug 10 2021 Sahana Prasad - 3.0.0-0.beta2.3
+- Fixes core dump in openssl req -modulus
+- Fixes 'openssl req' to not ask for password when non-encrypted private key
+ is used
+- cms: Do not try to check binary format on stdin and -rctform fix
+- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
+
 * Mon Aug 09 2021 Mohan Boddu - 1:3.0.0-0.beta2.2.1
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688
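Review bot: The comment above Patch22, `# Fixes 'openssl req' to not ask for password when non-encrypted key`, is cut short; `# Fixes 'openssl req' to not ask for password when a non-encrypted key is used` reads as a sentence and matches the changelog entry. If %prep applies patches with explicit %patchN lines rather than %autosetup, the three new declarations need matching entries there, which this diff does not show. The changelog hunk below, like the commit message, lists `rhbz#1988137` twice in its Resolves line, so one of the three bug references is presumably a typo for a different bug.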