From: Michael Tremer Date: Tue, 27 Mar 2018 14:59:04 +0000 (+0100) Subject: openssl: Update to 1.1.0h X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=166ceacd6b375bc97eed722012a0f1fffd5a15e1;p=people%2Fmfischer%2Fipfire-2.x.git openssl: Update to 1.1.0h CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Reported by OSS-fuzz. This patch also entirely removes support for SSLv3. The patch to disable it didn't apply and since nobody has been using this before, we will not compile it into OpenSSL any more. Signed-off-by: Michael Tremer --- diff --git a/lfs/openssl b/lfs/openssl index 7a39f14de6..71f2bc826b 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 1.1.0g +VER = 1.1.0h THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -51,8 +51,6 @@ CONFIGURE_OPTIONS = \ enable-md2 \ enable-seed \ enable-rfc3779 \ - enable-ssl3 \ - enable-ssl3-method \ no-idea \ no-mdc2 \ no-rc5 \ @@ -89,7 +87,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = ba5f1b8b835b88cadbce9b35ed9531a6 +$(DL_FILE)_MD5 = 5271477e4d93f4ea032b665ef095ff24 install : $(TARGET) @@ -119,7 +117,6 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0-disable-ssl3.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0g-weak-ciphers.patch # Apply our CFLAGS diff --git a/src/patches/openssl-1.1.0-disable-ssl3.patch b/src/patches/openssl-1.1.0-disable-ssl3.patch deleted file mode 100644 index 267c02c620..0000000000 --- a/src/patches/openssl-1.1.0-disable-ssl3.patch +++ /dev/null @@ -1,86 +0,0 @@ -diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c ---- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200 -+++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200 -@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv) - if (sdebug) - ssl_ctx_security_debug(ctx, sdebug); - -+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) -+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); -+ - if (ssl_config) { - if (SSL_CTX_config(ctx, ssl_config) == 0) { - BIO_printf(bio_err, "Error using configuration \"%s\"\n", -diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c ---- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200 -+++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200 -@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[] - } - if (sdebug) - ssl_ctx_security_debug(ctx, sdebug); -+ -+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) -+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); -+ - if (ssl_config) { - if (SSL_CTX_config(ctx, ssl_config) == 0) { - BIO_printf(bio_err, "Error using configuration \"%s\"\n", -diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c ---- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200 -+++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200 -@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - * or by using the SSL_CONF library. - */ - ret->options |= SSL_OP_NO_COMPRESSION; -+ /* -+ * Disable SSLv3 by default. Applications can -+ * re-enable it by configuring -+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); -+ * or by using the SSL_CONF library. -+ */ -+ ret->options |= SSL_OP_NO_SSLv3; - - ret->tlsext_status_type = -1; - -diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c ---- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200 -+++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200 -@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE - SSL_TEST_SERVERNAME_CB_NONE) { - server2_ctx = SSL_CTX_new(TLS_server_method()); - TEST_check(server2_ctx != NULL); -+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3); - } - client_ctx = SSL_CTX_new(TLS_client_method()); - -@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE - resume_client_ctx = SSL_CTX_new(TLS_client_method()); - TEST_check(resume_server_ctx != NULL); - TEST_check(resume_client_ctx != NULL); -+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3); - } - } - - TEST_check(server_ctx != NULL); - TEST_check(client_ctx != NULL); -+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3); - - TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0); - -diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c ---- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200 -+++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200 -@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[]) - ERR_print_errors(bio_err); - goto end; - } -+ -+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3); -+ - /* - * Since we will use low security ciphersuites and keys for testing set - * security level to zero by default. Tests can override this by adding