From 68f387b1c4b565556e15fc49848632b22c47d1af Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 12 Oct 2018 17:35:34 +0200 Subject: [PATCH] fix SECLEVEL 3 support fix some issues found in Coverity scan --- openssl-1.1.1-fips.patch | 31 ++++++++++++++++++------------- openssl-1.1.1-seclevel.patch | 19 +++++++++++++++---- openssl.spec | 8 ++++++-- 3 files changed, 39 insertions(+), 19 deletions(-) diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 3365a23..069cfde 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -453,11 +453,11 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge + ctx = BN_CTX_new(); + if (ctx == NULL) + return -1; -+ BN_CTX_start(ctx); + if (BN_cmp(dsa->g, BN_value_one()) <= 0) + return 0; + if (BN_cmp(dsa->g, dsa->p) >= 0) + return 0; ++ BN_CTX_start(ctx); + tmp = BN_CTX_get(ctx); + if (tmp == NULL) + goto err; @@ -697,7 +697,7 @@ diff -up openssl-1.1.1/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1/crypto/ec/ecdsa +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; ++ return -1; + } +#endif + @@ -2093,7 +2093,7 @@ diff -up openssl-1.1.1/crypto/fips/fips.c.fips openssl-1.1.1/crypto/fips/fips.c + int ret = 0; + + if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init)) -+ return NULL; ++ return 0; + + fips_w_lock(); + fips_started = 1; @@ -4255,7 +4255,7 @@ diff -up openssl-1.1.1/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1/crypto/fip diff -up openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1/crypto/fips/fips_drbg_rand.c --- openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips 2018-09-13 08:51:22.110520923 +0200 +++ openssl-1.1.1/crypto/fips/fips_drbg_rand.c 2018-09-13 08:51:22.110520923 +0200 -@@ -0,0 +1,183 @@ +@@ -0,0 +1,185 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4409,21 +4409,23 @@ diff -up openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1/crypto/fi +static int fips_drbg_seed(const void *seed, int seedlen) +{ + DRBG_CTX *dctx = &ossl_dctx; ++ int ret = 1; + CRYPTO_THREAD_write_lock(fips_rand_lock); + if (dctx->rand_seed_cb) -+ return dctx->rand_seed_cb(dctx, seed, seedlen); ++ ret = dctx->rand_seed_cb(dctx, seed, seedlen); + CRYPTO_THREAD_unlock(fips_rand_lock); -+ return 1; ++ return ret; +} + +static int fips_drbg_add(const void *seed, int seedlen, double add_entropy) +{ + DRBG_CTX *dctx = &ossl_dctx; ++ int ret = 1; + CRYPTO_THREAD_write_lock(fips_rand_lock); + if (dctx->rand_add_cb) -+ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy); ++ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy); + CRYPTO_THREAD_unlock(fips_rand_lock); -+ return 1; ++ return ret; +} + +static const RAND_METHOD rand_drbg_meth = { @@ -9699,7 +9701,7 @@ diff -up openssl-1.1.1/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1/cry + } + + for (;;) { -+ char buf[1024]; ++ unsigned char buf[1024]; + size_t l = fread(buf, 1, sizeof buf, f); + + if (l == 0) { @@ -9856,8 +9858,12 @@ diff -up openssl-1.1.1/crypto/include/internal/fips_int.h.fips openssl-1.1.1/cry +#endif diff -up openssl-1.1.1/crypto/o_fips.c.fips openssl-1.1.1/crypto/o_fips.c --- openssl-1.1.1/crypto/o_fips.c.fips 2018-09-11 14:48:21.000000000 +0200 -+++ openssl-1.1.1/crypto/o_fips.c 2018-09-13 08:51:22.114520830 +0200 -@@ -11,14 +11,25 @@ ++++ openssl-1.1.1/crypto/o_fips.c 2018-10-09 18:12:06.787802422 +0200 +@@ -8,17 +8,28 @@ + */ + + #include "internal/cryptlib.h" ++#include "internal/fips_int.h" int FIPS_mode(void) { @@ -9874,8 +9880,7 @@ diff -up openssl-1.1.1/crypto/o_fips.c.fips openssl-1.1.1/crypto/o_fips.c +#ifdef OPENSSL_FIPS + if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */ + return 1; -+ if (!FIPS_module_mode_set(r)) -+ return 0; ++ return FIPS_module_mode_set(r); +#else if (r == 0) return 1; diff --git a/openssl-1.1.1-seclevel.patch b/openssl-1.1.1-seclevel.patch index 0871c9d..8b6a77a 100644 --- a/openssl-1.1.1-seclevel.patch +++ b/openssl-1.1.1-seclevel.patch @@ -1,6 +1,6 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c --- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200 -+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-09-14 11:47:39.715317617 +0200 ++++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 09:52:23.535298908 +0200 @@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c } @@ -22,7 +22,7 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509 } diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod --- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200 -+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-09-14 11:47:39.715317617 +0200 ++++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 09:52:23.535298908 +0200 @@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited =item B @@ -38,7 +38,18 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl- diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c --- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200 -+++ openssl-1.1.1/ssl/ssl_cert.c 2018-09-14 11:47:39.716317598 +0200 ++++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200 +@@ -951,8 +951,8 @@ static int ssl_security_default_callback + if (level >= 2 && c->algorithm_enc == SSL_RC4) + return 0; + /* Level 3: forward secure ciphersuites only */ +- if (level >= 3 && (c->min_tls != TLS1_3_VERSION || +- !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))) ++ if (level >= 3 && c->min_tls != TLS1_3_VERSION && ++ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) + return 0; + break; + } @@ -983,6 +983,9 @@ static int ssl_security_default_callback return 0; break; @@ -51,7 +62,7 @@ diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c } diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t --- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200 -+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-09-14 12:36:40.021812399 +0200 ++++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 09:52:23.535298908 +0200 @@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ), "CA with PSS signature using SHA256"); diff --git a/openssl.spec b/openssl.spec index dfef25a..705fb24 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -227,7 +227,7 @@ sslarch=linux-generic64 # marked as not requiring an executable stack. # Also add -DPURIFY to make using valgrind with openssl easier as we do not # want to depend on the uninitialized memory as a source of entropy anyway. -RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS" +RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS" export HASHBANGPERL=/usr/bin/perl @@ -449,6 +449,10 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog +* Fri Oct 12 2018 Tomáš Mráz 1.1.1-6 +- fix SECLEVEL 3 support +- fix some issues found in Coverity scan + * Thu Sep 27 2018 Charalampos Stratakis - 1:1.1.1-5 - Correctly invoke sed for defining OPENSSL_NO_SSL3