diff --git a/openssl-1.0.1k-alt-chains.patch b/openssl-1.0.1k-alt-chains.patch index 6424d66..98b8bea 100644 --- a/openssl-1.0.1k-alt-chains.patch +++ b/openssl-1.0.1k-alt-chains.patch @@ -1,6 +1,6 @@ diff -up openssl-1.0.1k/apps/apps.c.alt-chains openssl-1.0.1k/apps/apps.c ---- openssl-1.0.1k/apps/apps.c.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/apps/apps.c 2015-04-30 14:25:49.220873338 +0200 +--- openssl-1.0.1k/apps/apps.c.alt-chains 2015-07-09 14:58:55.949753674 +0200 ++++ openssl-1.0.1k/apps/apps.c 2015-07-09 14:58:55.970754174 +0200 @@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) @@ -11,8 +11,8 @@ diff -up openssl-1.0.1k/apps/apps.c.alt-chains openssl-1.0.1k/apps/apps.c flags |= X509_V_FLAG_TRUSTED_FIRST; else diff -up openssl-1.0.1k/apps/cms.c.alt-chains openssl-1.0.1k/apps/cms.c ---- openssl-1.0.1k/apps/cms.c.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/apps/cms.c 2015-04-30 14:27:12.129773347 +0200 +--- openssl-1.0.1k/apps/cms.c.alt-chains 2015-07-09 14:58:55.949753674 +0200 ++++ openssl-1.0.1k/apps/cms.c 2015-07-09 14:58:55.970754174 +0200 @@ -642,6 +642,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); 
@@ -22,8 +22,8 @@ diff -up openssl-1.0.1k/apps/cms.c.alt-chains openssl-1.0.1k/apps/cms.c BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); diff -up openssl-1.0.1k/apps/ocsp.c.alt-chains openssl-1.0.1k/apps/ocsp.c ---- openssl-1.0.1k/apps/ocsp.c.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/apps/ocsp.c 2015-04-30 14:28:12.975167730 +0200 +--- openssl-1.0.1k/apps/ocsp.c.alt-chains 2015-07-09 14:58:55.949753674 +0200 ++++ openssl-1.0.1k/apps/ocsp.c 2015-07-09 14:58:55.971754198 +0200 @@ -605,6 +605,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-path path to use in OCSP request\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); @@ -33,8 +33,8 @@ diff -up openssl-1.0.1k/apps/ocsp.c.alt-chains openssl-1.0.1k/apps/ocsp.c BIO_printf (bio_err, "-VAfile file validator certificates file\n"); BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); diff -up openssl-1.0.1k/apps/s_client.c.alt-chains openssl-1.0.1k/apps/s_client.c ---- openssl-1.0.1k/apps/s_client.c.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/apps/s_client.c 2015-04-30 14:29:33.254006312 +0200 +--- openssl-1.0.1k/apps/s_client.c.alt-chains 2015-07-09 14:58:55.956753841 +0200 ++++ openssl-1.0.1k/apps/s_client.c 2015-07-09 14:58:55.971754198 +0200 @@ -299,6 +299,7 @@ static void sc_usage(void) BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); 
@@ -44,8 +44,8 @@ diff -up openssl-1.0.1k/apps/s_client.c.alt-chains openssl-1.0.1k/apps/s_client. BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); diff -up openssl-1.0.1k/apps/smime.c.alt-chains openssl-1.0.1k/apps/smime.c ---- openssl-1.0.1k/apps/smime.c.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/apps/smime.c 2015-04-30 14:30:44.456633094 +0200 +--- openssl-1.0.1k/apps/smime.c.alt-chains 2015-07-09 14:58:55.950753698 +0200 ++++ openssl-1.0.1k/apps/smime.c 2015-07-09 14:58:55.971754198 +0200 @@ -479,6 +479,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); @@ -55,8 +55,8 @@ diff -up openssl-1.0.1k/apps/smime.c.alt-chains openssl-1.0.1k/apps/smime.c BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); diff -up openssl-1.0.1k/apps/s_server.c.alt-chains openssl-1.0.1k/apps/s_server.c ---- openssl-1.0.1k/apps/s_server.c.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/apps/s_server.c 2015-04-30 14:30:06.420764081 +0200 +--- openssl-1.0.1k/apps/s_server.c.alt-chains 2015-07-09 14:58:55.950753698 +0200 ++++ openssl-1.0.1k/apps/s_server.c 2015-07-09 14:58:55.971754198 +0200 @@ -502,6 +502,7 @@ static void sv_usage(void) BIO_printf(bio_err," -state - Print the SSL states\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); 
@@ -66,8 +66,8 @@ diff -up openssl-1.0.1k/apps/s_server.c.alt-chains openssl-1.0.1k/apps/s_server. BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); diff -up openssl-1.0.1k/apps/verify.c.alt-chains openssl-1.0.1k/apps/verify.c ---- openssl-1.0.1k/apps/verify.c.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/apps/verify.c 2015-04-30 14:31:20.055446426 +0200 +--- openssl-1.0.1k/apps/verify.c.alt-chains 2015-07-09 14:58:55.951753722 +0200 ++++ openssl-1.0.1k/apps/verify.c 2015-07-09 14:58:55.972754221 +0200 @@ -238,7 +238,7 @@ int MAIN(int argc, char **argv) end: if (ret == 1) { @@ -78,8 +78,8 @@ diff -up openssl-1.0.1k/apps/verify.c.alt-chains openssl-1.0.1k/apps/verify.c BIO_printf(bio_err," [-engine e]"); #endif diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/x509/x509_vfy.c ---- openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/crypto/x509/x509_vfy.c 2015-04-30 14:22:37.183472452 +0200 +--- openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains 2015-07-09 14:58:55.951753722 +0200 ++++ openssl-1.0.1k/crypto/x509/x509_vfy.c 2015-07-09 15:28:03.630442145 +0200 @@ -154,11 +154,11 @@ static int x509_subject_cmp(X509 **a, X5 int X509_verify_cert(X509_STORE_CTX *ctx) 
@@ -94,7 +94,44 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/ int (*cb)(int xok,X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp=NULL; if (ctx->cert == NULL) -@@ -247,10 +247,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx +@@ -167,21 +167,27 @@ int X509_verify_cert(X509_STORE_CTX *ctx + return -1; + } + ++ if (ctx->chain != NULL) { ++ /* ++ * This X509_STORE_CTX has already been used to verify a cert. We ++ * cannot do another one. ++ */ ++ X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); ++ return -1; ++ } ++ + cb=ctx->verify_cb; + + /* first we make sure the chain we are going to build is + * present and that the first entry is in place */ +- if (ctx->chain == NULL) ++ if ( ((ctx->chain=sk_X509_new_null()) == NULL) || ++ (!sk_X509_push(ctx->chain,ctx->cert))) + { +- if ( ((ctx->chain=sk_X509_new_null()) == NULL) || +- (!sk_X509_push(ctx->chain,ctx->cert))) +- { +- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); +- goto end; +- } +- CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); +- ctx->last_untrusted=1; ++ X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); ++ goto end; + } ++ CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); ++ ctx->last_untrusted=1; + + /* We use a temporary STACK so we can chop and hack at it */ + if (ctx->untrusted != NULL +@@ -247,10 +253,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx break; } @@ -109,7 +146,7 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/ /* Examine last certificate in chain and see if it * is self signed. */ -@@ -294,6 +298,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx +@@ -294,6 +304,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx chain_ss=sk_X509_pop(ctx->chain); ctx->last_untrusted--; num--; 
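Review bot: The new `ctx->chain != NULL` guard in X509_verify_cert() returns -1 without touching `ctx->error`, so a caller that reads X509_STORE_CTX_get_error() instead of checking the return value will see whatever the earlier verification left there, which may be X509_V_OK. Setting a failing code first, e.g. `ctx->error = <suitable X509_V_ERR_* value>;` ahead of `return -1;`, would make a reused context fail closed on both paths; the `ctx->cert == NULL` branch shown as context just above also returns -1 directly. The function body begins and ends outside this hunk, so whether `ctx->error` is reset elsewhere cannot be confirmed from here. The X509_STORE_CTX_new.pod text added later in this patch spells the reset call `X509_XTORE_CTX_cleanup()`; it should read `X509_STORE_CTX_cleanup()`.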
@@ -117,7 +154,7 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/ x=sk_X509_value(ctx->chain,num-1); } } -@@ -322,7 +327,42 @@ int X509_verify_cert(X509_STORE_CTX *ctx +@@ -322,7 +333,42 @@ int X509_verify_cert(X509_STORE_CTX *ctx num++; } @@ -128,7 +165,7 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/ + * if the user hasn't switched off alternate chain checking + */ + retry = 0; -+ if (j == ctx->last_untrusted && ++ if (num == ctx->last_untrusted && + !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { + while (j-- > 1) { + xtmp2 = sk_X509_value(ctx->chain, j - 1); @@ -150,8 +187,8 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/ + xtmp = sk_X509_pop(ctx->chain); + X509_free(xtmp); + num--; -+ ctx->last_untrusted--; + } ++ ctx->last_untrusted = j; + retry = 1; + break; + } @@ -162,8 +199,8 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/ /* Is last certificate looked up self signed? */ if (!ctx->check_issued(ctx,x,x)) diff -up openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.1k/crypto/x509/x509_vfy.h ---- openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/crypto/x509/x509_vfy.h 2015-04-30 14:16:56.818672373 +0200 +--- openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains 2015-07-09 14:58:55.951753722 +0200 ++++ openssl-1.0.1k/crypto/x509/x509_vfy.h 2015-07-09 14:58:55.972754221 +0200 @@ -391,7 +391,12 @@ void X509_STORE_CTX_set_depth(X509_STORE #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 /* Use trusted store first */ 
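Review bot: `ctx->last_untrusted = j;` in the alternate-chain branch is only correct while `num` and `j` both mirror the depth of `ctx->chain`, and nothing in the visible lines states that invariant. Deriving the value from the stack itself, `ctx->last_untrusted = sk_X509_num(ctx->chain);`, would keep the untrusted/trusted boundary right even if the pop loop above it is later changed. A short comment such as `/* every cert still on the chain is untrusted; reset the boundary rather than decrementing per pop */` would record why the per-pop `ctx->last_untrusted--` was dropped, assuming that reading of the loop is confirmed against the full function. The same invariant underlies the `num == ctx->last_untrusted` test changed in the preceding hunk of this revision. No test exercising the alternate-chain path for CVE-2015-1793 is visible in this patch, and X509_verify_cert() continues outside the hunk.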
@@ -179,8 +216,8 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.1k/crypto/ #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 diff -up openssl-1.0.1k/doc/apps/cms.pod.alt-chains openssl-1.0.1k/doc/apps/cms.pod ---- openssl-1.0.1k/doc/apps/cms.pod.alt-chains 2015-04-30 14:32:50.736518235 +0200 -+++ openssl-1.0.1k/doc/apps/cms.pod 2015-04-30 14:36:11.989116293 +0200 +--- openssl-1.0.1k/doc/apps/cms.pod.alt-chains 2015-07-09 14:58:55.951753722 +0200 ++++ openssl-1.0.1k/doc/apps/cms.pod 2015-07-09 14:58:55.972754221 +0200 @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] @@ -199,8 +236,8 @@ diff -up openssl-1.0.1k/doc/apps/cms.pod.alt-chains openssl-1.0.1k/doc/apps/cms. Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. diff -up openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains openssl-1.0.1k/doc/apps/ocsp.pod ---- openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/doc/apps/ocsp.pod 2015-04-30 14:34:40.398023692 +0200 +--- openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains 2015-07-09 14:58:55.951753722 +0200 ++++ openssl-1.0.1k/doc/apps/ocsp.pod 2015-07-09 14:58:55.973754245 +0200 @@ -29,6 +29,7 @@ B B [B<-path>] [B<-CApath dir>] @@ -221,8 +258,8 @@ diff -up openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains openssl-1.0.1k/doc/apps/ocs Use certificates in CA file or CA directory over certificates provided diff -up openssl-1.0.1k/doc/apps/s_client.pod.alt-chains openssl-1.0.1k/doc/apps/s_client.pod ---- openssl-1.0.1k/doc/apps/s_client.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/doc/apps/s_client.pod 2015-04-30 14:35:23.284003518 +0200 +--- openssl-1.0.1k/doc/apps/s_client.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200 ++++ openssl-1.0.1k/doc/apps/s_client.pod 2015-07-09 14:58:55.973754245 +0200 @@ -19,6 +19,7 @@ B B [B<-pass arg>] [B<-CApath directory>] 
@@ -241,8 +278,8 @@ diff -up openssl-1.0.1k/doc/apps/s_client.pod.alt-chains openssl-1.0.1k/doc/apps Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. diff -up openssl-1.0.1k/doc/apps/smime.pod.alt-chains openssl-1.0.1k/doc/apps/smime.pod ---- openssl-1.0.1k/doc/apps/smime.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/doc/apps/smime.pod 2015-04-30 14:37:58.832557366 +0200 +--- openssl-1.0.1k/doc/apps/smime.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200 ++++ openssl-1.0.1k/doc/apps/smime.pod 2015-07-09 14:58:55.973754245 +0200 @@ -17,6 +17,7 @@ B B [B<-in file>] [B<-CAfile file>] @@ -261,8 +298,8 @@ diff -up openssl-1.0.1k/doc/apps/smime.pod.alt-chains openssl-1.0.1k/doc/apps/sm Set various options of certificate chain verification. See L|verify(1)> manual page for details. diff -up openssl-1.0.1k/doc/apps/s_server.pod.alt-chains openssl-1.0.1k/doc/apps/s_server.pod ---- openssl-1.0.1k/doc/apps/s_server.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/doc/apps/s_server.pod 2015-04-30 14:37:02.850278328 +0200 +--- openssl-1.0.1k/doc/apps/s_server.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200 ++++ openssl-1.0.1k/doc/apps/s_server.pod 2015-07-09 14:58:55.973754245 +0200 @@ -33,6 +33,7 @@ B B [B<-state>] [B<-CApath directory>] @@ -283,8 +320,8 @@ diff -up openssl-1.0.1k/doc/apps/s_server.pod.alt-chains openssl-1.0.1k/doc/apps Use certificates in CA file or CA directory before other certificates diff -up openssl-1.0.1k/doc/apps/verify.pod.alt-chains openssl-1.0.1k/doc/apps/verify.pod ---- openssl-1.0.1k/doc/apps/verify.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200 -+++ openssl-1.0.1k/doc/apps/verify.pod 2015-04-30 14:38:32.853334645 +0200 +--- openssl-1.0.1k/doc/apps/verify.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200 ++++ openssl-1.0.1k/doc/apps/verify.pod 2015-07-09 14:58:55.973754245 +0200 @@ -23,6 +23,7 @@ B B [B<-extended_crl>] [B<-use_deltas>] 
@@ -308,9 +345,45 @@ diff -up openssl-1.0.1k/doc/apps/verify.pod.alt-chains openssl-1.0.1k/doc/apps/v =item B<-policy_print> Print out diagnostics related to policy processing. +diff -up openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod +--- openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod.alt-chains 2014-10-15 15:49:15.000000000 +0200 ++++ openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod 2015-07-09 15:29:16.461174414 +0200 +@@ -39,10 +39,15 @@ X509_STORE_CTX_free() completely frees u + is no longer valid. + + X509_STORE_CTX_init() sets up B for a subsequent verification operation. +-The trusted certificate store is set to B, the end entity certificate +-to be verified is set to B and a set of additional certificates (which +-will be untrusted but may be used to build the chain) in B. Any or +-all of the B, B and B parameters can be B. ++It must be called before each call to X509_verify_cert(), i.e. a B is only ++good for one call to X509_verify_cert(); if you want to verify a second ++certificate with the same B then you must call X509_XTORE_CTX_cleanup() ++and then X509_STORE_CTX_init() again before the second call to ++X509_verify_cert(). The trusted certificate store is set to B, the end ++entity certificate to be verified is set to B and a set of additional ++certificates (which will be untrusted but may be used to build the chain) in ++B. Any or all of the B, B and B parameters can be ++B. + + X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B + to B. 
This is an alternative way of specifying trusted certificates +diff -up openssl-1.0.1k/doc/crypto/X509_verify_cert.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_verify_cert.pod +--- openssl-1.0.1k/doc/crypto/X509_verify_cert.pod.alt-chains 2014-10-15 15:49:15.000000000 +0200 ++++ openssl-1.0.1k/doc/crypto/X509_verify_cert.pod 2015-07-09 15:29:16.461174414 +0200 +@@ -32,7 +32,8 @@ OpenSSL internally for certificate valid + SSL/TLS code. + + The negative return value from X509_verify_cert() can only occur if no +-certificate is set in B (due to a programming error) or if a retry ++certificate is set in B (due to a programming error); if X509_verify_cert() ++twice without reinitialising B in between; or if a retry + operation is requested during internal lookups (which never happens with + standard lookup methods). It is however recommended that application check + for <= 0 return value on error. diff -up openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod ---- openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2014-10-15 14:51:06.000000000 +0200 -+++ openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-04-30 14:39:34.951753420 +0200 +--- openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2015-01-08 15:00:36.000000000 +0100 ++++ openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-07-09 14:58:55.973754245 +0200 @@ -133,6 +133,12 @@ verification. If this flag is set then a to the verification callback and it B be prepared to handle such cases without assuming they are hard errors. diff --git a/openssl.spec b/openssl.spec index 73667c8..a441667 100644 --- a/openssl.spec +++ b/openssl.spec 
@@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1k -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -504,6 +504,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Thu Jul 9 2015 Tomáš Mráz 1.0.1k-11 +- fix CVE-2015-1793 - certificate verification forgery + * Mon Jun 15 2015 Tomáš Mráz 1.0.1k-10 - fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time - fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent