Update to the 1.1.1i release fixing CVE-2020-1971

This commit is contained in:
Tomas Mraz 2020-12-09 10:48:08 +01:00
parent 3413ff9700
commit a07706cf0e
6 changed files with 2369 additions and 93 deletions

1
.gitignore vendored
View File

@ -49,3 +49,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.1f-hobbled.tar.xz /openssl-1.1.1f-hobbled.tar.xz
/openssl-1.1.1g-hobbled.tar.xz /openssl-1.1.1g-hobbled.tar.xz
/openssl-1.1.1h-hobbled.tar.xz /openssl-1.1.1h-hobbled.tar.xz
/openssl-1.1.1i-hobbled.tar.xz

File diff suppressed because it is too large Load Diff

View File

@ -1,6 +1,6 @@
diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/fips/fips.c diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c
--- openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand 2020-03-17 18:06:16.822418854 +0100 --- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand 2020-12-09 10:26:41.634106328 +0100
+++ openssl-1.1.1e/crypto/fips/fips.c 2020-03-17 18:06:16.861418172 +0100 +++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-09 10:26:41.652106475 +0100
@@ -68,6 +68,7 @@ @@ -68,6 +68,7 @@
# include <openssl/fips.h> # include <openssl/fips.h>
@ -51,10 +51,10 @@ diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/
ret = 1; ret = 1;
goto end; goto end;
} }
diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/crypto/rand/drbg_lib.c diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c
--- openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100 --- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
+++ openssl-1.1.1e/crypto/rand/drbg_lib.c 2020-03-17 18:07:35.305045521 +0100 +++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-09 10:26:41.652106475 +0100
@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg @@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
return min_entropy > min_entropylen ? min_entropy : min_entropylen; return min_entropy > min_entropylen ? min_entropy : min_entropylen;
} }
@ -75,9 +75,9 @@ diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/cry
/* Implements the default OpenSSL RAND_add() method */ /* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness) static int drbg_add(const void *buf, int num, double randomness)
{ {
diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/crypto/rand/rand_unix.c diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c
--- openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100 --- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
+++ openssl-1.1.1e/crypto/rand/rand_unix.c 2020-03-17 18:09:01.503537189 +0100 +++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-09 10:36:59.531221903 +0100
@@ -17,10 +17,12 @@ @@ -17,10 +17,12 @@
#include <openssl/crypto.h> #include <openssl/crypto.h>
#include "rand_local.h" #include "rand_local.h"
@ -91,7 +91,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
# ifdef DEVRANDOM_WAIT # ifdef DEVRANDOM_WAIT
# include <sys/shm.h> # include <sys/shm.h>
# include <sys/utsname.h> # include <sys/utsname.h>
@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf, @@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
* syscall_random(): Try to get random data using a system call * syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error. * returns the number of bytes returned in buf, or < 0 on error.
*/ */
@ -100,15 +100,15 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
{ {
/* /*
* Note: 'buflen' equals the size of the buffer which is used by the * Note: 'buflen' equals the size of the buffer which is used by the
@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf, @@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
* - Linux since 3.17 with glibc 2.25 * Note: Sometimes getentropy() can be provided but not implemented
* - FreeBSD since 12.0 (1200061) * internally. So we need to check errno for ENOSYS
*/ */
+# if 0 +# if 0
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak)); extern int getentropy(void *buffer, size_t length) __attribute__((weak));
@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf, @@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
if (p_getentropy.p != NULL) if (p_getentropy.p != NULL)
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
# endif # endif
@ -122,7 +122,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
return sysctl_random(buf, buflen); return sysctl_random(buf, buflen);
# else # else
@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t entropy_available; size_t entropy_available;
# if defined(OPENSSL_RAND_SEED_GETRANDOM) # if defined(OPENSSL_RAND_SEED_GETRANDOM)
@ -132,7 +132,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
{ {
size_t bytes_needed; size_t bytes_needed;
unsigned char *buffer; unsigned char *buffer;
@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
while (bytes_needed != 0 && attempts-- > 0) { while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed); buffer = rand_pool_add_begin(pool, bytes_needed);
@ -141,7 +141,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
if (bytes > 0) { if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes); rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes; bytes_needed -= bytes;
@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
int attempts = 3; int attempts = 3;
const int fd = get_random_device(i); const int fd = get_random_device(i);
@ -153,7 +153,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
while (bytes_needed != 0 && attempts-- > 0) { while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed); buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
return entropy_available; return entropy_available;
} }
# endif # endif
@ -164,9 +164,9 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
return rand_pool_entropy_available(pool); return rand_pool_entropy_available(pool);
# endif # endif
} }
diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/include/crypto/fips.h diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h
--- openssl-1.1.1e/include/crypto/fips.h.fips-post-rand 2020-03-17 18:06:16.831418696 +0100 --- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand 2020-12-09 10:26:41.639106369 +0100
+++ openssl-1.1.1e/include/crypto/fips.h 2020-03-17 18:06:16.861418172 +0100 +++ openssl-1.1.1i/include/crypto/fips.h 2020-12-09 10:26:41.657106516 +0100
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void); int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void); int FIPS_selftest_cmac(void);
@ -176,9 +176,9 @@ diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/incl
int fips_pkey_signature_test(EVP_PKEY *pkey, int fips_pkey_signature_test(EVP_PKEY *pkey,
const unsigned char *tbs, int tbslen, const unsigned char *tbs, int tbslen,
const unsigned char *kat, const unsigned char *kat,
diff -up openssl-1.1.1e/include/crypto/rand.h.fips-post-rand openssl-1.1.1e/include/crypto/rand.h diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h
--- openssl-1.1.1e/include/crypto/rand.h.fips-post-rand 2020-03-17 15:31:17.000000000 +0100 --- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
+++ openssl-1.1.1e/include/crypto/rand.h 2020-03-17 18:07:35.303045555 +0100 +++ openssl-1.1.1i/include/crypto/rand.h 2020-12-09 10:26:41.657106516 +0100
@@ -24,6 +24,7 @@ @@ -24,6 +24,7 @@
typedef struct rand_pool_st RAND_POOL; typedef struct rand_pool_st RAND_POOL;

View File

@ -1,12 +1,12 @@
diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h
--- openssl-1.1.1g/include/openssl/opensslv.h.version-override 2020-04-23 13:29:37.802673513 +0200 --- openssl-1.1.1i/include/openssl/opensslv.h.version-override 2020-12-09 10:25:12.042374409 +0100
+++ openssl-1.1.1g/include/openssl/opensslv.h 2020-04-23 13:30:13.064008458 +0200 +++ openssl-1.1.1i/include/openssl/opensslv.h 2020-12-09 10:26:00.362769170 +0100
@@ -40,7 +40,7 @@ extern "C" { @@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x1010108fL # define OPENSSL_VERSION_NUMBER 0x1010109fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h 22 Sep 2020" -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1i 8 Dec 2020"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h FIPS 22 Sep 2020" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1i FIPS 8 Dec 2020"
/*- /*-
* The macros below are to be used for shared library (.so, .dll, ...) * The macros below are to be used for shared library (.so, .dll, ...)

View File

@ -21,7 +21,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1h Version: 1.1.1i
Release: 1%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
@ -473,6 +473,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Dec 9 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1i-1
- Update to the 1.1.1i release fixing CVE-2020-1971
* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1 * Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
- Upgrade to version 1.1.1.h - Upgrade to version 1.1.1.h

View File

@ -1 +1 @@
SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908 SHA512 (openssl-1.1.1i-hobbled.tar.xz) = e131a05e88690a7be7c3d74cbb26620130498ced2ce3d7fd55979aab5ea736ec8b268ba92268bd5bc347989325a3950a066883007cb20c2dd9739fd1eafc513f