Compare commits

..

No commits in common. "c8" and "c8s" have entirely different histories.
c8 ... c8s

75 changed files with 264 additions and 19 deletions

48
.gitignore vendored
View File

@ -1 +1,47 @@
SOURCES/openssl-1.1.1k-hobbled.tar.xz .build*.log
clog
000*.patch
*.src.rpm
openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.0b-usa.tar.bz2
/openssl-1.0.0c-usa.tar.bz2
/openssl-1.0.0d-usa.tar.bz2
/openssl-1.0.0e-usa.tar.bz2
/openssl-1.0.0f-usa.tar.bz2
/openssl-1.0.0g-usa.tar.xz
/openssl-1.0.1-beta2-usa.tar.xz
/openssl-1.0.1-beta3-usa.tar.xz
/openssl-1.0.1-usa.tar.xz
/openssl-1.0.1a-usa.tar.xz
/openssl-1.0.1b-usa.tar.xz
/openssl-1.0.1c-usa.tar.xz
/openssl-1.0.1e-usa.tar.xz
/openssl-1.0.1e-hobbled.tar.xz
/openssl-1.0.1g-hobbled.tar.xz
/openssl-1.0.1h-hobbled.tar.xz
/openssl-1.0.1i-hobbled.tar.xz
/openssl-1.0.1j-hobbled.tar.xz
/openssl-1.0.1k-hobbled.tar.xz
/openssl-1.0.2a-hobbled.tar.xz
/openssl-1.0.2c-hobbled.tar.xz
/openssl-1.0.2d-hobbled.tar.xz
/openssl-1.0.2e-hobbled.tar.xz
/openssl-1.0.2f-hobbled.tar.xz
/openssl-1.0.2g-hobbled.tar.xz
/openssl-1.0.2h-hobbled.tar.xz
/openssl-1.0.2i-hobbled.tar.xz
/openssl-1.0.2j-hobbled.tar.xz
/openssl-1.1.0b-hobbled.tar.xz
/openssl-1.1.0c-hobbled.tar.xz
/openssl-1.1.0d-hobbled.tar.xz
/openssl-1.1.0e-hobbled.tar.xz
/openssl-1.1.0f-hobbled.tar.xz
/openssl-1.1.0g-hobbled.tar.xz
/openssl-1.1.0h-hobbled.tar.xz
/openssl-1.1.1-pre8-hobbled.tar.xz
/openssl-1.1.1-pre9-hobbled.tar.xz
/openssl-1.1.1-hobbled.tar.xz
/openssl-1.1.1b-hobbled.tar.xz
/openssl-1.1.1c-hobbled.tar.xz
/openssl-1.1.1g-hobbled.tar.xz
/openssl-1.1.1k-hobbled.tar.xz

View File

@ -1 +0,0 @@
6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz

15
fixpatch Executable file
View File

@ -0,0 +1,15 @@
#!/bin/sh
# Fixes patch from upstream tracker view
gawk '
BEGIN {
dir=""
}
/^Index: openssl\// {
dir = $2
}
/^(---|\+\+\+)/ {
$2 = dir
}
{
print
}'

9
gating.yaml Normal file
View File

@ -0,0 +1,9 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.userspace-fips-mode.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}

View File

@ -1,11 +1,13 @@
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100 --- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200 +++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori @@ -42,6 +42,9 @@ static int tls_parse_certificate_authori
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
static int init_srp(SSL *s, unsigned int context); static int init_srp(SSL *s, unsigned int context);
#endif #endif
+#ifndef OPENSSL_NO_EC
+static int init_ec_point_formats(SSL *s, unsigned int context); +static int init_ec_point_formats(SSL *s, unsigned int context);
+#endif
static int init_etm(SSL *s, unsigned int context); static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context); static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent); static int final_ems(SSL *s, unsigned int context, int sent);
@ -18,10 +20,11 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
final_ec_pt_formats final_ec_pt_formats
}, },
@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int @@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int
} }
#endif #endif
+#ifndef OPENSSL_NO_EC
+static int init_ec_point_formats(SSL *s, unsigned int context) +static int init_ec_point_formats(SSL *s, unsigned int context)
+{ +{
+ OPENSSL_free(s->ext.peer_ecpointformats); + OPENSSL_free(s->ext.peer_ecpointformats);
@ -30,6 +33,7 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
+ +
+ return 1; + return 1;
+} +}
+#endif
+ +
static int init_etm(SSL *s, unsigned int context) static int init_etm(SSL *s, unsigned int context)
{ {

View File

@ -0,0 +1,14 @@
Do not return failure when setting version bound on fixed protocol
version method.
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
* methods are not subject to controls that disable individual protocol
* versions.
*/
- return 0;
+ return 1;
case TLS_ANY_VERSION:
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)

View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1k Version: 1.1.1k
Release: 14%{?dist} Release: 13%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -99,7 +99,7 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch
# Backport from OpenSSL 3.2/RHEL 9 # Backport from OpenSSL 3.2/RHEL 9
# Proper fix for CVE-2020-25659 # Proper fix for CVE-2020-25659
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
# Backport from OpenSSL 3.2 # Backport from OpenSSL 3.0
# Fix for CVE-2024-5535 # Fix for CVE-2024-5535
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
@ -519,52 +519,54 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Tue Sep 17 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-14 * Mon Sep 16 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-13
- Backport fix SSL_select_next proto from OpenSSL 3.2 - Backport fix SSL_select_next proto from OpenSSL 3.2
Fix CVE-2024-5535 Fix CVE-2024-5535
Resolves: RHEL-45654 Resolves: RHEL-45654
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12 * Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series - Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
(a proper fix for CVE-2020-25659) (a proper fix for CVE-2020-25659)
Resolves: RHEL-17694 Resolves: RHEL-17696
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11 * Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking - Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow excessively long X9.42 DH keys or parameters may be very slow
Resolves: RHEL-16536 Resolves: RHEL-16538
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10 * Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters - Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
Resolves: RHEL-14243 Resolves: RHEL-14245
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value - Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
Resolves: RHEL-14237 Resolves: RHEL-14239
* Thu May 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9 * Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
- Fixed Timing Oracle in RSA Decryption - Fixed Timing Oracle in RSA Decryption
Resolves: CVE-2022-4304 Resolves: CVE-2022-4304
- Fixed Double free after calling PEM_read_bio_ex - Fixed Double free after calling PEM_read_bio_ex
Resolves: CVE-2022-4450 Resolves: CVE-2022-4450
- Fixed Use-after-free following BIO_new_NDEF - Fixed Use-after-free following BIO_new_NDEF
Resolves: CVE-2023-0215 Resolves: CVE-2023-0215
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
- Fixed X.400 address type confusion in X.509 GeneralName - Fixed X.400 address type confusion in X.509 GeneralName
Resolves: CVE-2023-0286 Resolves: CVE-2023-0286
* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
- Fix no-ec build
Resolves: rhbz#2071020
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7 * Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 - Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
Resolves: CVE-2022-2097 Resolves: CVE-2022-2097
- Update expired certificates used in the testsuite - Update expired certificates used in the testsuite
Resolves: rhbz#2100554 Resolves: rhbz#2092462
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection - Fix CVE-2022-1292: openssl: c_rehash script allows command injection
Resolves: rhbz#2090371 Resolves: rhbz#2090372
- Fix CVE-2022-2068: the c_rehash script allows command injection - Fix CVE-2022-2068: the c_rehash script allows command injection
Resolves: rhbz#2098278 Resolves: rhbz#2098279
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6 * Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates - Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
- Resolves: rhbz#2067145 - Resolves: rhbz#2067146
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5 * Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings - Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (openssl-1.1.1k-hobbled.tar.xz) = dd48b6200bcda1938c362888789bf0dbac7dbcc80b15a32794e25f6cbe8f727b6f8d1302a2bc43708da79124db9e5a5d27446ec1c91cf1e270aba1d8664d65d8

View File

@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/openssl/Sanity/simple-rsapss-test
# Description: Test if RSA-PSS signature scheme is supported
# Author: Hubert Kario <hkario@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/openssl/Sanity/simple-rsapss-test
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
-include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test if RSA-PSS signature scheme is supported" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 1m" >> $(METADATA)
@echo "RunFor: openssl" >> $(METADATA)
@echo "Requires: openssl man man-db" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)

View File

@ -0,0 +1,3 @@
PURPOSE of /CoreOS/openssl/Sanity/simple-rsapss-test
Description: Test if RSA-PSS signature scheme is supported
Author: Hubert Kario <hkario@redhat.com>

View File

@ -0,0 +1,74 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/openssl/Sanity/simple-rsapss-test
# Description: Test if RSA-PSS signature scheme is supported
# Author: Hubert Kario <hkario@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="openssl"
PUB_KEY="rsa_pubkey.pem"
PRIV_KEY="rsa_key.pem"
FILE="text.txt"
SIG="text.sig"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "openssl genrsa -out $PRIV_KEY 2048" 0 "Generate RSA key"
rlRun "openssl rsa -in $PRIV_KEY -out $PUB_KEY -pubout" 0 "Split the public key from private key"
rlRun "echo 'sign me!' > $FILE" 0 "Create file for signing"
rlAssertExists $FILE
rlAssertExists $PRIV_KEY
rlAssertExists $PUB_KEY
rlPhaseEnd
rlPhaseStartTest "Test RSA-PSS padding mode"
set -o pipefail
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -out $SIG -sign $PRIV_KEY $FILE" 0 "Sign the file"
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file"
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file"
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file without specifying salt length"
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file without specifying salt length"
set +o pipefail
rlRun "sed -i 's/sign/Sign/' $FILE" 0 "Modify signed file"
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verification Failure'" 0 "Verify that the signature is no longer valid"
rlPhaseEnd
rlPhaseStartTest "Documentation check"
[ -e "$(rpm -ql openssl | grep dgst)"] && rlRun "man dgst | col -b | grep -- -sigopt" 0 "Check if -sigopt option is described in man page"
rlRun "openssl dgst -help 2>&1 | grep -- -sigopt" 0 "Check if -sigopt option is present in help message"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

15
tests/tests.yml Normal file
View File

@ -0,0 +1,15 @@
---
# This first play always runs on the local staging system
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
- container
tests:
- simple-rsapss-test
required_packages:
- findutils # beakerlib needs find command
- man # needed by simple-rsapss-test
- man-db # needed by simple-rsapss-test
- openssl # needed by simple-rsapss-test