Accepting request 88591 from Base:System

- AES-NI: Check the return value of ENGINE_add().
  If the ENGINE_add() call fails, it ends up adding a reference
  to a freed ENGINE, which is likely to subsequently contain garbage.
  This will happen if an ENGINE with the same name is added multiple
  times, for example by different libraries. [bnc#720601] (forwarded request 88590 from elvigia)

OBS-URL: https://build.opensuse.org/request/show/88591
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=69
Stephan Kulow 2011-10-19 11:40:21 +00:00 committed by Git OBS Bridge
parent 8eaf71fb35
commit abc16f3f92
3 changed files with 45 additions and 39 deletions


@ -1,6 +1,5 @@
diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure --- Configure.orig
--- openssl-1.0.0b/Configure.aesni 2010-11-16 17:33:22.000000000 +0100 +++ Configure
+++ openssl-1.0.0b/Configure 2010-11-16 17:35:15.000000000 +0100
@@ -123,11 +123,11 @@ my $tlib="-lnsl -lsocket"; @@ -123,11 +123,11 @@ my $tlib="-lnsl -lsocket";
my $bits1="THIRTY_TWO_BIT "; my $bits1="THIRTY_TWO_BIT ";
my $bits2="SIXTY_FOUR_BIT "; my $bits2="SIXTY_FOUR_BIT ";
@ -24,7 +23,7 @@ diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure
"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32", "debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32",
"debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32", "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
# x86 Win32 target defaults to ANSI API, if you want UNICODE, complement # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
@@ -1419,6 +1419,7 @@ if ($rmd160_obj =~ /\.o$/) @@ -1410,6 +1410,7 @@ if ($rmd160_obj =~ /\.o$/)
if ($aes_obj =~ /\.o$/) if ($aes_obj =~ /\.o$/)
{ {
$cflags.=" -DAES_ASM"; $cflags.=" -DAES_ASM";
@ -32,9 +31,8 @@ diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure
} }
else { else {
$aes_obj=$aes_enc; $aes_obj=$aes_enc;
diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl --- /dev/null
--- openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni 2010-11-16 17:33:23.000000000 +0100 +++ crypto/aes/asm/aesni-x86.pl
+++ openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl 2010-11-16 17:33:23.000000000 +0100
@@ -0,0 +1,765 @@ @@ -0,0 +1,765 @@
+#!/usr/bin/env perl +#!/usr/bin/env perl
+ +
@ -801,9 +799,8 @@ diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0b/crypto/
+&asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"); +&asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>");
+ +
+&asm_finish(); +&asm_finish();
diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl --- /dev/null
--- openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni 2010-11-16 17:33:23.000000000 +0100 +++ crypto/aes/asm/aesni-x86_64.pl
+++ openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl 2010-11-16 17:33:23.000000000 +0100
@@ -0,0 +1,991 @@ @@ -0,0 +1,991 @@
+#!/usr/bin/env perl +#!/usr/bin/env perl
+# +#
@ -1796,9 +1793,8 @@ diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0b/cryp
+print $code; +print $code;
+ +
+close STDOUT; +close STDOUT;
diff -up openssl-1.0.0b/crypto/aes/Makefile.aesni openssl-1.0.0b/crypto/aes/Makefile --- crypto/aes/Makefile.orig
--- openssl-1.0.0b/crypto/aes/Makefile.aesni 2008-12-23 12:33:00.000000000 +0100 +++ crypto/aes/Makefile
+++ openssl-1.0.0b/crypto/aes/Makefile 2010-11-16 17:33:23.000000000 +0100
@@ -50,9 +50,13 @@ aes-ia64.s: asm/aes-ia64.S @@ -50,9 +50,13 @@ aes-ia64.s: asm/aes-ia64.S
aes-586.s: asm/aes-586.pl ../perlasm/x86asm.pl aes-586.s: asm/aes-586.pl ../perlasm/x86asm.pl
@ -1813,9 +1809,8 @@ diff -up openssl-1.0.0b/crypto/aes/Makefile.aesni openssl-1.0.0b/crypto/aes/Make
aes-sparcv9.s: asm/aes-sparcv9.pl aes-sparcv9.s: asm/aes-sparcv9.pl
$(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@ $(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@
diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/engine/eng_aesni.c --- /dev/null
--- openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni 2010-11-16 17:33:23.000000000 +0100 +++ crypto/engine/eng_aesni.c
+++ openssl-1.0.0b/crypto/engine/eng_aesni.c 2010-11-16 17:33:23.000000000 +0100
@@ -0,0 +1,413 @@ @@ -0,0 +1,413 @@
+/* +/*
+ * Support for Intel AES-NI intruction set + * Support for Intel AES-NI intruction set
@ -1923,7 +1918,7 @@ diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/en
+ ENGINE *toadd = ENGINE_aesni(); + ENGINE *toadd = ENGINE_aesni();
+ if (!toadd) + if (!toadd)
+ return; + return;
+ ENGINE_add (toadd); + if(ENGINE_add (toadd))
+ ENGINE_register_complete (toadd); + ENGINE_register_complete (toadd);
+ ENGINE_free (toadd); + ENGINE_free (toadd);
+ ERR_clear_error (); + ERR_clear_error ();
@ -2230,10 +2225,9 @@ diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/en
+ +
+#endif /* COMPILE_HW_AESNI */ +#endif /* COMPILE_HW_AESNI */
+#endif /* !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI) && !defined(OPENSSL_NO_AES) */ +#endif /* !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI) && !defined(OPENSSL_NO_AES) */
diff -up openssl-1.0.0b/crypto/engine/eng_all.c.aesni openssl-1.0.0b/crypto/engine/eng_all.c --- crypto/engine/eng_all.c.orig
--- openssl-1.0.0b/crypto/engine/eng_all.c.aesni 2010-11-16 17:33:22.000000000 +0100 +++ crypto/engine/eng_all.c
+++ openssl-1.0.0b/crypto/engine/eng_all.c 2010-11-16 17:33:23.000000000 +0100 @@ -71,6 +71,9 @@ void ENGINE_load_builtin_engines(void)
@@ -85,6 +85,9 @@ void ENGINE_load_builtin_engines(void)
#if !defined(OPENSSL_NO_HW) && (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)) #if !defined(OPENSSL_NO_HW) && (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV))
ENGINE_load_cryptodev(); ENGINE_load_cryptodev();
#endif #endif
@ -2243,10 +2237,9 @@ diff -up openssl-1.0.0b/crypto/engine/eng_all.c.aesni openssl-1.0.0b/crypto/engi
ENGINE_load_dynamic(); ENGINE_load_dynamic();
#ifndef OPENSSL_NO_STATIC_ENGINE #ifndef OPENSSL_NO_STATIC_ENGINE
#ifndef OPENSSL_NO_HW #ifndef OPENSSL_NO_HW
diff -up openssl-1.0.0b/crypto/engine/engine.h.aesni openssl-1.0.0b/crypto/engine/engine.h --- crypto/engine/engine.h.orig
--- openssl-1.0.0b/crypto/engine/engine.h.aesni 2010-11-16 17:33:22.000000000 +0100 +++ crypto/engine/engine.h
+++ openssl-1.0.0b/crypto/engine/engine.h 2010-11-16 17:33:23.000000000 +0100 @@ -344,6 +344,7 @@ void ENGINE_load_gost(void);
@@ -338,6 +338,7 @@ void ENGINE_load_gost(void);
#endif #endif
#endif #endif
void ENGINE_load_cryptodev(void); void ENGINE_load_cryptodev(void);
@ -2254,9 +2247,8 @@ diff -up openssl-1.0.0b/crypto/engine/engine.h.aesni openssl-1.0.0b/crypto/engin
void ENGINE_load_builtin_engines(void); void ENGINE_load_builtin_engines(void);
/* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
diff -up openssl-1.0.0b/crypto/engine/Makefile.aesni openssl-1.0.0b/crypto/engine/Makefile --- crypto/engine/Makefile.orig
--- openssl-1.0.0b/crypto/engine/Makefile.aesni 2010-11-15 15:44:49.000000000 +0100 +++ crypto/engine/Makefile
+++ openssl-1.0.0b/crypto/engine/Makefile 2010-11-16 17:33:23.000000000 +0100
@@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c e @@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c e
eng_table.c eng_pkey.c eng_fat.c eng_all.c \ eng_table.c eng_pkey.c eng_fat.c eng_all.c \
tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \ tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
@ -2274,9 +2266,8 @@ diff -up openssl-1.0.0b/crypto/engine/Makefile.aesni openssl-1.0.0b/crypto/engin
SRC= $(LIBSRC) SRC= $(LIBSRC)
diff -up openssl-1.0.0b/crypto/evp/evp_err.c.aesni openssl-1.0.0b/crypto/evp/evp_err.c --- crypto/evp/evp_err.c.orig
--- openssl-1.0.0b/crypto/evp/evp_err.c.aesni 2010-11-16 17:33:22.000000000 +0100 +++ crypto/evp/evp_err.c
+++ openssl-1.0.0b/crypto/evp/evp_err.c 2010-11-16 17:33:23.000000000 +0100
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* crypto/evp/evp_err.c */ /* crypto/evp/evp_err.c */
/* ==================================================================== /* ====================================================================
@ -2302,10 +2293,9 @@ diff -up openssl-1.0.0b/crypto/evp/evp_err.c.aesni openssl-1.0.0b/crypto/evp/evp
{ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"}, {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"},
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"}, {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"},
diff -up openssl-1.0.0b/crypto/evp/evp.h.aesni openssl-1.0.0b/crypto/evp/evp.h --- crypto/evp/evp.h.orig
--- openssl-1.0.0b/crypto/evp/evp.h.aesni 2010-11-16 17:33:22.000000000 +0100 +++ crypto/evp/evp.h
+++ openssl-1.0.0b/crypto/evp/evp.h 2010-11-16 17:33:23.000000000 +0100 @@ -1190,6 +1190,7 @@ void ERR_load_EVP_strings(void);
@@ -1167,6 +1167,7 @@ void ERR_load_EVP_strings(void);
/* Error codes for the EVP functions. */ /* Error codes for the EVP functions. */
/* Function codes. */ /* Function codes. */
@ -2313,9 +2303,8 @@ diff -up openssl-1.0.0b/crypto/evp/evp.h.aesni openssl-1.0.0b/crypto/evp/evp.h
#define EVP_F_AES_INIT_KEY 133 #define EVP_F_AES_INIT_KEY 133
#define EVP_F_CAMELLIA_INIT_KEY 159 #define EVP_F_CAMELLIA_INIT_KEY 159
#define EVP_F_D2I_PKEY 100 #define EVP_F_D2I_PKEY 100
diff -up openssl-1.0.0b/test/test_aesni.aesni openssl-1.0.0b/test/test_aesni --- /dev/null
--- openssl-1.0.0b/test/test_aesni.aesni 2010-11-16 17:33:23.000000000 +0100 +++ test/test_aesni
+++ openssl-1.0.0b/test/test_aesni 2010-11-16 17:33:23.000000000 +0100
@@ -0,0 +1,69 @@ @@ -0,0 +1,69 @@
+#!/bin/sh +#!/bin/sh
+ +
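Review bot: In the eng_aesni.c load routine, the `ERR_clear_error ();` that follows the new `if(ENGINE_add (toadd))` guard still empties the calling thread's whole error queue. A failed add (the duplicate-name case the changelog describes) therefore leaves no trace, and any error the application had queued before calling the loader is discarded with it. If the intent is only to drop errors raised here, put `ERR_set_mark();` before the `ENGINE_add` call and use `ERR_pop_to_mark();` in place of `ERR_clear_error ();`. The function starts and ends outside the lines shown, so this is based only on the six statements visible in the hunk.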


@ -1,3 +1,19 @@
-------------------------------------------------------------------
Tue Oct 18 16:43:50 UTC 2011 - crrodriguez@opensuse.org
- AES-NI: Check the return value of Engine_add()
if the ENGINE_add() call fails: it ends up adding a reference
to a freed up ENGINE which is likely to subsequently contain garbage
This will happen if an ENGINE with the same name is added multiple
times,for example different libraries. [bnc#720601]
-------------------------------------------------------------------
Sat Oct 8 21:36:58 UTC 2011 - crrodriguez@opensuse.org
- Build with -DSSL_FORBID_ENULL so servers are not
able to use the NULL encryption ciphers (Those offering no
encryption whatsoever).
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 7 14:29:41 UTC 2011 - crrodriguez@opensuse.org Wed Sep 7 14:29:41 UTC 2011 - crrodriguez@opensuse.org


@ -185,7 +185,7 @@ Authors:
#%patch4 -p1 #%patch4 -p1
#%patch5 -p1 #%patch5 -p1
#%patch6 -p1 #%patch6 -p1
%patch7 -p1 %patch7
#%patch8 -p1 #%patch8 -p1
%patch10 %patch10
cp -p %{S:10} . cp -p %{S:10} .
@ -237,6 +237,7 @@ $RPM_OPT_FLAGS \
-fomit-frame-pointer \ -fomit-frame-pointer \
-DTERMIO \ -DTERMIO \
-DPURIFY \ -DPURIFY \
-DSSL_FORBID_ENULL \
%ifnarch hppa %ifnarch hppa
-Wall \ -Wall \
-fstack-protector " -fstack-protector "
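Review bot: The change from `%patch7 -p1` to `%patch7` goes with a regenerated AES-NI patch that neither the changelog entry nor the commit message mentions. The patch headers are now `--- Configure.orig` / `+++ Configure` instead of `openssl-1.0.0b/...` paths, and several hunk offsets moved, which suggests a re-diff. Someone auditing the one-line ENGINE_add fix has to separate it from that refresh by hand. A line in the .changes entry such as `- Refresh the AES-NI patch; it now applies at -p0` would document it.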