diff --git a/CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch b/CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..26a3cdc5ba6710bbf6e831ccc8a29574b93caa94
--- /dev/null
+++ b/CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch
@@ -0,0 +1,37 @@
+From 515ac8b5e544dd713a2b4cabfc54b722d122c218 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 13 Aug 2021 16:58:21 +0100
+Subject: [PATCH] Check the plaintext buffer is large enough when decrypting
+ SM2
+
+Previously there was no check that the supplied buffer was large enough.
+It was just assumed to be sufficient. Instead we should check and fail if
+not.
+
+Reviewed-by: Paul Dale
+Reviewed-by: Nicola Tuveri
+
+Reference: https://github.com/openssl/openssl/commit/515ac8b5e544dd713a2b4cabfc54b722d122c218
+Conflict: NA
+---
+ crypto/sm2/sm2_crypt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c
+index 1188abfc6b..00055a4e51 100644
+--- a/crypto/sm2/sm2_crypt.c
++++ b/crypto/sm2/sm2_crypt.c
+@@ -294,6 +294,10 @@ int sm2_decrypt(const EC_KEY *key,
+ C2 = sm2_ctext->C2->data;
+ C3 = sm2_ctext->C3->data;
+ msg_len = sm2_ctext->C2->length;
++ if (*ptext_len < (size_t)msg_len) {
++ SM2err(SM2_F_SM2_DECRYPT, SM2_R_BUFFER_TOO_SMALL);
++ goto done;
++ }
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL) {
+--
+2.23.0
+
diff --git a/CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch b/CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d7373cafd81d89cb89e3c885cdc8e5c269831a47
--- /dev/null
+++ b/CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch
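Review bot: The new guard in sm2_decrypt reads `*ptext_len` as the capacity of the caller's buffer, but nothing in the hunk states that the parameter is in/out, so a caller that leaves it uninitialised gets either a spurious SM2_R_BUFFER_TOO_SMALL or no protection at all. I would record the contract next to the check, e.g. `/* On entry *ptext_len must hold the size of the output buffer */`. The `(size_t)msg_len` cast turns a negative length into a very large value, which fails the comparison on the safe side. The check jumps to `done` before `BN_CTX_new()` runs, and the declarations and cleanup code are outside the hunk, so it is worth confirming that every pointer released there starts out as NULL.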
@@ -0,0 +1,124 @@
+From 59f5e75f3bced8fc0e130d72a3f582cf7b480b46 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 13 Aug 2021 14:14:51 +0100
+Subject: [PATCH] Correctly calculate the length of SM2 plaintext given the
+ ciphertext
+
+Previously the length of the SM2 plaintext could be incorrectly calculated.
+The plaintext length was calculated by taking the ciphertext length and
+taking off an "overhead" value.
+
+The overhead value was assumed to have a "fixed" element of 10 bytes.
+This is incorrect since in some circumstances it can be more than 10 bytes.
+Additionally the overhead included the length of two integers C1x and C1y,
+which were assumed to be the same length as the field size (32 bytes for
+the SM2 curve). However in some cases these integers can have an additional
+padding byte when the msb is set, to disambiguate them from negative
+integers. Additionally the integers can also be less than 32 bytes in
+length in some cases.
+
+If the calculated overhead is incorrect and larger than the actual value
+this can result in the calculated plaintext length being too small.
+Applications are likely to allocate buffer sizes based on this and therefore
+a buffer overrun can occur.
+
+CVE-2021-3711
+
+Issue reported by John Ouyang.
+
+Reviewed-by: Paul Dale
+Reviewed-by: Nicola Tuveri
+
+Reference: https://github.com/openssl/openssl/commit/59f5e75f3bced8fc0e130d72a3f582cf7b480b46
+Conflict: NA
+---
+ crypto/sm2/sm2_crypt.c | 23 +++++++----------------
+ crypto/sm2/sm2_pmeth.c | 2 +-
+ include/crypto/sm2.h | 3 +--
+ test/sm2_internal_test.c | 2 +-
+ 4 files changed, 10 insertions(+), 20 deletions(-)
+
+diff --git a/crypto/sm2/sm2_crypt.c b/crypto/sm2/sm2_crypt.c
+index ef505f6441..1188abfc6b 100644
+--- a/crypto/sm2/sm2_crypt.c
++++ b/crypto/sm2/sm2_crypt.c
+@@ -61,29 +61,20 @@ static size_t ec_field_size(const EC_GROUP *group)
+ return field_size;
+ }
+
+-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
+- size_t *pt_size)
++int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size)
+ {
+- const size_t field_size = ec_field_size(EC_KEY_get0_group(key));
+- const int md_size = EVP_MD_size(digest);
+- size_t overhead;
++ struct SM2_Ciphertext_st *sm2_ctext = NULL;
+
+- if (md_size < 0) {
+- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_DIGEST);
+- return 0;
+- }
+- if (field_size == 0) {
+- SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_FIELD);
+- return 0;
+- }
++ sm2_ctext = d2i_SM2_Ciphertext(NULL, &ct, ct_size);
+
+- overhead = 10 + 2 * field_size + (size_t)md_size;
+- if (msg_len <= overhead) {
++ if (sm2_ctext == NULL) {
+ SM2err(SM2_F_SM2_PLAINTEXT_SIZE, SM2_R_INVALID_ENCODING);
+ return 0;
+ }
+
+- *pt_size = msg_len - overhead;
++ *pt_size = sm2_ctext->C2->length;
++ SM2_Ciphertext_free(sm2_ctext);
++
+ return 1;
+ }
+
+diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
+index b42a14c32f..27025fbf3a 100644
+--- a/crypto/sm2/sm2_pmeth.c
++++ b/crypto/sm2/sm2_pmeth.c
+@@ -151,7 +151,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx,
+ const EVP_MD *md = (dctx->md == NULL) ? 
EVP_sm3() : dctx->md;
+
+ if (out == NULL) {
+- if (!sm2_plaintext_size(ec, md, inlen, outlen))
++ if (!sm2_plaintext_size(in, inlen, outlen))
+ return -1;
+ else
+ return 1;
+diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h
+index 76ee80baff..50851a83ce 100644
+--- a/include/crypto/sm2.h
++++ b/include/crypto/sm2.h
+@@ -60,8 +60,7 @@ int sm2_verify(const unsigned char *dgst, int dgstlen,
+ int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
+ size_t *ct_size);
+
+-int sm2_plaintext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
+- size_t *pt_size);
++int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size);
+
+ int sm2_encrypt(const EC_KEY *key,
+ const EVP_MD *digest,
+diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
+index 2bb73947ff..41827bb82f 100644
+--- a/test/sm2_internal_test.c
++++ b/test/sm2_internal_test.c
+@@ -185,7 +185,7 @@ static int test_sm2_crypt(const EC_GROUP *group,
+ if (!TEST_mem_eq(ctext, ctext_len, expected, ctext_len))
+ goto done;
+
+- if (!TEST_true(sm2_plaintext_size(key, digest, ctext_len, &ptext_len))
++ if (!TEST_true(sm2_plaintext_size(ctext, ctext_len, &ptext_len))
+ || !TEST_int_eq(ptext_len, msg_len))
+ goto done;
+
+--
+2.23.0
+
diff --git a/CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch b/CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fda5a457021d5ba0fda1e49610c8223f4f4403b7
--- /dev/null
+++ b/CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch
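Review bot: In the rewritten sm2_plaintext_size, `ct_size` is a `size_t` but is passed straight to `d2i_SM2_Ciphertext`, whose length parameter is a `long`, so a value above LONG_MAX is narrowed implicitly; a guard such as `if (ct_size > LONG_MAX)` that reports the existing SM2_R_INVALID_ENCODING error before the call would make the limit explicit. The function also accepts input with bytes left over after the DER structure, because the advanced `ct` pointer is never compared with the end of the buffer; whether sm2_decrypt treats the same input the same way cannot be seen from here. The returned size now comes from `C2->length` of the parsed, untrusted ciphertext, so the bound check that the companion patch adds to sm2_decrypt is what actually protects the output buffer.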
@@ -0,0 +1,42 @@
+From 733fa41c3fc4bcac37f94aa917f7242420f8a5a6 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 13 Aug 2021 14:49:47 +0100
+Subject: [PATCH] Extend tests for SM2 decryption
+
+Check the case where C1y < 32 bytes in length (i.e. short overhead), and
+also the case with longer plaintext and C1x and C1y > 32 bytes in length
+(i.e. long overhead)
+
+Reviewed-by: Paul Dale
+Reviewed-by: Nicola Tuveri
+
+Reference: https://github.com/openssl/openssl/commit/733fa41c3fc4bcac37f94aa917f7242420f8a5a6
+Conflict: NA
+---
+ test/recipes/30-test_evp_data/evppkey.txt | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt
+index 736e0ce4d3..c3947cb000 100644
+--- a/test/recipes/30-test_evp_data/evppkey.txt
++++ b/test/recipes/30-test_evp_data/evppkey.txt
+@@ -18444,6 +18444,16 @@ Decrypt = SM2_key1
+ Input = 30818A0220466BE2EF5C11782EC77864A0055417F407A5AFC11D653C6BCE69E417BB1D05B6022062B572E21FF0DDF5C726BD3F9FF2EAE56E6294713A607E9B9525628965F62CC804203C1B5713B5DB2728EB7BF775E44F4689FC32668BDC564F52EA45B09E8DF2A5F40422084A9D0CC2997092B7D3C404FCE95956EB604D732B2307A8E5B8900ED6608CA5B197
+ Output = "The floofy bunnies hop at midnight"
+
++# Test with an C1y value < 32 bytes in length (self generated)
++Decrypt = SM2_key1
++Input = 3072022070DAD60CDA7C30D64CF4F278A849003581223F5324BFEC9BB329229BFFAD21A6021F18AFAB2B35459D2643243B242BE4EA80C6FA5071D2D847340CC57EB9309E5D04200B772E4DB664B2601E3B85E39C4AA8C2C1910308BE13B331E009C5A9258C29FD040B6D588BE9260A94DA18E0E6
++Output = "Hello World"
++
++# Test with an C1x and C1y valuey > 32 bytes in length, and longer plaintext (self generated)
++Decrypt = SM2_key1
++Input = 
3081DD022100CD49634BBCB21CAFFFA6D33669A5A867231CB2A942A14352EF4CAF6DC3344D54022100C35B41D4DEBB3A2735EFEE821B9EBA566BD86900176A0C06672E30EE5CC04E930420C4190A3D80D86C4BD20E99F7E4B59BF6427C6808793533EEA9591D1188EC56B50473747295470E81D951BED279AC1B86A1AFE388CD2833FA9632799EC199C7D364E5663D5A94888BB2358CFCBF6283184DE0CBC41CCEA91D24746E99D231A1DA77AFD83CDF908190ED628B7369724494568A27C782A1D1D7294BCAD80C34569ED22859896301128A8118F48924D8CCD43E998D9533
++Output = "Some longer plaintext for testing SM2 decryption. Blah blah blah blah blah blah blah blah blah blah blah blah blah."
++
+ # This is a "fake" test as it does only verify that the SM2 EVP_PKEY interface
+ # is capable of creating a signature without failing, but it does not say
+ # anything about the generated signature being valid, nor does it test the
+--
+2.23.0
+
diff --git a/CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch b/CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dc9c75781a684bc2679570e4891de489b33018ea
--- /dev/null
+++ b/CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch
@@ -0,0 +1,63 @@
+From d9d838ddc0ed083fb4c26dd067e71aad7c65ad16 Mon Sep 17 00:00:00 2001
+From: Ingo Schwarze
+Date: Sun, 18 Jul 2021 17:48:06 +0200
+Subject: [PATCH] Fix a read buffer overrun in X509_aux_print().
+
+The ASN1_STRING_get0_data(3) manual explitely cautions the reader
+that the data is not necessarily NUL-terminated, and the function
+X509_alias_set1(3) does not sanitize the data passed into it in any
+way either, so we must assume the return value from X509_alias_get0(3)
+is merely a byte array and not necessarily a string in the sense
+of the C language.
+
+I found this bug while writing manual pages for X509_print_ex(3)
+and related functions. Theo Buehler checked my
+patch to fix the same bug in LibreSSL, see
+
+http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9
+
+As an aside, note that the function still produces incomplete and
+misleading results when the data contains a NUL byte in the middle
+and that error handling is consistently absent throughout, even
+though the function provides an "int" return value obviously intended
+to be 1 for success and 0 for failure, and even though this function
+is called by another function that also wants to return 1 for success
+and 0 for failure and even does so in many of its code paths, though
+not in others. But let's stay focussed. Many things would be nice
+to have in the wide wild world, but a buffer overflow must not be
+allowed to remain in our backyard.
+
+CLA: trivial
+
+Reviewed-by: Tim Hudson
+Reviewed-by: Paul Dale
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/16108)
+
+(cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67)
+
+Reference: https://github.com/openssl/openssl/commit/d9d838ddc0ed083fb4c26dd067e71aad7c65ad16
+Conflict: NA
+---
+ crypto/x509/t_x509.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
+index 12d807f705..3ba0b3a045 100644
+--- a/crypto/x509/t_x509.c
++++ b/crypto/x509/t_x509.c
+@@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, int indent)
+ BIO_puts(out, "\n");
+ } else
+ BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+- alias = X509_alias_get0(x, NULL);
++ alias = X509_alias_get0(x, &i);
+ if (alias)
+- BIO_printf(out, "%*sAlias: %s\n", indent, "", alias);
++ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias);
+ keyid = X509_keyid_get0(x, &keyidlen);
+ if (keyid) {
+ BIO_printf(out, "%*sKey Id: ", indent, "");
+--
+2.23.0
+
diff --git a/CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch b/CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bb770f1045161a30022219c85637b44d1a032cb9
--- /dev/null
+++ b/CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch
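Review bot: `%.*s` now bounds the read, but the alias bytes are still written verbatim, so an alias taken from an untrusted certificate can put control characters into the printed output, and as the description says it is cut at the first NUL. I would record that above the `X509_alias_get0` call with a comment such as `/* alias is a raw byte array: not NUL-terminated, may contain non-printable bytes */`. The length is stored in `i`, which is declared outside the hunk and is presumably the counter used by the earlier loops, while the key id on the next line has its own `keyidlen`; a dedicated `int aliaslen` would read better and rule out accidental reuse. X509_aux_print starts and ends outside the hunk.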
@@ -0,0 +1,38 @@
+From 94d23fcff9b2a7a8368dfe52214d5c2569882c11 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Thu, 19 Aug 2021 12:24:17 +0100
+Subject: [PATCH] Fix EC_GROUP_new_from_ecparameters to check the base length
+
+Check that there's at least one byte in params->base before trying to
+read it.
+
+CVE-2021-3712
+
+Reviewed-by: Viktor Dukhovni
+Reviewed-by: Paul Dale
+
+Reference: https://github.com/openssl/openssl/commit/94d23fcff9b2a7a8368dfe52214d5c2569882c11
+Conflict: NA
+---
+ crypto/ec/ec_asn1.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
+index 7b7c75ce84..e497a25909 100644
+--- a/crypto/ec/ec_asn1.c
++++ b/crypto/ec/ec_asn1.c
+@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
+ ret->seed_len = params->curve->seed->length;
+ }
+
+- if (!params->order || !params->base || !params->base->data) {
++ if (params->order == NULL
++ || params->base == NULL
++ || params->base->data == NULL
++ || params->base->length == 0) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
+ goto err;
+ }
+--
+2.23.0
+
diff --git a/openssl.spec b/openssl.spec
index 6addfa7d9a61d0f58b49bc3cd0d164e0792c2d6f..b18167648ff16fe24558d09baec5554cbb362cda 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@
 Name: openssl
 Epoch: 1
 Version: 1.1.1f
-Release: 10
+Release: 11
 Summary: Cryptography and SSL/TLS Toolkit
 License: OpenSSL and SSLeay and GPLv2+
 URL: https://www.openssl.org/
@@ -82,6 +82,11 @@ Patch71: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invali Patch72: CVE-2021-23840.patch Patch73: CVE-2021-23841.patch Patch74: CVE-2021-3449.patch +Patch75: CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch +Patch76: CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch +Patch77: CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch +Patch78: CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch +Patch79: CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -258,6 +263,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Mon Aug 30 2021 openEuler Buildteam - 1:1.1.1f-11 +- fix CVE-2021-3711 and CVE-2021-3712 + * Wed Apr 7 2021 openEuler Buildteam - 1:1.1.1f-10 - fix CVE-2021-3449
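Review bot: Patch75 and Patch76 are numbered in the reverse of their upstream order: for crypto/sm2/sm2_crypt.c the `index` line of the 0002 patch ends at blob 1188abfc6b, which is the blob the 0001 patch starts from. The two hunks touch different parts of that file, so 0001 should still apply first with a line offset, but swapping the two entries (or renumbering the files) would keep the series applying exactly as upstream committed it. The header of the last hunk shows `make test || :`, so a failure of the new SM2 vectors from Patch77 would not stop the build. Separately, only two patches carry the CVE-2021-3712 name; if upstream fixed that CVE at more call sites than X509_aux_print and EC_GROUP_new_from_ecparameters, it is worth checking the upstream release that none of the others apply to this 1.1.1f tree before the changelog states the CVE is fixed.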