import openssl-1.1.1k-7.el8_6
parent
145dc9b8af
commit
bc18edacfc
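--- a/SOURCES/openssl-1.1.1-cve-2022-1292.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-1292.patch
@@ -0,0 +1,74 @@
+From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 26 Apr 2022 12:40:24 +0200
+Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
+
+Except on VMS where it is safe.
+
+This fixes CVE-2022-1292.
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23]
+---
+tools/c_rehash.in | 29 +++++++++++++++++++++++++----
+1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index fa7c6c9fef91..83c1cc80e08a 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -152,6 +152,23 @@ sub check_file {
+return ($is_cert, $is_crl);
+}
+
++sub compute_hash {
++ my $fh;
++ if ( $^O eq "VMS" ) {
++ # VMS uses the open through shell
++ # The file names are safe there and list form is unsupported
++ if (!open($fh, "-|", join(' ', @_))) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ } else {
++ if (!open($fh, "-|", @_)) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ }
++ return (<$fh>, <$fh>);
++}
+
+# Link a certificate to its subject name hash value, each hash is of
+# the form <hash>.<n> where n is an integer. If the hash value already exists
+@@ -161,10 +178,12 @@ sub check_file {
+
+sub link_hash_cert {
+my $fname = $_[0];
+- $fname =~ s/\"/\\\"/g;
+- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
++ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+chomp $hash;
+chomp $fprint;
++ return if !$hash;
+$fprint =~ s/^.*=//;
+$fprint =~ tr/://d;
+my $suffix = 0;
+@@ -202,10 +221,12 @@ sub link_hash_cert {
+
+sub link_hash_crl {
+my $fname = $_[0];
+- $fname =~ s/'/'\\''/g;
+- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
++ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+chomp $hash;
+chomp $fprint;
++ return if !$hash;
+$fprint =~ s/^.*=//;
+$fprint =~ tr/://d;
+my $suffix = 0;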
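Review bot: `compute_hash` never closes the pipe it opens, so a non-zero exit from openssl goes unnoticed and both callers rely on `return if !$hash` alone to detect failure. Reading the output first and checking the close makes that explicit: `my @out = <$fh>;`, `close($fh) or return;`, `return @out;` (this also replaces the `(<$fh>, <$fh>)` pair, whose second read is always empty in list context). The two error messages interpolate `$fname`, which is not one of the function's arguments, so they depend on a `$fname` being visible from outside the sub; using the last element of `@_` would remove that coupling. In the VMS branch the arguments are still joined into a single string for the shell, so that path stays safe only as long as the comment's assumption about VMS file names holds.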
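--- a/SOURCES/openssl-1.1.1-cve-2022-2068.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-2068.patch
@@ -0,0 +1,255 @@
+From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
+From: Daniel Fiala <daniel@openssl.org>
+Date: Sun, 29 May 2022 20:11:24 +0200
+Subject: [PATCH] Fix file operations in c_rehash.
+
+CVE-2022-2068
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7]
+---
+tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
+1 file changed, 107 insertions(+), 109 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index cfd18f5da110..9d2a6f6db73b 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -104,52 +104,78 @@ foreach (@dirlist) {
+}
+exit($errorcount);
+
++sub copy_file {
++ my ($src_fname, $dst_fname) = @_;
++
++ if (open(my $in, "<", $src_fname)) {
++ if (open(my $out, ">", $dst_fname)) {
++ print $out $_ while (<$in>);
++ close $out;
++ } else {
++ warn "Cannot open $dst_fname for write, $!";
++ }
++ close $in;
++ } else {
++ warn "Cannot open $src_fname for read, $!";
++ }
++}
++
+sub hash_dir {
+- my %hashlist;
+- print "Doing $_[0]\n";
+- chdir $_[0];
+- opendir(DIR, ".");
+- my @flist = sort readdir(DIR);
+- closedir DIR;
+- if ( $removelinks ) {
+- # Delete any existing symbolic links
+- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+- if (-l $_) {
+- print "unlink $_" if $verbose;
+- unlink $_ || warn "Can't unlink $_, $!\n";
+- }
+- }
+- }
+- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+- # Check to see if certificates and/or CRLs present.
+- my ($cert, $crl) = check_file($fname);
+- if (!$cert && !$crl) {
+- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+- next;
+- }
+- link_hash_cert($fname) if ($cert);
+- link_hash_crl($fname) if ($crl);
+- }
++ my $dir = shift;
++ my %hashlist;
++
++ print "Doing $dir\n";
++
++ if (!chdir $dir) {
++ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
++ return;
++ }
++
++ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
++ my @flist = sort readdir(DIR);
++ closedir DIR;
++ if ( $removelinks ) {
++ # Delete any existing symbolic links
++ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
++ if (-l $_) {
++ print "unlink $_\n" if $verbose;
++ unlink $_ || warn "Can't unlink $_, $!\n";
++ }
++ }
++ }
++ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
++ # Check to see if certificates and/or CRLs present.
++ my ($cert, $crl) = check_file($fname);
++ if (!$cert && !$crl) {
++ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
++ next;
++ }
++ link_hash_cert($fname) if ($cert);
++ link_hash_crl($fname) if ($crl);
++ }
++
++ chdir $pwd;
+}
+
+sub check_file {
+- my ($is_cert, $is_crl) = (0,0);
+- my $fname = $_[0];
+- open IN, $fname;
+- while(<IN>) {
+- if (/^-----BEGIN (.*)-----/) {
+- my $hdr = $1;
+- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+- $is_cert = 1;
+- last if ($is_crl);
+- } elsif ($hdr eq "X509 CRL") {
+- $is_crl = 1;
+- last if ($is_cert);
+- }
+- }
+- }
+- close IN;
+- return ($is_cert, $is_crl);
++ my ($is_cert, $is_crl) = (0,0);
++ my $fname = $_[0];
++
++ open(my $in, "<", $fname);
++ while(<$in>) {
++ if (/^-----BEGIN (.*)-----/) {
++ my $hdr = $1;
++ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
++ $is_cert = 1;
++ last if ($is_crl);
++ } elsif ($hdr eq "X509 CRL") {
++ $is_crl = 1;
++ last if ($is_cert);
++ }
++ }
++ }
++ close $in;
++ return ($is_cert, $is_crl);
+}
+
+sub compute_hash {
+@@ -177,76 +203,48 @@ sub compute_hash {
+# certificate fingerprints
+
+sub link_hash_cert {
+- my $fname = $_[0];
+- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+- "-fingerprint", "-noout",
+- "-in", $fname);
+- chomp $hash;
+- chomp $fprint;
+- return if !$hash;
+- $fprint =~ s/^.*=//;
+- $fprint =~ tr/://d;
+- my $suffix = 0;
+- # Search for an unused hash filename
+- while(exists $hashlist{"$hash.$suffix"}) {
+- # Hash matches: if fingerprint matches its a duplicate cert
+- if ($hashlist{"$hash.$suffix"} eq $fprint) {
+- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
+- return;
+- }
+- $suffix++;
+- }
+- $hash .= ".$suffix";
+- if ($symlink_exists) {
+- print "link $fname -> $hash\n" if $verbose;
+- symlink $fname, $hash || warn "Can't symlink, $!";
+- } else {
+- print "copy $fname -> $hash\n" if $verbose;
+- if (open($in, "<", $fname)) {
+- if (open($out,">", $hash)) {
+- print $out $_ while (<$in>);
+- close $out;
+- } else {
+- warn "can't open $hash for write, $!";
+- }
+- close $in;
+- } else {
+- warn "can't open $fname for read, $!";
+- }
+- }
+- $hashlist{$hash} = $fprint;
++ link_hash($_[0], 'cert');
+}
+
+# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
+
+sub link_hash_crl {
+- my $fname = $_[0];
+- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+- "-fingerprint", "-noout",
+- "-in", $fname);
+- chomp $hash;
+- chomp $fprint;
+- return if !$hash;
+- $fprint =~ s/^.*=//;
+- $fprint =~ tr/://d;
+- my $suffix = 0;
+- # Search for an unused hash filename
+- while(exists $hashlist{"$hash.r$suffix"}) {
+- # Hash matches: if fingerprint matches its a duplicate cert
+- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
+- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
+- return;
+- }
+- $suffix++;
+- }
+- $hash .= ".r$suffix";
+- if ($symlink_exists) {
+- print "link $fname -> $hash\n" if $verbose;
+- symlink $fname, $hash || warn "Can't symlink, $!";
+- } else {
+- print "cp $fname -> $hash\n" if $verbose;
+- system ("cp", $fname, $hash);
+- warn "Can't copy, $!" if ($? >> 8) != 0;
+- }
+- $hashlist{$hash} = $fprint;
++ link_hash($_[0], 'crl');
++}
++
++sub link_hash {
++ my ($fname, $type) = @_;
++ my $is_cert = $type eq 'cert';
++
++ my ($hash, $fprint) = compute_hash($openssl,
++ $is_cert ? "x509" : "crl",
++ $is_cert ? $x509hash : $crlhash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
++ chomp $hash;
++ chomp $fprint;
++ return if !$hash;
++ $fprint =~ s/^.*=//;
++ $fprint =~ tr/://d;
++ my $suffix = 0;
++ # Search for an unused hash filename
++ my $crlmark = $is_cert ? "" : "r";
++ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
++ # Hash matches: if fingerprint matches its a duplicate cert
++ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
++ my $what = $is_cert ? 'certificate' : 'CRL';
++ print STDERR "WARNING: Skipping duplicate $what $fname\n";
++ return;
++ }
++ $suffix++;
++ }
++ $hash .= ".$crlmark$suffix";
++ if ($symlink_exists) {
++ print "link $fname -> $hash\n" if $verbose;
++ symlink $fname, $hash || warn "Can't symlink, $!";
++ } else {
++ print "copy $fname -> $hash\n" if $verbose;
++ copy_file($fname, $hash);
++ }
++ $hashlist{$hash} = $fprint;
+}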
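Review bot: In the new `link_hash`, `symlink $fname, $hash || warn "Can't symlink, $!";` binds `||` to `$hash`, so the warning can never fire and a failed link is still recorded in `%hashlist` as if it had been created; `unlink $_ || warn ...` in `hash_dir` has the same precedence problem. Writing them as `symlink($fname, $hash) or warn "Can't symlink, $!";` and `unlink($_) or warn "Can't unlink $_, $!\n";` makes the failure visible. In `check_file`, `open(my $in, "<", $fname);` is unchecked, so an unreadable file is reported as not containing a certificate or CRL rather than as an open failure. `hash_dir` also goes on to `readdir(DIR)` after a failed `opendir`; returning after the warning, as the `chdir` check just above it does, would be consistent.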
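--- a/SOURCES/openssl-1.1.1-cve-2022-2097.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-2097.patch
@@ -0,0 +1,152 @@
+From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:00:22 +1000
+Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
+that performs operations on 6 16-byte blocks concurrently (the
+"grandloop") and then proceeds to handle the "short" tail (which can
+be anywhere from 0 to 5 blocks) that remain.
+
+As part of initialization, the assembly initializes $len to the true
+length, less 96 bytes and converts it to a pointer so that the $inp
+can be compared to it. Each iteration of "grandloop" checks to see if
+there's a full 96-byte chunk to process, and if so, continues. Once
+this has been exhausted, it falls through to "short", which handles
+the remaining zero to five blocks.
+
+Unfortunately, the jump at the end of "grandloop" had a fencepost
+error, doing a `jb` ("jump below") rather than `jbe` (jump below or
+equal). This should be `jbe`, as $inp is pointing to the *end* of the
+chunk currently being handled. If $inp == $len, that means that
+there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
+then there's 5 or fewer 16-byte blocks left to be handled, and the
+fall-through is intended.
+
+The net effect of `jb` instead of `jbe` is that the last 16-byte block
+of the last 96-byte chunk was completely omitted. The contents of
+`out` in this position were never written to. Additionally, since
+those bytes were never processed, the authentication tag generated is
+also incorrect.
+
+The same fencepost error, and identical logic, exists in both
+aesni_ocb_encrypt and aesni_ocb_decrypt.
+
+This addresses CVE-2022-2097.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
+---
+crypto/aes/asm/aesni-x86.pl | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
+index fe2b26542ab6..812758e02e04 100644
+--- a/crypto/aes/asm/aesni-x86.pl
++++ b/crypto/aes/asm/aesni-x86.pl
+@@ -2027,7 +2027,7 @@ sub aesni_generate6
+&movdqu (&QWP(-16*2,$out,$inp),$inout4);
+&movdqu (&QWP(-16*1,$out,$inp),$inout5);
+&cmp ($inp,$len); # done yet?
+- &jb (&label("grandloop"));
++ &jbe (&label("grandloop"));
+
+&set_label("short");
+&add ($len,16*6);
+@@ -2453,7 +2453,7 @@ sub aesni_generate6
+&pxor ($rndkey1,$inout5);
+&movdqu (&QWP(-16*1,$out,$inp),$inout5);
+&cmp ($inp,$len); # done yet?
+- &jb (&label("grandloop"));
++ &jbe (&label("grandloop"));
+
+&set_label("short");
+&add ($len,16*6);
+From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:02:37 +1000
+Subject: [PATCH] AES OCB test vectors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
+---
+test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
+1 file changed, 50 insertions(+)
+
+diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
+index 1c02ea1e9c2d..e12670d9a4b4 100644
+--- a/test/recipes/30-test_evp_data/evpciph.txt
++++ b/test/recipes/30-test_evp_data/evpciph.txt
+@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
+Operation = DECRYPT
+Result = CIPHERFINAL_ERROR
+
++#Test vectors generated to validate aesni_ocb_encrypt on x86
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = C14DFF7D62A13C4A3422456207453190
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 41970D13737B7BD1B5FBF49ED4412CA5
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = BE0228651ED4E48A11BDED68D953F3A0
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 17BC6E10B16E5FDC52836E7D589518C7
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = E84AAC18666116990A3A37B3A5FC55BD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 3E5EA7EE064FE83B313E28D411E91EAD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
++
+Title = AES XTS test vectors from IEEE Std 1619-2007
+
+# Using the same key twice for encryption is always banned.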
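Review bot: The trailing comment on `&cmp ($inp,$len); # done yet?` does not say why equality must loop again, which is the boundary the old `jb` got wrong in both the encrypt and the decrypt copy of the grandloop. A comment such as `# $inp is the end of the current chunk; $inp == $len means one more full 96-byte chunk` would keep the reasoning from the commit message next to the code. The vectors added to evpciph.txt presumably reach this path only on a build that uses the x86 AES-NI assembly, so a passing run on other targets says nothing about this fix. Both hunks show only the tail of each loop; the loop heads are outside the patch context.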
1176
SOURCES/openssl-1.1.1-replace-expired-certs.patch
Normal file
1176
SOURCES/openssl-1.1.1-replace-expired-certs.patch
Normal file
File diff suppressed because it is too large
@ -22,7 +22,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.1.1k
|
Version: 1.1.1k
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -83,6 +83,10 @@ Patch74: openssl-1.1.1-addrconfig.patch
|
|||||||
Patch75: openssl-1.1.1-tls13-curves.patch
|
Patch75: openssl-1.1.1-tls13-curves.patch
|
||||||
Patch81: openssl-1.1.1-read-buff.patch
|
Patch81: openssl-1.1.1-read-buff.patch
|
||||||
Patch82: openssl-1.1.1-cve-2022-0778.patch
|
Patch82: openssl-1.1.1-cve-2022-0778.patch
|
||||||
|
Patch83: openssl-1.1.1-replace-expired-certs.patch
|
||||||
|
Patch84: openssl-1.1.1-cve-2022-1292.patch
|
||||||
|
Patch85: openssl-1.1.1-cve-2022-2068.patch
|
||||||
|
Patch86: openssl-1.1.1-cve-2022-2097.patch
|
||||||
|
|
||||||
License: OpenSSL and ASL 2.0
|
License: OpenSSL and ASL 2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
@ -204,7 +208,10 @@ cp %{SOURCE13} test/
|
|||||||
%patch80 -p1 -b .s390x-test-aes
|
%patch80 -p1 -b .s390x-test-aes
|
||||||
%patch81 -p1 -b .read-buff
|
%patch81 -p1 -b .read-buff
|
||||||
%patch82 -p1 -b .cve-2022-0778
|
%patch82 -p1 -b .cve-2022-0778
|
||||||
|
%patch83 -p1 -b .replace-expired-certs
|
||||||
|
%patch84 -p1 -b .cve-2022-1292
|
||||||
|
%patch85 -p1 -b .cve-2022-2068
|
||||||
|
%patch86 -p1 -b .cve-2022-2097
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Figure out which flags we want to use.
|
# Figure out which flags we want to use.
|
||||||
@ -488,13 +495,23 @@ export LD_LIBRARY_PATH
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
|
||||||
|
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
|
||||||
|
Resolves: CVE-2022-2097
|
||||||
|
- Update expired certificates used in the testsuite
|
||||||
|
Resolves: rhbz#2100554
|
||||||
|
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
|
||||||
|
Resolves: rhbz#2090371
|
||||||
|
- Fix CVE-2022-2068: the c_rehash script allows command injection
|
||||||
|
Resolves: rhbz#2098278
|
||||||
|
|
||||||
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
||||||
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
||||||
- Resolves: rhbz#2067144
|
- Resolves: rhbz#2067145
|
||||||
|
|
||||||
* Fri Nov 12 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
||||||
- CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
||||||
- Resolves: rhbz#2005400
|
- Resolves: rhbz#2005402
|
||||||
|
|
||||||
* Fri Jul 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-4
|
* Fri Jul 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-4
|
||||||
- Fixes bugs in s390x AES code.
|
- Fixes bugs in s390x AES code.
|
||||||
|