From 90bf702df6a977860dc2764e2a12a64b633df21a Mon Sep 17 00:00:00 2001
From: Sahana Prasad
Date: Tue, 6 Jul 2021 22:35:53 +0200
Subject: [PATCH] - Fixes override of openssl_conf in openssl.cnf - Use AI_ADDRCONFIG only when explicit host name is given - Temporarily remove fipsmodule.cnf for arch i686 - Fixes segmentation fault in BN_lebin2bn Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855
Signed-off-by: Sahana Prasad
---
 0017-use-AI-ADDRCONFIG-explicit-hostname.patch | 12 ++++++++++++
 0018-Fix-crash-BN_lebin2bn.patch | 12 ++++++++++++
 openssl.spec | 16 ++++++++++++++--
 3 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 0017-use-AI-ADDRCONFIG-explicit-hostname.patch
 create mode 100644 0018-Fix-crash-BN_lebin2bn.patch
diff --git a/0017-use-AI-ADDRCONFIG-explicit-hostname.patch b/0017-use-AI-ADDRCONFIG-explicit-hostname.patch
new file mode 100644
index 0000000..15d9199
--- /dev/null
+++ b/0017-use-AI-ADDRCONFIG-explicit-hostname.patch
@@ -0,0 +1,12 @@
+diff -up openssl-3.0.0-alpha16/crypto/bio/b_addr.c.use-explicit openssl-3.0.0-alpha16/crypto/bio/b_addr.c
+--- openssl-3.0.0-alpha16/crypto/bio/b_addr.c.use-explicit 2021-07-06 14:06:05.706578389 +0200
++++ openssl-3.0.0-alpha16/crypto/bio/b_addr.c 2021-07-06 14:07:24.482329505 +0200
+@@ -696,7 +696,7 @@ int BIO_lookup_ex(const char *host, cons
+ hints.ai_protocol = protocol;
+ # ifdef AI_ADDRCONFIG
+ # ifdef AF_UNSPEC
+- if (family == AF_UNSPEC)
++ if (host != NULL && family == AF_UNSPEC)
+ # endif
+ hints.ai_flags |= AI_ADDRCONFIG;
+ # endif
diff --git a/0018-Fix-crash-BN_lebin2bn.patch b/0018-Fix-crash-BN_lebin2bn.patch
new file mode 100644
index 0000000..375c960
--- /dev/null
+++ b/0018-Fix-crash-BN_lebin2bn.patch
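Review bot: In the nested b_addr.c hunk of 0017-use-AI-ADDRCONFIG-explicit-hostname.patch, the new `host != NULL` test sits on the `if` line that exists only under `# ifdef AF_UNSPEC`, so on a build without AF_UNSPEC the bare `hints.ai_flags |= AI_ADDRCONFIG;` still applies to a NULL host. If that configuration matters, make `if (host != NULL)` the outer test and keep only the `family == AF_UNSPEC` part under the inner `#ifdef`. The line also deserves a why-comment, for example `/* a NULL host is a wildcard/loopback lookup; do not filter it by configured interfaces */`. BIO_lookup_ex starts and ends outside the hunk, so how `host` is used elsewhere in the function is not visible here.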
@@ -0,0 +1,12 @@
+diff -up openssl-3.0.0-alpha16/apps/x509.c.segfault-bn openssl-3.0.0-alpha16/apps/x509.c
+--- openssl-3.0.0-alpha16/apps/x509.c.segfault-bn 2021-07-06 22:12:37.021406952 +0200
++++ openssl-3.0.0-alpha16/apps/x509.c 2021-07-06 22:13:40.540996922 +0200
+@@ -934,7 +934,7 @@ int x509_main(int argc, char **argv)
+ } else if (i == modulus) {
+ BIO_printf(out, "Modulus=");
+ if (EVP_PKEY_is_a(pkey, "RSA")) {
+- BIGNUM *n;
++ BIGNUM *n = NULL;
+
+ /* Every RSA key has an 'n' */
+ EVP_PKEY_get_bn_param(pkey, "n", &n);
diff --git a/openssl.spec b/openssl.spec
index 19f22de..0eb6b9c 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -64,6 +64,10 @@ Patch14: 0014-Return0-OPENSSL-init-crypto-cleanup.patch
 Patch15: 0015-Cleanup-peer-point-formats-regotiation.patch
 # Fix default digest to SHA256
 Patch16: 0016-Fix-default-digest-SHA256.patch
+# Use AI_ADDRCONFIG only when explicit host name is given
+Patch17: 0017-use-AI-ADDRCONFIG-explicit-hostname.patch
+# Fix segmentation fault in BN_lebin2bn()
+Patch18: 0018-Fix-crash-BN_lebin2bn.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -296,6 +300,9 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
+%ifarch i686
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
+%endif
 # Determine which arch opensslconf.h is going to try to #include.
 basearch=%{_arch}
@@ -352,7 +359,6 @@ export LD_LIBRARY_PATH
 %dir %{_sysconfdir}/pki/tls/misc
 %dir %{_sysconfdir}/pki/tls/private
 %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
-%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
 %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
 %attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
 %{_libdir}/libcrypto.so.%{soversion}
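Review bot: In the nested apps/x509.c hunk of 0018-Fix-crash-BN_lebin2bn.patch, the return value of `EVP_PKEY_get_bn_param(pkey, "n", &n);` is still discarded, so after this change a failed lookup leaves `n` as NULL instead of an indeterminate pointer. Whatever consumes `n` after the hunk (x509_main continues outside it, so that code is not visible) has to tolerate NULL, otherwise the crash only moves. Testing the call, e.g. `if (!EVP_PKEY_get_bn_param(pkey, "n", &n))` followed by the function's existing error exit, closes that path. A short comment on the initializer, such as `/* must start NULL: a non-NULL *bn is taken as an existing BIGNUM to fill */`, would record why the initialization matters.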
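Review bot: The `%ifarch i686` block that deletes fipsmodule.cnf in the openssl.spec hunk at -296 carries no comment, and neither does the matching `%ifnarch i686` guard added to %files in the hunk at -360; only the changelog entry says the removal is temporary. A comment above the block, e.g. `# Temporary: fipsmodule.cnf is not shipped on i686; drop together with the %ifnarch guard in %files`, would keep the two conditionals from drifting apart when one of them is later reverted. It would also help to state whether the FIPS provider is expected to be usable on i686 without this file, which the diff does not show.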
@@ -360,6 +366,9 @@ export LD_LIBRARY_PATH
 %{_libdir}/libssl.so.%{soversion}
 %attr(0755,root,root) %{_libdir}/engines-%{soversion}
 %attr(0755,root,root) %{_libdir}/ossl-modules
+%ifnarch i686
+%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
+%endif
 %files devel
 %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
@@ -385,7 +394,10 @@ export LD_LIBRARY_PATH
 %changelog
 * Tue Jul 06 2021 Sahana Prasad 3.0.0-0.alpha16.7
 - Fixes override of openssl_conf in openssl.cnf
-- Resolves: rhbz#1975847
+- Use AI_ADDRCONFIG only when explicit host name is given
+- Temporarily remove fipsmodule.cnf for arch i686
+- Fixes segmentation fault in BN_lebin2bn
+- Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855
 * Fri Jul 02 2021 Sahana Prasad 3.0.0-0.alpha16.6
 - Adds FIPS mode compatibility patch (sahana@redhat.com)