Accepting request 708112 from home:vitezslav_cizek:branches:factory

- Use upstream patch for the locale crash (bsc#1135550)
- delete openssl-fix_underflow_in_errstr_handling.patch
- add 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch

- Add s390x vectorized support for ChaCha20 and Poly1305
  (jsc#SLE-6126, jsc#SLE-6129)
  * 0001-s390x-assembly-pack-perlasm-support.patch
  * 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
  * 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
  * 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
  * 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
  * 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
- Update to 1.1.1c (bsc#1133925, jsc#SLE-6430)
- drop upstreamed patches:
- update keyring by including Richard Levitte's key

OBS-URL: https://build.opensuse.org/request/show/708112
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=38
Tomáš Chvátal 2019-06-06 11:11:21 +00:00 committed by Git OBS Bridge
parent 0bd53d7b5f
commit 949eaaafb4
10 changed files with 2868 additions and 73 deletions


@ -0,0 +1,79 @@
From fac9200a881a83bef038ebed628ebd409786a1a6 Mon Sep 17 00:00:00 2001
From: Vitezslav Cizek <vcizek@suse.com>
Date: Tue, 4 Jun 2019 13:24:59 +0200
Subject: [PATCH] build_SYS_str_reasons: Fix a crash caused by overlong locales
The 4 kB SPACE_SYS_STR_REASONS in crypto/err/err.c isn't enough for some locales.
The Russian locales consume 6856 bytes, Ukrainian even 7000.
build_SYS_str_reasons() contains an overflow check:
if (cnt > sizeof(strerror_pool))
cnt = sizeof(strerror_pool);
But since commit 9f15e5b911ba6053e09578f190354568e01c07d7 it no longer
works as cnt is incremented once more after the condition.
cnt greater than sizeof(strerror_pool) results in an unbounded
OPENSSL_strlcpy() in openssl_strerror_r(), eventually causing a crash.
When the first received error string was empty or contained only
spaces, cur would move in front of the start of the strerror_pool.
Also don't call openssl_strerror_r when the pool is full.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8966)
---
crypto/err/err.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 57399f82ad..cf3ae4d3b3 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -188,8 +188,8 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
}
#ifndef OPENSSL_NO_ERR
-/* A measurement on Linux 2018-11-21 showed about 3.5kib */
-# define SPACE_SYS_STR_REASONS 4 * 1024
+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
+# define SPACE_SYS_STR_REASONS 8 * 1024
# define NUM_SYS_STR_REASONS 127
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
@@ -223,21 +223,23 @@ static void build_SYS_str_reasons(void)
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
- if (str->string == NULL) {
+ /*
+ * If we have used up all the space in strerror_pool,
+ * there's no point in calling openssl_strerror_r()
+ */
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
size_t l = strlen(cur);
str->string = cur;
cnt += l;
- if (cnt > sizeof(strerror_pool))
- cnt = sizeof(strerror_pool);
cur += l;
/*
* VMS has an unusual quirk of adding spaces at the end of
- * some (most? all?) messages. Lets trim them off.
+ * some (most? all?) messages. Lets trim them off.
*/
- while (ossl_isspace(cur[-1])) {
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
cur--;
cnt--;
}
--
2.21.0
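Review bot: The new `SPACE_SYS_STR_REASONS` value is still a measured constant, and per the patch description the Ukrainian locale already needs about 7000 of the 8192 bytes, so memory safety now depends on the `cnt < sizeof(strerror_pool)` guard and the bounded length passed to `openssl_strerror_r()` rather than on the pool being large enough. I would say so next to the define, e.g. `/* Pool exhaustion is safe: once cnt reaches sizeof(strerror_pool) no further messages are copied */`, so a later resize or refactor does not reintroduce the overflow. A message that only partly fits the remaining space appears to be stored truncated, which may be worth mentioning in the same comment. While touching the line, parenthesising the macro as `# define SPACE_SYS_STR_REASONS (8 * 1024)` avoids precedence surprises. The body of `build_SYS_str_reasons()` continues outside the hunk, so the terminator write and any fallback string are not visible here.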


@ -3085,5 +3085,5 @@ index 0000000000..5f3a49dd0c
+
+1;
--
2.20.1
2.21.0


@ -15,8 +15,8 @@ Reviewed-by: Richard Levitte <levitte@openssl.org>
Index: openssl-1.1.1c/crypto/chacha/asm/chacha-s390x.pl
===================================================================
--- openssl-1.1.1c.orig/crypto/chacha/asm/chacha-s390x.pl 2019-05-30 11:52:55.786294410 +0200
+++ openssl-1.1.1c/crypto/chacha/asm/chacha-s390x.pl 2019-05-30 11:52:58.122308974 +0200
--- openssl-1.1.1c.orig/crypto/chacha/asm/chacha-s390x.pl 2019-06-06 12:15:57.271195550 +0200
+++ openssl-1.1.1c/crypto/chacha/asm/chacha-s390x.pl 2019-06-06 12:16:43.787489780 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.


@ -1002,5 +1002,5 @@ index 21ca86055e..390f9eefe7 100755
+
+PERLASM_END();
--
2.20.1
2.21.0


@ -0,0 +1,31 @@
From b2b580fe445e064da50c13d3e00f71022da16ece Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Fri, 15 Feb 2019 22:59:09 +0100
Subject: [PATCH] s390x assembly pack: fix formal interface bug in chacha
module
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8257)
---
crypto/chacha/asm/chacha-s390x.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/chacha/asm/chacha-s390x.pl b/crypto/chacha/asm/chacha-s390x.pl
index 005c810e20..abf7283dd8 100755
--- a/crypto/chacha/asm/chacha-s390x.pl
+++ b/crypto/chacha/asm/chacha-s390x.pl
@@ -225,7 +225,7 @@ LABEL ("ChaCha20_ctr32");
larl ("%r1","OPENSSL_s390xcap_P");
lghi ("%r0",64);
-&{$z? \&cgr:\&cr} ($len,"%r0");
+&{$z? \&clgr:\&clr} ($len,"%r0");
jle ("_s390x_chacha_novx");
lg ("%r0","S390X_STFLE+16(%r1)");
--
2.21.0
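Review bot: The switch from `cgr`/`cr` to `clgr`/`clr` on the `$len` check against 64 has no comment, and the subject line ("formal interface bug") does not say what was wrong. Presumably the length argument is unsigned, so a signed compare would treat a very large length as negative and take the `_s390x_chacha_novx` branch; a one-line comment such as `# len is unsigned: use a logical compare` above the changed line would keep the next refactor from reverting it. The body of `ChaCha20_ctr32` starts and ends outside the hunk.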



@ -1,15 +1,27 @@
-------------------------------------------------------------------
Thu May 30 12:19:51 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
Thu Jun 6 10:06:45 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Update openssl-fix_underflow_in_errstr_handling.patch to use
upstream approved code
- Use upstream patch for the locale crash (bsc#1135550)
* https://github.com/openssl/openssl/pull/8966
- update openssl.keyring to include Richard Levitte's key
- delete openssl-fix_underflow_in_errstr_handling.patch
- add 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
-------------------------------------------------------------------
Thu Jun 6 10:03:03 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Add s390x vectorized support for ChaCha20 and Poly1305
(jsc#SLE-6126, jsc#SLE-6129)
* 0001-s390x-assembly-pack-perlasm-support.patch
* 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
* 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
* 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
* 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
* 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
-------------------------------------------------------------------
Thu May 30 09:55:01 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Update to 1.1.1c
- Update to 1.1.1c (bsc#1133925, jsc#SLE-6430)
* Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
for every encryption operation. RFC 7539 specifies that the nonce value
@ -35,10 +47,10 @@ Thu May 30 09:55:01 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
* Make OPENSSL_config() error agnostic again.
* Do the error handling in RSA decryption constant time.
* Ensure that SM2 only uses SM3 as digest algorithm
- drop upstream integrated patches
- drop upstreamed patches:
* openssl-fix-handling-of-GNU-strerror_r.patch
* 0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
- refresh 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
- update keyring by including Richard Levitte's key
-------------------------------------------------------------------
Tue May 28 08:21:52 UTC 2019 - Jiri Slaby <jslaby@suse.com>


@ -32,6 +32,7 @@ Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
Source1: %{name}.changes
Source2: baselibs.conf
Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
# https://www.openssl.org/about/
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
Source4: %{_rname}.keyring
Source5: showciphers.c
@ -42,12 +43,15 @@ Patch3: openssl-pkgconfig.patch
Patch4: openssl-DEFAULT_SUSE_cipher.patch
Patch5: openssl-ppc64-config.patch
Patch6: openssl-no-date.patch
# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/6919 fate#326561
Patch7: 0001-s390x-assembly-pack-perlasm-support.patch
Patch8: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
# PATCH-FIX-UPSTREAM FATE#326351 Add vectorized poly1305 implementation for s390x (https://github.com/openssl/openssl/pull/7991)
Patch9: 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
Patch11: openssl-fix_underflow_in_errstr_handling.patch
# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/8966
Patch7: 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
Patch8: 0001-s390x-assembly-pack-perlasm-support.patch
Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
Patch10: 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
Patch11: 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
Patch12: 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
Patch13: 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
BuildRequires: pkgconfig
Conflicts: ssl
Provides: ssl
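Review bot: The keyring that verifies the source tarball signature is updated in this commit, but the provenance comments above `Source4` give only a plain-`http://` keyserver lookup by 64-bit key ID and a link to the project's about page; neither lets a reviewer confirm which key was added. Recording the full fingerprint of each key in the keyring next to `Source4`, e.g. `# openssl.keyring: <FULL-FINGERPRINT> (Richard Levitte), checked against https://www.openssl.org/about/`, makes the trust change auditable. The keyring diff itself is not shown on this page, so this is based on the changelog entry only.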


@ -1,56 +0,0 @@
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 345d230206..84ef2fa3d4 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -187,8 +187,8 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
}
#ifndef OPENSSL_NO_ERR
-/* A measurement on Linux 2018-11-21 showed about 3.5kib */
-# define SPACE_SYS_STR_REASONS 4 * 1024
+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
+# define SPACE_SYS_STR_REASONS 4 * 1024
# define NUM_SYS_STR_REASONS 127
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
@@ -222,26 +222,30 @@ static void build_SYS_str_reasons(void)
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
- if (str->string == NULL) {
+ /*
+ * If we have used up all the space in strerror_pool,
+ * there's no point in calling openssl_strerror_r()
+ */
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
- size_t l = strlen(cur);
+ size_t l = strlen(cur) + 1;
str->string = cur;
cnt += l;
- if (cnt > sizeof(strerror_pool))
- cnt = sizeof(strerror_pool);
cur += l;
/*
* VMS has an unusual quirk of adding spaces at the end of
- * some (most? all?) messages. Lets trim them off.
+ * some (most? all?) messages. Lets trim them off.
*/
- while (ossl_isspace(cur[-1])) {
- cur--;
- cnt--;
+ if (cur > strerror_pool && ossl_isspace(cur[-1])) {
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
+ cur--;
+ cnt--;
+ }
+ *cur++ = '\0';
+ cnt++;
}
- *cur++ = '\0';
- cnt++;
}
}
if (str->string == NULL)