From c2e3151786ff607299496e6bae712e9001f8e276 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 13 Jul 2012 14:23:34 +0200 Subject: [PATCH] do not move libcrypto to /lib - do not use environment variables if __libc_enable_secure is on - fix strict aliasing problems in modes --- openssl-1.0.1c-aliasing.patch | 12 ++ openssl-1.0.1c-secure-getenv.patch | 206 +++++++++++++++++++++++++++++ openssl.spec | 25 ++-- 3 files changed, 232 insertions(+), 11 deletions(-) create mode 100644 openssl-1.0.1c-aliasing.patch create mode 100644 openssl-1.0.1c-secure-getenv.patch diff --git a/openssl-1.0.1c-aliasing.patch b/openssl-1.0.1c-aliasing.patch new file mode 100644 index 0000000..582418c --- /dev/null +++ b/openssl-1.0.1c-aliasing.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.1c/crypto/modes/Makefile.aliasing openssl-1.0.1c/crypto/modes/Makefile +--- openssl-1.0.1c/crypto/modes/Makefile.aliasing 2011-08-12 00:36:17.000000000 +0200 ++++ openssl-1.0.1c/crypto/modes/Makefile 2012-07-13 11:32:10.767829077 +0200 +@@ -12,7 +12,7 @@ AR= ar r + + MODES_ASM_OBJ= + +-CFLAGS= $(INCLUDES) $(CFLAG) ++CFLAGS= $(INCLUDES) $(CFLAG) -fno-strict-aliasing + ASFLAGS= $(INCLUDES) $(ASFLAG) + AFLAGS= $(ASFLAGS) + diff --git a/openssl-1.0.1c-secure-getenv.patch b/openssl-1.0.1c-secure-getenv.patch new file mode 100644 index 0000000..2a0e5eb --- /dev/null +++ b/openssl-1.0.1c-secure-getenv.patch @@ -0,0 +1,206 @@ +diff -up openssl-1.0.1c/Configure.secure-getenv openssl-1.0.1c/Configure +--- openssl-1.0.1c/Configure.secure-getenv 2012-07-13 13:34:37.309433776 +0200 ++++ openssl-1.0.1c/Configure 2012-07-13 13:34:37.309433776 +0200 +@@ -1437,6 +1437,10 @@ if ($target =~ /^BSD\-/) + $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|); + } + ++if ($target =~ /^linux/i) { ++ $cflags .= " -DLIBC_ENABLE_SECURE"; ++} ++ + if ($sys_id ne "") + { + #$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags"; +diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c +--- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv 2011-09-02 13:20:32.000000000 +0200 ++++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-07-13 13:34:37.277433033 +0200 +@@ -140,7 +140,7 @@ char *_CONF_get_string(const CONF *conf, + vv.section=(char *)section; + v=lh_CONF_VALUE_retrieve(conf->data,&vv); + if (v != NULL) return(v->value); +- if (strcmp(section,"ENV") == 0) ++ if (!OPENSSL_issetugid() && (strcmp(section,"ENV") == 0)) + { + p=getenv(name); + if (p != NULL) return(p); +@@ -155,7 +155,7 @@ char *_CONF_get_string(const CONF *conf, + return(NULL); + } + else +- return(getenv(name)); ++ return (OPENSSL_issetugid() ? NULL : getenv(name)); + } + + #if 0 /* There's no way to provide error checking with this function, so +diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c +--- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv 2008-11-05 19:38:55.000000000 +0100 ++++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-07-13 13:34:37.277433033 +0200 +@@ -548,8 +548,8 @@ char *CONF_get1_default_config_file(void + char *file; + int len; + +- file = getenv("OPENSSL_CONF"); +- if (file) ++ if (!OPENSSL_issetugid() && ++ (file = getenv("OPENSSL_CONF")) != NULL); + return BUF_strdup(file); + + len = strlen(X509_get_default_cert_area()); +diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c +--- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv 2010-03-27 19:28:13.000000000 +0100 ++++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-07-13 13:34:37.278433056 +0200 +@@ -399,9 +399,9 @@ ENGINE *ENGINE_by_id(const char *id) + if (strcmp(id, "dynamic")) + { + #ifdef OPENSSL_SYS_VMS +- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]"; ++ if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]"; + #else +- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; ++ if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR; + #endif + iterator = ENGINE_by_id("dynamic"); + if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || +diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c +--- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-07-13 13:34:37.000000000 +0200 ++++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-07-13 13:37:27.709392052 +0200 +@@ -74,7 +74,7 @@ const char MD5_version[]="MD5" OPENSSL_V + int MD5_Init(MD5_CTX *c) + #ifdef OPENSSL_FIPS + { +- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL) ++ if (FIPS_mode() && (OPENSSL_issetugid() || getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)) + OpenSSLDie(__FILE__, __LINE__, \ + "Digest MD5 forbidden in FIPS mode!"); + return private_MD5_Init(c); +diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c +--- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-07-13 13:34:37.237432103 +0200 ++++ openssl-1.0.1c/crypto/o_init.c 2012-07-13 13:34:37.278433056 +0200 +@@ -71,7 +71,7 @@ static void init_fips_mode(void) + char buf[2] = "0"; + int fd; + +- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) ++ if (!OPENSSL_issetugid() && getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) + { + buf[0] = '1'; + } +diff -up openssl-1.0.1c/crypto/uid.c.secure-getenv openssl-1.0.1c/crypto/uid.c +--- openssl-1.0.1c/crypto/uid.c.secure-getenv 2003-11-28 14:10:55.000000000 +0100 ++++ openssl-1.0.1c/crypto/uid.c 2012-07-13 13:34:37.278433056 +0200 +@@ -77,8 +77,26 @@ int OPENSSL_issetugid(void) + #include OPENSSL_UNISTD + #include + ++#ifdef LIBC_ENABLE_SECURE ++extern int __libc_enable_secure; ++#endif ++#ifdef PRCTL_DUMPABLE ++#include ++#endif ++ + int OPENSSL_issetugid(void) + { ++#ifdef LIBC_ENABLE_SECURE ++ if (__libc_enable_secure) return 1; ++#endif ++#ifdef PRCTL_DUMPABLE ++ /* 0 -> not dumpable, 2 -> dumpable by root only from ++ * Linux kernel 2.6.13 - 2.6.17, so we require dumpable ++ * flag to be == 1 to accept non-secure mode. ++ */ ++ if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 1) ++ return 1; ++#endif + if (getuid() != geteuid()) return 1; + if (getgid() != getegid()) return 1; + return 0; +diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c +--- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv 2010-02-19 19:26:23.000000000 +0100 ++++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-07-13 13:34:37.279433079 +0200 +@@ -135,7 +135,8 @@ static int dir_ctrl(X509_LOOKUP *ctx, in + case X509_L_ADD_DIR: + if (argl == X509_FILETYPE_DEFAULT) + { +- dir=(char *)getenv(X509_get_default_cert_dir_env()); ++ if (!OPENSSL_issetugid()) ++ dir=(char *)getenv(X509_get_default_cert_dir_env()); + if (dir) + ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); + else +diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c +--- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-07-13 13:34:37.187430942 +0200 ++++ openssl-1.0.1c/crypto/x509/by_file.c 2012-07-13 13:34:37.279433079 +0200 +@@ -93,14 +93,15 @@ static int by_file_ctrl(X509_LOOKUP *ctx + char **ret) + { + int ok=0; +- char *file; ++ char *file = NULL; + + switch (cmd) + { + case X509_L_FILE_LOAD: + if (argl == X509_FILETYPE_DEFAULT) + { +- file = (char *)getenv(X509_get_default_cert_file_env()); ++ if (!OPENSSL_issetugid()) ++ file = (char *)getenv(X509_get_default_cert_file_env()); + if (file) + ok = (X509_load_cert_crl_file(ctx,file, + X509_FILETYPE_PEM) != 0); +diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c +--- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv 2011-09-23 15:39:35.000000000 +0200 ++++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-07-13 13:34:37.280433102 +0200 +@@ -456,7 +456,7 @@ static int check_chain_extensions(X509_S + int (*cb)(int xok,X509_STORE_CTX *xctx); + int proxy_path_length = 0; + int purpose; +- int allow_proxy_certs; ++ int allow_proxy_certs = 0; + cb=ctx->verify_cb; + + /* must_be_ca can have 1 of 3 values: +@@ -481,7 +481,7 @@ static int check_chain_extensions(X509_S + !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); + /* A hack to keep people who don't want to modify their + software happy */ +- if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) ++ if (!OPENSSL_issetugid() && getenv("OPENSSL_ALLOW_PROXY_CERTS")) + allow_proxy_certs = 1; + purpose = ctx->param->purpose; + } +diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c +--- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv 2008-03-16 22:05:44.000000000 +0100 ++++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-07-13 13:34:37.280433102 +0200 +@@ -59,13 +59,14 @@ int gost_control_func(ENGINE *e,int cmd, + + const char *get_gost_engine_param(int param) + { +- char *tmp; ++ char *tmp = NULL; + if (param <0 || param >GOST_PARAM_MAX) return NULL; + if (gost_params[param]!=NULL) + { + return gost_params[param]; + } +- tmp = getenv(gost_envnames[param]); ++ if (!OPENSSL_issetugid()) ++ tmp = getenv(gost_envnames[param]); + if (tmp) + { + if (gost_params[param]) OPENSSL_free(gost_params[param]); +@@ -77,9 +78,10 @@ const char *get_gost_engine_param(int pa + + int gost_set_default_param(int param, const char *value) + { +- const char *tmp; ++ const char *tmp = NULL; + if (param <0 || param >GOST_PARAM_MAX) return 0; +- tmp = getenv(gost_envnames[param]); ++ if (!OPENSSL_issetugid()) ++ tmp = getenv(gost_envnames[param]); + /* if there is value in the environment, use it, else -passed string * */ + if (!tmp) tmp=value; + if (gost_params[param]) OPENSSL_free(gost_params[param]); diff --git a/openssl.spec b/openssl.spec index ea4c8d0..1b4a5dd 100644 --- a/openssl.spec +++ b/openssl.spec @@ -43,6 +43,7 @@ Patch5: openssl-0.9.8a-no-rpath.patch Patch6: openssl-0.9.8b-test-use-localhost.patch Patch7: openssl-1.0.0-timezone.patch Patch8: openssl-1.0.1c-perlfind.patch +Patch9: openssl-1.0.1c-aliasing.patch # Bug fixes Patch23: openssl-1.0.0-beta4-default-paths.patch # Functionality changes @@ -65,6 +66,7 @@ Patch63: openssl-1.0.0d-xmpp-starttls.patch Patch65: openssl-1.0.0e-chil-fixes.patch Patch66: openssl-1.0.1-pkgconfig-krb5.patch Patch67: openssl-1.0.0-fips-pkcs8.patch +Patch68: openssl-1.0.1c-secure-getenv.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch Patch82: openssl-1.0.1c-backports.patch @@ -143,6 +145,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch6 -p1 -b .use-localhost %patch7 -p1 -b .timezone %patch8 -p1 -b .perlfind +%patch9 -p1 -b .aliasing %patch23 -p1 -b .default-paths @@ -165,6 +168,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch65 -p1 -b .chil %patch66 -p1 -b .krb5 %patch67 -p1 -b .pkcs8 +%patch68 -p1 -b .secure-getenv %patch81 -p1 -b .padlock64 %patch82 -p1 -b .backports @@ -260,8 +264,8 @@ make -C test apps tests %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \ - ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \ + crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \ + ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \ crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \ ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \ %{nil} @@ -279,17 +283,11 @@ mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/ rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion} mkdir $RPM_BUILD_ROOT/%{_lib} -mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} $RPM_BUILD_ROOT/%{_lib} for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do chmod 755 ${lib} ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}` ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion} done -for lib in $RPM_BUILD_ROOT/%{_lib}/*.so.%{version} ; do - chmod 755 ${lib} - ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}` - ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion} -done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. @@ -396,11 +394,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf -%attr(0755,root,root) /%{_lib}/libcrypto.so.%{version} -%attr(0755,root,root) /%{_lib}/libcrypto.so.%{soversion} +%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} +%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion} %attr(0755,root,root) %{_libdir}/libssl.so.%{version} %attr(0755,root,root) %{_libdir}/libssl.so.%{soversion} -%attr(0644,root,root) /%{_lib}/.libcrypto.so.*.hmac +%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac %attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac %attr(0755,root,root) %{_libdir}/openssl @@ -427,6 +425,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Fri Jul 13 2012 Tomas Mraz 1.0.1c-4 +- do not move libcrypto to /lib +- do not use environment variables if __libc_enable_secure is on +- fix strict aliasing problems in modes + * Thu Jul 12 2012 Tomas Mraz 1.0.1c-3 - fix DSA key generation in FIPS mode (#833866) - allow duplicate FIPS_mode_set(1)