From 54387ef1436386ad2a116f2a5eeb956d0574f756 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 30 Jan 2024 15:09:54 +0000 Subject: [PATCH] openssl: Update to 3.2.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit * A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix. OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. ([CVE-2024-0727]) *Matt Caswell* * When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the "-pubin" and "-check" options on untrusted data. To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason. ([CVE-2023-6237]) *Tomáš Mráz* * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey rather than SM2. *Richard Levitte* * The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs saves the contents of vector registers in different order than they are restored. Thus the contents of some of these vector registers is corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. ([CVE-2023-6129]) *Rohan McLure* * Fix excessive time spent in DH check / generation with large Q parameter value. Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. ([CVE-2023-5678]) *Richard Levitte* * Disable building QUIC server utility when OpenSSL is configured with `no-apps`. *Vitalii Koshura* Signed-off-by: Michael Tremer --- config/rootfiles/common/openssl | 69 +++++++++++++++++++++++++++++++++ lfs/openssl | 4 +- 2 files changed, 71 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index 118b15e85d..a3664a5219 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -329,6 +329,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/CMS_get1_ReceiptRequest.html #usr/share/doc/openssl/html/man3/CMS_sign.html #usr/share/doc/openssl/html/man3/CMS_sign_receipt.html +#usr/share/doc/openssl/html/man3/CMS_signed_get_attr.html #usr/share/doc/openssl/html/man3/CMS_uncompress.html #usr/share/doc/openssl/html/man3/CMS_verify.html #usr/share/doc/openssl/html/man3/CMS_verify_receipt.html @@ -431,6 +432,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/EVP_PKEY_encapsulate.html #usr/share/doc/openssl/html/man3/EVP_PKEY_encrypt.html #usr/share/doc/openssl/html/man3/EVP_PKEY_fromdata.html +#usr/share/doc/openssl/html/man3/EVP_PKEY_get_attr.html #usr/share/doc/openssl/html/man3/EVP_PKEY_get_default_digest_nid.html #usr/share/doc/openssl/html/man3/EVP_PKEY_get_field_type.html #usr/share/doc/openssl/html/man3/EVP_PKEY_get_group_name.html @@ -812,6 +814,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/X509V3_get_d2i.html #usr/share/doc/openssl/html/man3/X509V3_set_ctx.html #usr/share/doc/openssl/html/man3/X509_ALGOR_dup.html +#usr/share/doc/openssl/html/man3/X509_ATTRIBUTE.html #usr/share/doc/openssl/html/man3/X509_CRL_get0_by_serial.html #usr/share/doc/openssl/html/man3/X509_EXTENSION_set_object.html #usr/share/doc/openssl/html/man3/X509_LOOKUP.html @@ -823,6 +826,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/X509_NAME_get_index_by_NID.html #usr/share/doc/openssl/html/man3/X509_NAME_print_ex.html #usr/share/doc/openssl/html/man3/X509_PUBKEY_new.html +#usr/share/doc/openssl/html/man3/X509_REQ_get_attr.html #usr/share/doc/openssl/html/man3/X509_REQ_get_extensions.html #usr/share/doc/openssl/html/man3/X509_SIG_get0.html #usr/share/doc/openssl/html/man3/X509_STORE_CTX_get_by_subject.html @@ -1812,7 +1816,27 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/CMS_sign.3ossl #usr/share/man/man3/CMS_sign_ex.3ossl #usr/share/man/man3/CMS_sign_receipt.3ossl +#usr/share/man/man3/CMS_signed_add1_attr.3ossl +#usr/share/man/man3/CMS_signed_add1_attr_by_NID.3ossl +#usr/share/man/man3/CMS_signed_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_signed_add1_attr_by_txt.3ossl +#usr/share/man/man3/CMS_signed_delete_attr.3ossl +#usr/share/man/man3/CMS_signed_get0_data_by_OBJ.3ossl +#usr/share/man/man3/CMS_signed_get_attr.3ossl +#usr/share/man/man3/CMS_signed_get_attr_by_NID.3ossl +#usr/share/man/man3/CMS_signed_get_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_signed_get_attr_count.3ossl #usr/share/man/man3/CMS_uncompress.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr_by_NID.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_unsigned_add1_attr_by_txt.3ossl +#usr/share/man/man3/CMS_unsigned_delete_attr.3ossl +#usr/share/man/man3/CMS_unsigned_get0_data_by_OBJ.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr_by_NID.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr_by_OBJ.3ossl +#usr/share/man/man3/CMS_unsigned_get_attr_count.3ossl #usr/share/man/man3/CMS_verify.3ossl #usr/share/man/man3/CMS_verify_receipt.3ossl #usr/share/man/man3/COMP_CTX_free.3ossl @@ -2881,6 +2905,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/EVP_PKEY_CTX_settable_params.3ossl #usr/share/man/man3/EVP_PKEY_METHOD.3ossl #usr/share/man/man3/EVP_PKEY_Q_keygen.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr_by_NID.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/EVP_PKEY_add1_attr_by_txt.3ossl #usr/share/man/man3/EVP_PKEY_asn1_add0.3ossl #usr/share/man/man3/EVP_PKEY_asn1_add_alias.3ossl #usr/share/man/man3/EVP_PKEY_asn1_copy.3ossl @@ -2926,6 +2954,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/EVP_PKEY_decrypt.3ossl #usr/share/man/man3/EVP_PKEY_decrypt_init.3ossl #usr/share/man/man3/EVP_PKEY_decrypt_init_ex.3ossl +#usr/share/man/man3/EVP_PKEY_delete_attr.3ossl #usr/share/man/man3/EVP_PKEY_derive.3ossl #usr/share/man/man3/EVP_PKEY_derive_init.3ossl #usr/share/man/man3/EVP_PKEY_derive_init_ex.3ossl @@ -2965,6 +2994,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/EVP_PKEY_get1_RSA.3ossl #usr/share/man/man3/EVP_PKEY_get1_encoded_public_key.3ossl #usr/share/man/man3/EVP_PKEY_get1_tls_encodedpoint.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr_by_NID.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr_by_OBJ.3ossl +#usr/share/man/man3/EVP_PKEY_get_attr_count.3ossl #usr/share/man/man3/EVP_PKEY_get_base_id.3ossl #usr/share/man/man3/EVP_PKEY_get_bits.3ossl #usr/share/man/man3/EVP_PKEY_get_bn_param.3ossl @@ -3558,13 +3591,16 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/OPENSSL_LH_error.3ossl #usr/share/man/man3/OPENSSL_LH_flush.3ossl #usr/share/man/man3/OPENSSL_LH_free.3ossl +#usr/share/man/man3/OPENSSL_LH_get_down_load.3ossl #usr/share/man/man3/OPENSSL_LH_insert.3ossl #usr/share/man/man3/OPENSSL_LH_new.3ossl #usr/share/man/man3/OPENSSL_LH_node_stats.3ossl #usr/share/man/man3/OPENSSL_LH_node_stats_bio.3ossl #usr/share/man/man3/OPENSSL_LH_node_usage_stats.3ossl #usr/share/man/man3/OPENSSL_LH_node_usage_stats_bio.3ossl +#usr/share/man/man3/OPENSSL_LH_num_items.3ossl #usr/share/man/man3/OPENSSL_LH_retrieve.3ossl +#usr/share/man/man3/OPENSSL_LH_set_down_load.3ossl #usr/share/man/man3/OPENSSL_LH_stats.3ossl #usr/share/man/man3/OPENSSL_LH_stats_bio.3ossl #usr/share/man/man3/OPENSSL_LINE.3ossl @@ -5669,9 +5705,20 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_ALGOR_new.3ossl #usr/share/man/man3/X509_ALGOR_set0.3ossl #usr/share/man/man3/X509_ALGOR_set_md.3ossl +#usr/share/man/man3/X509_ATTRIBUTE.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_count.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create_by_NID.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create_by_OBJ.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_create_by_txt.3ossl #usr/share/man/man3/X509_ATTRIBUTE_dup.3ossl #usr/share/man/man3/X509_ATTRIBUTE_free.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_get0_data.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_get0_object.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_get0_type.3ossl #usr/share/man/man3/X509_ATTRIBUTE_new.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_set1_data.3ossl +#usr/share/man/man3/X509_ATTRIBUTE_set1_object.3ossl #usr/share/man/man3/X509_CERT_AUX_free.3ossl #usr/share/man/man3/X509_CERT_AUX_new.3ossl #usr/share/man/man3/X509_CINF_free.3ossl @@ -5826,9 +5873,14 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_PUBKEY_set0_public_key.3ossl #usr/share/man/man3/X509_REQ_INFO_free.3ossl #usr/share/man/man3/X509_REQ_INFO_new.3ossl +#usr/share/man/man3/X509_REQ_add1_attr.3ossl +#usr/share/man/man3/X509_REQ_add1_attr_by_NID.3ossl +#usr/share/man/man3/X509_REQ_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/X509_REQ_add1_attr_by_txt.3ossl #usr/share/man/man3/X509_REQ_add_extensions.3ossl #usr/share/man/man3/X509_REQ_add_extensions_nid.3ossl #usr/share/man/man3/X509_REQ_check_private_key.3ossl +#usr/share/man/man3/X509_REQ_delete_attr.3ossl #usr/share/man/man3/X509_REQ_digest.3ossl #usr/share/man/man3/X509_REQ_dup.3ossl #usr/share/man/man3/X509_REQ_free.3ossl @@ -5836,6 +5888,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_REQ_get0_pubkey.3ossl #usr/share/man/man3/X509_REQ_get0_signature.3ossl #usr/share/man/man3/X509_REQ_get_X509_PUBKEY.3ossl +#usr/share/man/man3/X509_REQ_get_attr.3ossl +#usr/share/man/man3/X509_REQ_get_attr_by_NID.3ossl +#usr/share/man/man3/X509_REQ_get_attr_by_OBJ.3ossl +#usr/share/man/man3/X509_REQ_get_attr_count.3ossl #usr/share/man/man3/X509_REQ_get_extensions.3ossl #usr/share/man/man3/X509_REQ_get_pubkey.3ossl #usr/share/man/man3/X509_REQ_get_signature_nid.3ossl @@ -6126,6 +6182,16 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/X509_verify.3ossl #usr/share/man/man3/X509_verify_cert.3ossl #usr/share/man/man3/X509_verify_cert_error_string.3ossl +#usr/share/man/man3/X509at_add1_attr.3ossl +#usr/share/man/man3/X509at_add1_attr_by_NID.3ossl +#usr/share/man/man3/X509at_add1_attr_by_OBJ.3ossl +#usr/share/man/man3/X509at_add1_attr_by_txt.3ossl +#usr/share/man/man3/X509at_delete_attr.3ossl +#usr/share/man/man3/X509at_get0_data_by_OBJ.3ossl +#usr/share/man/man3/X509at_get_attr.3ossl +#usr/share/man/man3/X509at_get_attr_by_NID.3ossl +#usr/share/man/man3/X509at_get_attr_by_OBJ.3ossl +#usr/share/man/man3/X509at_get_attr_count.3ossl #usr/share/man/man3/X509v3_add_ext.3ossl #usr/share/man/man3/X509v3_delete_ext.3ossl #usr/share/man/man3/X509v3_get_ext.3ossl @@ -6598,9 +6664,12 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/lh_TYPE_error.3ossl #usr/share/man/man3/lh_TYPE_flush.3ossl #usr/share/man/man3/lh_TYPE_free.3ossl +#usr/share/man/man3/lh_TYPE_get_down_load.3ossl #usr/share/man/man3/lh_TYPE_insert.3ossl #usr/share/man/man3/lh_TYPE_new.3ossl +#usr/share/man/man3/lh_TYPE_num_items.3ossl #usr/share/man/man3/lh_TYPE_retrieve.3ossl +#usr/share/man/man3/lh_TYPE_set_down_load.3ossl #usr/share/man/man3/o2i_SCT.3ossl #usr/share/man/man3/o2i_SCT_LIST.3ossl #usr/share/man/man3/pem_password_cb.3ossl diff --git a/lfs/openssl b/lfs/openssl index 2a9de717a5..6950357424 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 3.2.0 +VER = 3.2.1 THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -72,7 +72,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 776123929796d2eb0f3974bf6ee3a55df9187231632837576bf5ded7b5917f052683cdfc756693c1bee6fe1ffc7c3cb1ebcf833018d3caf51886f4f4e7a495f1 +$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347 install : $(TARGET) -- 2.39.2