Accepting request 88591 from Base:System

- AES-NI: Check the return value of Engine_add() 
  if the ENGINE_add() call fails: it ends up adding a reference 
  to a freed up ENGINE which is likely to subsequently contain garbage 
  This will happen if an ENGINE with the same name is added multiple
  times,for example different libraries. [bnc#720601] (forwarded request 88590 from elvigia)

OBS-URL: https://build.opensuse.org/request/show/88591
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=69
This commit is contained in:
Stephan Kulow 2011-10-19 11:40:21 +00:00 committed by Git OBS Bridge
parent 8eaf71fb35
commit abc16f3f92
3 changed files with 45 additions and 39 deletions

View File

@ -1,6 +1,5 @@
diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure
--- openssl-1.0.0b/Configure.aesni 2010-11-16 17:33:22.000000000 +0100
+++ openssl-1.0.0b/Configure 2010-11-16 17:35:15.000000000 +0100
--- Configure.orig
+++ Configure
@@ -123,11 +123,11 @@ my $tlib="-lnsl -lsocket";
my $bits1="THIRTY_TWO_BIT ";
my $bits2="SIXTY_FOUR_BIT ";
@ -24,7 +23,7 @@ diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure
"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32",
"debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
# x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
@@ -1419,6 +1419,7 @@ if ($rmd160_obj =~ /\.o$/)
@@ -1410,6 +1410,7 @@ if ($rmd160_obj =~ /\.o$/)
if ($aes_obj =~ /\.o$/)
{
$cflags.=" -DAES_ASM";
@ -32,9 +31,8 @@ diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure
}
else {
$aes_obj=$aes_enc;
diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl
--- openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni 2010-11-16 17:33:23.000000000 +0100
+++ openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl 2010-11-16 17:33:23.000000000 +0100
--- /dev/null
+++ crypto/aes/asm/aesni-x86.pl
@@ -0,0 +1,765 @@
+#!/usr/bin/env perl
+
@ -801,9 +799,8 @@ diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0b/crypto/
+&asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>");
+
+&asm_finish();
diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl
--- openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni 2010-11-16 17:33:23.000000000 +0100
+++ openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl 2010-11-16 17:33:23.000000000 +0100
--- /dev/null
+++ crypto/aes/asm/aesni-x86_64.pl
@@ -0,0 +1,991 @@
+#!/usr/bin/env perl
+#
@ -1796,9 +1793,8 @@ diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0b/cryp
+print $code;
+
+close STDOUT;
diff -up openssl-1.0.0b/crypto/aes/Makefile.aesni openssl-1.0.0b/crypto/aes/Makefile
--- openssl-1.0.0b/crypto/aes/Makefile.aesni 2008-12-23 12:33:00.000000000 +0100
+++ openssl-1.0.0b/crypto/aes/Makefile 2010-11-16 17:33:23.000000000 +0100
--- crypto/aes/Makefile.orig
+++ crypto/aes/Makefile
@@ -50,9 +50,13 @@ aes-ia64.s: asm/aes-ia64.S
aes-586.s: asm/aes-586.pl ../perlasm/x86asm.pl
@ -1813,9 +1809,8 @@ diff -up openssl-1.0.0b/crypto/aes/Makefile.aesni openssl-1.0.0b/crypto/aes/Make
aes-sparcv9.s: asm/aes-sparcv9.pl
$(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@
diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/engine/eng_aesni.c
--- openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni 2010-11-16 17:33:23.000000000 +0100
+++ openssl-1.0.0b/crypto/engine/eng_aesni.c 2010-11-16 17:33:23.000000000 +0100
--- /dev/null
+++ crypto/engine/eng_aesni.c
@@ -0,0 +1,413 @@
+/*
+ * Support for Intel AES-NI intruction set
@ -1923,7 +1918,7 @@ diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/en
+ ENGINE *toadd = ENGINE_aesni();
+ if (!toadd)
+ return;
+ ENGINE_add (toadd);
+ if(ENGINE_add (toadd))
+ ENGINE_register_complete (toadd);
+ ENGINE_free (toadd);
+ ERR_clear_error ();
@ -2230,10 +2225,9 @@ diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/en
+
+#endif /* COMPILE_HW_AESNI */
+#endif /* !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI) && !defined(OPENSSL_NO_AES) */
diff -up openssl-1.0.0b/crypto/engine/eng_all.c.aesni openssl-1.0.0b/crypto/engine/eng_all.c
--- openssl-1.0.0b/crypto/engine/eng_all.c.aesni 2010-11-16 17:33:22.000000000 +0100
+++ openssl-1.0.0b/crypto/engine/eng_all.c 2010-11-16 17:33:23.000000000 +0100
@@ -85,6 +85,9 @@ void ENGINE_load_builtin_engines(void)
--- crypto/engine/eng_all.c.orig
+++ crypto/engine/eng_all.c
@@ -71,6 +71,9 @@ void ENGINE_load_builtin_engines(void)
#if !defined(OPENSSL_NO_HW) && (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV))
ENGINE_load_cryptodev();
#endif
@ -2243,10 +2237,9 @@ diff -up openssl-1.0.0b/crypto/engine/eng_all.c.aesni openssl-1.0.0b/crypto/engi
ENGINE_load_dynamic();
#ifndef OPENSSL_NO_STATIC_ENGINE
#ifndef OPENSSL_NO_HW
diff -up openssl-1.0.0b/crypto/engine/engine.h.aesni openssl-1.0.0b/crypto/engine/engine.h
--- openssl-1.0.0b/crypto/engine/engine.h.aesni 2010-11-16 17:33:22.000000000 +0100
+++ openssl-1.0.0b/crypto/engine/engine.h 2010-11-16 17:33:23.000000000 +0100
@@ -338,6 +338,7 @@ void ENGINE_load_gost(void);
--- crypto/engine/engine.h.orig
+++ crypto/engine/engine.h
@@ -344,6 +344,7 @@ void ENGINE_load_gost(void);
#endif
#endif
void ENGINE_load_cryptodev(void);
@ -2254,9 +2247,8 @@ diff -up openssl-1.0.0b/crypto/engine/engine.h.aesni openssl-1.0.0b/crypto/engin
void ENGINE_load_builtin_engines(void);
/* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
diff -up openssl-1.0.0b/crypto/engine/Makefile.aesni openssl-1.0.0b/crypto/engine/Makefile
--- openssl-1.0.0b/crypto/engine/Makefile.aesni 2010-11-15 15:44:49.000000000 +0100
+++ openssl-1.0.0b/crypto/engine/Makefile 2010-11-16 17:33:23.000000000 +0100
--- crypto/engine/Makefile.orig
+++ crypto/engine/Makefile
@@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c e
eng_table.c eng_pkey.c eng_fat.c eng_all.c \
tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
@ -2274,9 +2266,8 @@ diff -up openssl-1.0.0b/crypto/engine/Makefile.aesni openssl-1.0.0b/crypto/engin
SRC= $(LIBSRC)
diff -up openssl-1.0.0b/crypto/evp/evp_err.c.aesni openssl-1.0.0b/crypto/evp/evp_err.c
--- openssl-1.0.0b/crypto/evp/evp_err.c.aesni 2010-11-16 17:33:22.000000000 +0100
+++ openssl-1.0.0b/crypto/evp/evp_err.c 2010-11-16 17:33:23.000000000 +0100
--- crypto/evp/evp_err.c.orig
+++ crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
/* crypto/evp/evp_err.c */
/* ====================================================================
@ -2302,10 +2293,9 @@ diff -up openssl-1.0.0b/crypto/evp/evp_err.c.aesni openssl-1.0.0b/crypto/evp/evp
{ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"},
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"},
diff -up openssl-1.0.0b/crypto/evp/evp.h.aesni openssl-1.0.0b/crypto/evp/evp.h
--- openssl-1.0.0b/crypto/evp/evp.h.aesni 2010-11-16 17:33:22.000000000 +0100
+++ openssl-1.0.0b/crypto/evp/evp.h 2010-11-16 17:33:23.000000000 +0100
@@ -1167,6 +1167,7 @@ void ERR_load_EVP_strings(void);
--- crypto/evp/evp.h.orig
+++ crypto/evp/evp.h
@@ -1190,6 +1190,7 @@ void ERR_load_EVP_strings(void);
/* Error codes for the EVP functions. */
/* Function codes. */
@ -2313,9 +2303,8 @@ diff -up openssl-1.0.0b/crypto/evp/evp.h.aesni openssl-1.0.0b/crypto/evp/evp.h
#define EVP_F_AES_INIT_KEY 133
#define EVP_F_CAMELLIA_INIT_KEY 159
#define EVP_F_D2I_PKEY 100
diff -up openssl-1.0.0b/test/test_aesni.aesni openssl-1.0.0b/test/test_aesni
--- openssl-1.0.0b/test/test_aesni.aesni 2010-11-16 17:33:23.000000000 +0100
+++ openssl-1.0.0b/test/test_aesni 2010-11-16 17:33:23.000000000 +0100
--- /dev/null
+++ test/test_aesni
@@ -0,0 +1,69 @@
+#!/bin/sh
+

View File

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Tue Oct 18 16:43:50 UTC 2011 - crrodriguez@opensuse.org
- AES-NI: Check the return value of Engine_add()
if the ENGINE_add() call fails: it ends up adding a reference
to a freed up ENGINE which is likely to subsequently contain garbage
This will happen if an ENGINE with the same name is added multiple
times,for example different libraries. [bnc#720601]
-------------------------------------------------------------------
Sat Oct 8 21:36:58 UTC 2011 - crrodriguez@opensuse.org
- Build with -DSSL_FORBID_ENULL so servers are not
able to use the NULL encryption ciphers (Those offering no
encryption whatsoever).
-------------------------------------------------------------------
Wed Sep 7 14:29:41 UTC 2011 - crrodriguez@opensuse.org

View File

@ -185,7 +185,7 @@ Authors:
#%patch4 -p1
#%patch5 -p1
#%patch6 -p1
%patch7 -p1
%patch7
#%patch8 -p1
%patch10
cp -p %{S:10} .
@ -237,6 +237,7 @@ $RPM_OPT_FLAGS \
-fomit-frame-pointer \
-DTERMIO \
-DPURIFY \
-DSSL_FORBID_ENULL \
%ifnarch hppa
-Wall \
-fstack-protector "