diff -Nru openssl-1.0.2g/debian/changelog openssl-1.0.2g/debian/changelog --- openssl-1.0.2g/debian/changelog 2017-05-19 08:27:58.000000000 +0000 +++ openssl-1.0.2g/debian/changelog 2021-06-28 13:05:36.000000000 +0000 @@ -1,3 +1,179 @@ +openssl (1.0.2g-1ubuntu4.20) xenial-security; urgency=medium + + * Enable X509_V_FLAG_TRUSTED_FIRST by default, such that letsencrypt + connection with the default chain remains trusted even after the + expiry of the redundant CA certificate. LP: #1928989 + + -- Dimitri John Ledkov Mon, 28 Jun 2021 14:05:36 +0100 + +openssl (1.0.2g-1ubuntu4.19) xenial-security; urgency=medium + + * SECURITY UPDATE: Integer overflow in CipherUpdate + - debian/patches/CVE-2021-23840-pre1.patch: add new EVP error codes in + crypto/evp/evp_err.c, crypto/evp/evp.h. + - debian/patches/CVE-2021-23840-pre2.patch: add a new EVP error code in + crypto/evp/evp_err.c, crypto/evp/evp.h. + - debian/patches/CVE-2021-23840.patch: don't overflow the output length + in EVP_CipherUpdate calls in crypto/evp/evp_enc.c, + crypto/evp/evp_err.c, crypto/evp/evp.h. + - CVE-2021-23840 + * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash() + - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in + crypto/x509/x509_cmp.c. + - CVE-2021-23841 + + -- Marc Deslauriers Wed, 17 Feb 2021 08:14:40 -0500 + +openssl (1.0.2g-1ubuntu4.18) xenial-security; urgency=medium + + * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref + - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for + DirectoryString in crypto/x509v3/v3_genn.c. + - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName + in crypto/x509v3/v3_genn.c. + - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE + types don't use implicit tagging in crypto/asn1/asn1_err.c, + crypto/asn1/tasn_dec.c, crypto/asn1/asn1.h. + - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting + to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, + crypto/asn1/tasn_enc.c, crypto/asn1/asn1.h. + - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp + in crypto/x509v3/v3nametest.c. + - CVE-2020-1971 + + -- Marc Deslauriers Wed, 02 Dec 2020 10:43:58 -0500 + +openssl (1.0.2g-1ubuntu4.17) xenial-security; urgency=medium + + * SECURITY UPDATE: Raccoon Attack + - debian/patches/CVE-2020-1968.patch: disable ciphers that reuse the + DH secret across multiple TLS connections in ssl/s3_lib.c. + - CVE-2020-1968 + + -- Marc Deslauriers Tue, 15 Sep 2020 14:13:51 -0400 + +openssl (1.0.2g-1ubuntu4.16) xenial-security; urgency=medium + + * SECURITY UPDATE: ECDSA remote timing attack + - debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or + zero cofactor, compute it in crypto/ec/ec.h, crypto/ec/ec_err.c, + crypto/ec/ec_lib.c. + - CVE-2019-1547 + * SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64 + - debian/patches/CVE-2019-1551.patch: fix an overflow bug in + rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl. + - CVE-2019-1551 + * SECURITY UPDATE: Padding Oracle issue + - debian/patches/CVE-2019-1563.patch: fix a padding oracle in + PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c, + crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c, + crypto/pkcs7/pk7_doit.c. + - CVE-2019-1563 + + -- Marc Deslauriers Wed, 27 May 2020 15:17:49 -0400 + +openssl (1.0.2g-1ubuntu4.15) xenial-security; urgency=medium + + * SECURITY UPDATE: 0-byte record padding oracle + - debian/patches/CVE-2019-1559.patch: go into the error state if a + fatal alert is sent or received in ssl/d1_pkt.c, ssl/s3_pkt.c. + - CVE-2019-1559 + + -- Marc Deslauriers Tue, 26 Feb 2019 13:16:01 -0500 + +openssl (1.0.2g-1ubuntu4.14) xenial-security; urgency=medium + + * SECURITY UPDATE: PortSmash side channel attack + - debian/patches/CVE-2018-5407.patch: fix timing vulnerability in + crypto/bn/bn_lib.c, crypto/ec/ec_mult.c. + - CVE-2018-5407 + * SECURITY UPDATE: timing side channel attack in DSA + - debian/patches/CVE-2018-0734-pre1.patch: address a timing side + channel in crypto/dsa/dsa_ossl.c. + - debian/patches/CVE-2018-0734-1.patch: fix timing vulnerability in + crypto/dsa/dsa_ossl.c. + - debian/patches/CVE-2018-0734-2.patch: fix mod inverse in + crypto/dsa/dsa_ossl.c. + - debian/patches/CVE-2018-0734-3.patch: add a constant time flag in + crypto/dsa/dsa_ossl.c. + - CVE-2018-0734 + + -- Marc Deslauriers Tue, 04 Dec 2018 08:38:18 -0500 + +openssl (1.0.2g-1ubuntu4.13) xenial-security; urgency=medium + + * SECURITY UPDATE: ECDSA key extraction side channel + - debian/patches/CVE-2018-0495.patch: add blinding to an ECDSA + signature in crypto/ecdsa/ecdsatest.c, crypto/ecdsa/ecs_ossl.c. + - CVE-2018-0495 + * SECURITY UPDATE: denial of service via long prime values + - debian/patches/CVE-2018-0732.patch: reject excessively large primes + in DH key generation in crypto/dh/dh_key.c. + - CVE-2018-0732 + * SECURITY UPDATE: RSA cache timing side channel attack + (previous update was incomplete) + - debian/patches/CVE-2018-0737-1.patch: replaced variable-time GCD in + crypto/rsa/rsa_gen.c. + - debian/patches/CVE-2018-0737-2.patch: used ERR set/pop mark in + crypto/rsa/rsa_gen.c. + - debian/patches/CVE-2018-0737-3.patch: consttime flag changed in + crypto/rsa/rsa_gen.c. + - debian/patches/CVE-2018-0737-4.patch: ensure BN_mod_inverse and + BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set in + crypto/rsa/rsa_gen.c. + - CVE-2018-0737 + + -- Marc Deslauriers Wed, 20 Jun 2018 07:38:22 -0400 + +openssl (1.0.2g-1ubuntu4.12) xenial-security; urgency=medium + + * SECURITY UPDATE: Cache timing side channel + - debian/patches/CVE-2018-0737.patch: ensure BN_mod_inverse + and BN_mod_exp_mont get called with BN_FLG_CONSTTIME flag set + in crypto/rsa/rsa_gen.c. + - CVE-2018-0737 + + -- Leonidas S. Barbosa Wed, 18 Apr 2018 15:35:17 -0300 + +openssl (1.0.2g-1ubuntu4.11) xenial-security; urgency=medium + + * SECURITY UPDATE: DoS via ASN.1 types with a recursive definition + - debian/patches/CVE-2018-0739.patch: limit stack depth in + crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c. + - CVE-2018-0739 + + -- Marc Deslauriers Tue, 27 Mar 2018 14:18:33 -0400 + +openssl (1.0.2g-1ubuntu4.10) xenial-security; urgency=medium + + * SECURITY UPDATE: Read/write after SSL object in error state + - debian/patches/CVE-2017-3737-pre.patch: add test/ssltestlib.*, + add to test/Makefile. + - debian/patches/CVE-2017-3737-1.patch: don't allow read/write after + fatal error in ssl/ssl.h. + - debian/patches/CVE-2017-3737-2.patch: add test to ssl/Makefile, + ssl/fatalerrtest.c, test/Makefile. + - CVE-2017-3737 + * SECURITY UPDATE: rsaz_1024_mul_avx2 overflow bug on x86_64 + - debian/patches/CVE-2017-3738.patch: fix digit correction bug in + crypto/bn/asm/rsaz-avx2.pl. + - CVE-2017-3738 + + -- Marc Deslauriers Thu, 07 Dec 2017 13:17:37 -0500 + +openssl (1.0.2g-1ubuntu4.9) xenial-security; urgency=medium + + * SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read + - debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in + crypto/x509v3/v3_addr.c. + - CVE-2017-3735 + * SECURITY UPDATE: bn_sqrx8x_internal carry bug on x86_64 + - debian/patches/CVE-2017-3736.patch: fix carry bug in + bn_sqrx8x_internal in crypto/bn/asm/x86_64-mont5.pl. + - CVE-2017-3736 + + -- Marc Deslauriers Thu, 02 Nov 2017 11:28:46 -0400 + openssl (1.0.2g-1ubuntu4.8) xenial; urgency=medium * aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths. diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3735.patch openssl-1.0.2g/debian/patches/CVE-2017-3735.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3735.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3735.patch 2017-11-02 15:28:38.000000000 +0000 @@ -0,0 +1,39 @@ +From 31c8b265591a0aaa462a1f3eb5770661aaac67db Mon Sep 17 00:00:00 2001 +From: Rich Salz +Date: Tue, 22 Aug 2017 11:44:41 -0400 +Subject: [PATCH] Avoid out-of-bounds read + +Fixes CVE 2017-3735 + +Reviewed-by: Kurt Roeckx +(Merged from https://github.com/openssl/openssl/pull/4276) + +(cherry picked from commit b23171744b01e473ebbfd6edad70c1c3825ffbcd) +--- + crypto/x509v3/v3_addr.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c +index 1290dec..af080a0 100644 +--- a/crypto/x509v3/v3_addr.c ++++ b/crypto/x509v3/v3_addr.c +@@ -130,10 +130,12 @@ static int length_from_afi(const unsigned afi) + */ + unsigned int v3_addr_get_afi(const IPAddressFamily *f) + { +- return ((f != NULL && +- f->addressFamily != NULL && f->addressFamily->data != NULL) +- ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) +- : 0); ++ if (f == NULL ++ || f->addressFamily == NULL ++ || f->addressFamily->data == NULL ++ || f->addressFamily->length < 2) ++ return 0; ++ return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; + } + + /* +-- +2.7.4 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3736.patch openssl-1.0.2g/debian/patches/CVE-2017-3736.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3736.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3736.patch 2017-11-02 15:28:42.000000000 +0000 @@ -0,0 +1,40 @@ +From 38d600147331d36e74174ebbd4008b63188b321b Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Thu, 17 Aug 2017 21:08:57 +0200 +Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal. + +Credit to OSS-Fuzz for finding this. + +CVE-2017-3736 + +Reviewed-by: Rich Salz +--- + crypto/bn/asm/x86_64-mont5.pl | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +Index: openssl-1.0.2g/crypto/bn/asm/x86_64-mont5.pl +=================================================================== +--- openssl-1.0.2g.orig/crypto/bn/asm/x86_64-mont5.pl 2017-11-02 11:22:37.839716578 -0400 ++++ openssl-1.0.2g/crypto/bn/asm/x86_64-mont5.pl 2017-11-02 11:22:37.839716578 -0400 +@@ -2977,11 +2977,19 @@ $code.=<<___; + + .align 32 + .Lsqrx8x_break: +- sub 16+8(%rsp),%r8 # consume last carry ++ xor $zero,$zero ++ sub 16+8(%rsp),%rbx # mov 16(%rsp),%cf ++ adcx $zero,%r8 + mov 24+8(%rsp),$carry # initial $tptr, borrow $carry ++ adcx $zero,%r9 + mov 0*8($aptr),%rdx # a[8], modulo-scheduled +- xor %ebp,%ebp # xor $zero,$zero ++ adc \$0,%r10 + mov %r8,0*8($tptr) ++ adc \$0,%r11 ++ adc \$0,%r12 ++ adc \$0,%r13 ++ adc \$0,%r14 ++ adc \$0,%r15 + cmp $carry,$tptr # cf=0, of=0 + je .Lsqrx8x_outer_loop + diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3737-1.patch openssl-1.0.2g/debian/patches/CVE-2017-3737-1.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3737-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3737-1.patch 2017-12-07 18:17:22.000000000 +0000 @@ -0,0 +1,47 @@ +From 898fb884b706aaeb283de4812340bb0bde8476dc Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 29 Nov 2017 14:04:01 +0000 +Subject: [PATCH] Don't allow read/write after fatal error + +OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" +mechanism. The intent was that if a fatal error occurred during a handshake +then OpenSSL would move into the error state and would immediately fail if +you attempted to continue the handshake. This works as designed for the +explicit handshake functions (SSL_do_handshake(), SSL_accept() and +SSL_connect()), however due to a bug it does not work correctly if +SSL_read() or SSL_write() is called directly. In that scenario, if the +handshake fails then a fatal error will be returned in the initial function +call. If SSL_read()/SSL_write() is subsequently called by the application +for the same SSL object then it will succeed and the data is passed without +being decrypted/encrypted directly from the SSL/TLS record layer. + +In order to exploit this issue an attacker would have to trick an +application into behaving incorrectly by issuing an SSL_read()/SSL_write() +after having already received a fatal error. + +Thanks to David Benjamin (Google) for reporting this issue and suggesting +this fix. + +CVE-2017-3737 + +Reviewed-by: Rich Salz +--- + ssl/ssl.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/ssl.h b/ssl/ssl.h +index 90aeb0c..3cf96a2 100644 +--- a/ssl/ssl.h ++++ b/ssl/ssl.h +@@ -1727,7 +1727,7 @@ extern "C" { + # define SSL_ST_BEFORE 0x4000 + # define SSL_ST_OK 0x03 + # define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT) +-# define SSL_ST_ERR 0x05 ++# define SSL_ST_ERR (0x05|SSL_ST_INIT) + + # define SSL_CB_LOOP 0x01 + # define SSL_CB_EXIT 0x02 +-- +2.7.4 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3737-2.patch openssl-1.0.2g/debian/patches/CVE-2017-3737-2.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3737-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3737-2.patch 2017-12-07 19:15:12.000000000 +0000 @@ -0,0 +1,242 @@ +Backport of: + +From c7383fb5f21aa3451f76bb98bdd5a96b070a2c47 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 29 Nov 2017 13:56:15 +0000 +Subject: [PATCH] Add a test for CVE-2017-3737 + +Test reading/writing to an SSL object after a fatal error has been +detected. + +Reviewed-by: Rich Salz +--- + ssl/Makefile | 3 +- + ssl/fatalerrtest.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + test/Makefile | 35 +++++++++++++++-- + 3 files changed, 142 insertions(+), 5 deletions(-) + create mode 100644 ssl/fatalerrtest.c + +Index: openssl-1.0.2g/ssl/Makefile +=================================================================== +--- openssl-1.0.2g.orig/ssl/Makefile 2017-12-07 14:14:46.757872550 -0500 ++++ openssl-1.0.2g/ssl/Makefile 2017-12-07 14:14:46.757872550 -0500 +@@ -15,7 +15,8 @@ KRB5_INCLUDES= + CFLAGS= $(INCLUDES) $(CFLAG) + + GENERAL=Makefile README ssl-lib.com install.com +-TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c ++TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c \ ++ fatalerrtest.c + APPS= + + LIB=$(TOP)/libssl.a +Index: openssl-1.0.2g/ssl/fatalerrtest.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.2g/ssl/fatalerrtest.c 2017-12-07 14:14:46.757872550 -0500 +@@ -0,0 +1,109 @@ ++/* ++ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include "ssltestlib.h" ++ ++int main(int argc, char *argv[]) ++{ ++ SSL_CTX *sctx, *cctx; ++ SSL *sssl, *cssl; ++ const char *msg = "Dummy"; ++ BIO *err = NULL, *wbio = NULL; ++ int ret = 1, len; ++ char buf[80]; ++ unsigned char dummyrec[] = { ++ 0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y' ++ }; ++ ++ if (argc != 3) { ++ printf("Incorrect number of parameters\n"); ++ return 1; ++ } ++ ++ SSL_library_init(); ++ SSL_load_error_strings(); ++ err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); ++ CRYPTO_malloc_debug_init(); ++ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); ++ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ++ ++ if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(), &sctx, &cctx, ++ argv[1], argv[2])) { ++ printf("Failed to create SSL_CTX pair\n"); ++ goto err; ++ } ++ ++ /* ++ * Deliberately set the cipher lists for client and server to be different ++ * to force a handshake failure. ++ */ ++ if (!SSL_CTX_set_cipher_list(sctx, "AES128-SHA") ++ || !SSL_CTX_set_cipher_list(cctx, "AES256-SHA")) { ++ printf("Failed to set cipher lists\n"); ++ goto err; ++ } ++ ++ if (!create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL)) { ++ printf("Failed to create SSL objectx\n"); ++ goto err; ++ } ++ ++ wbio = SSL_get_wbio(cssl); ++ if (wbio == NULL) { ++ printf("Unexpected NULL bio received\n"); ++ goto err; ++ } ++ ++ if (create_ssl_connection(sssl, cssl)) { ++ printf("Unexpected success creating a connection\n"); ++ goto err; ++ } ++ ++ ERR_clear_error(); ++ ++ /* Inject a plaintext record from client to server */ ++ if (BIO_write(wbio, dummyrec, sizeof(dummyrec)) <= 0) { ++ printf("Unexpected failure injecting dummy record\n"); ++ goto err; ++ } ++ ++ /* SSL_read()/SSL_write should fail because of a previous fatal error */ ++ if ((len = SSL_read(sssl, buf, sizeof(buf - 1))) > 0) { ++ buf[len] = '\0'; ++ printf("Unexpected success reading data: %s\n", buf); ++ goto err; ++ } ++ if (SSL_write(sssl, msg, strlen(msg)) > 0) { ++ printf("Unexpected success writing data\n"); ++ goto err; ++ } ++ ++ ret = 0; ++ err: ++ SSL_free(sssl); ++ SSL_free(cssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ ERR_print_errors_fp(stderr); ++ ++ if (ret) { ++ printf("Fatal err test: FAILED\n"); ++ } ++ ++ ERR_free_strings(); ++ ERR_remove_thread_state(NULL); ++ EVP_cleanup(); ++ CRYPTO_cleanup_all_ex_data(); ++ CRYPTO_mem_leaks(err); ++ BIO_free(err); ++ ++ return ret; ++} +Index: openssl-1.0.2g/test/Makefile +=================================================================== +--- openssl-1.0.2g.orig/test/Makefile 2017-12-07 14:14:46.757872550 -0500 ++++ openssl-1.0.2g/test/Makefile 2017-12-07 14:15:01.518055205 -0500 +@@ -71,6 +71,7 @@ CONSTTIMETEST= constant_time_test + VERIFYEXTRATEST= verify_extra_test + CLIENTHELLOTEST= clienthellotest + SSLV2CONFTEST = sslv2conftest ++FATALERRTEST = fatalerrtest + + TESTS= alltests + +@@ -84,7 +85,7 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_ + $(EVPTEST)$(EXE_EXT) $(EVPEXTRATEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \ + $(ASN1TEST)$(EXE_EXT) $(V3NAMETEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) \ + $(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \ +- $(CLIENTHELLOTEST)$(EXE_EXT) $(SSLV2CONFTEST)$(EXE_EXT) ++ $(CLIENTHELLOTEST)$(EXE_EXT) $(SSLV2CONFTEST)$(EXE_EXT) $(FATALERRTEST)$(EXE_EXT) + + # $(METHTEST)$(EXE_EXT) + +@@ -98,7 +99,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATES + $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ + $(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(V3NAMETEST).o \ + $(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o \ +- $(CLIENTHELLOTEST).o $(SSLV2CONFTEST).o ssltestlib.o ++ $(CLIENTHELLOTEST).o $(SSLV2CONFTEST).o ssltestlib.o $(FATALERRTEST).o + + SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ + $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ +@@ -109,7 +110,7 @@ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATES + $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ + $(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \ + $(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c \ +- $(CLIENTHELLOTEST).c $(SSLV2CONFTEST).c ssltestlib.c ++ $(CLIENTHELLOTEST).c $(SSLV2CONFTEST).c ssltestlib.c $(FATALERRTEST).c + + EXHEADER= + HEADER= testutil.h ssltestlib.h $(EXHEADER) +@@ -153,7 +154,8 @@ alltests: \ + test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ + test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \ + test_jpake test_srp test_cms test_ocsp test_v3name test_heartbeat \ +- test_constant_time test_verify_extra test_clienthello test_sslv2conftest ++ test_constant_time test_verify_extra test_clienthello test_sslv2conftest \ ++ test_fatalerr + + test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt + ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt +@@ -362,6 +364,10 @@ test_clienthello: $(CLIENTHELLOTEST)$(EX + @echo $(START) $@ + ../util/shlib_wrap.sh ./$(CLIENTHELLOTEST) + ++test_fatalerr: $(FATALERRTEST)$(EXE_EXT) ++ @echo $(START) $@ ++ ../util/shlib_wrap.sh ./$(FATALERRTEST) ../apps/server.pem ../apps/server.pem ++ + test_sslv2conftest: $(SSLV2CONFTEST)$(EXE_EXT) + @echo $(START) $@ + ../util/shlib_wrap.sh ./$(SSLV2CONFTEST) +@@ -543,6 +549,9 @@ $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEX + $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o + @target=$(CLIENTHELLOTEST) $(BUILD_CMD) + ++$(FATALERRTEST)$(EXE_EXT): $(FATALERRTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO) ++ @target=$(FATALERRTEST); exobj=ssltestlib.o; $(BUILD_CMD) ++ + $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o + @target=$(SSLV2CONFTEST) $(BUILD_CMD) + +@@ -717,6 +726,25 @@ exptest.o: ../include/openssl/opensslcon + exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h + exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h + exptest.o: ../include/openssl/symhacks.h exptest.c ++fatalerrtest.o: ../include/openssl/asn1.h ../include/openssl/bio.h ++fatalerrtest.o: ../include/openssl/buffer.h ../include/openssl/comp.h ++fatalerrtest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h ++fatalerrtest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h ++fatalerrtest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h ++fatalerrtest.o: ../include/openssl/err.h ../include/openssl/evp.h ++fatalerrtest.o: ../include/openssl/hmac.h ../include/openssl/kssl.h ++fatalerrtest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h ++fatalerrtest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ++fatalerrtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ++fatalerrtest.o: ../include/openssl/pem.h ../include/openssl/pem2.h ++fatalerrtest.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h ++fatalerrtest.o: ../include/openssl/safestack.h ../include/openssl/sha.h ++fatalerrtest.o: ../include/openssl/srtp.h ../include/openssl/ssl.h ++fatalerrtest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ++fatalerrtest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ++fatalerrtest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ++fatalerrtest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ++fatalerrtest.o: fatalerrtest.c ssltestlib.h + heartbeat_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h + heartbeat_test.o: ../include/openssl/buffer.h ../include/openssl/comp.h + heartbeat_test.o: ../include/openssl/crypto.h ../include/openssl/dsa.h diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3737-pre.patch openssl-1.0.2g/debian/patches/CVE-2017-3737-pre.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3737-pre.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3737-pre.patch 2017-12-07 19:14:42.000000000 +0000 @@ -0,0 +1,809 @@ +From 48e8df6e399ec1bef53500457f16b54d798198d3 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 5 Jul 2016 11:36:10 +0100 +Subject: [PATCH] Back port ssltestlib code to 1.0.2 + +Enables the testing of DTLS code in 1.0.2 + +Reviewed-by: Richard Levitte +--- + .gitignore | 1 + + test/ssltestlib.c | 687 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + test/ssltestlib.h | 36 +++ + 3 files changed, 724 insertions(+) + create mode 100644 test/ssltestlib.c + create mode 100644 test/ssltestlib.h + +Index: openssl-1.0.2g/test/ssltestlib.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.2g/test/ssltestlib.c 2017-12-07 14:13:22.916839708 -0500 +@@ -0,0 +1,687 @@ ++/* ++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++ ++#include "ssltestlib.h" ++ ++#define SSL_IS_DTLS(s) (s->method->version == DTLS_ANY_VERSION \ ++ || s->method->version == DTLS1_2_VERSION \ ++ || s->method->version == DTLS1_VERSION) ++ ++static int tls_dump_new(BIO *bi); ++static int tls_dump_free(BIO *a); ++static int tls_dump_read(BIO *b, char *out, int outl); ++static int tls_dump_write(BIO *b, const char *in, int inl); ++static long tls_dump_ctrl(BIO *b, int cmd, long num, void *ptr); ++static int tls_dump_gets(BIO *bp, char *buf, int size); ++static int tls_dump_puts(BIO *bp, const char *str); ++ ++/* Choose a sufficiently large type likely to be unused for this custom BIO */ ++# define BIO_TYPE_TLS_DUMP_FILTER (0x80 | BIO_TYPE_FILTER) ++ ++# define BIO_TYPE_MEMPACKET_TEST 0x81 ++ ++static BIO_METHOD method_tls_dump = { ++ BIO_TYPE_TLS_DUMP_FILTER, ++ "TLS dump filter", ++ tls_dump_write, ++ tls_dump_read, ++ tls_dump_puts, ++ tls_dump_gets, ++ tls_dump_ctrl, ++ tls_dump_new, ++ tls_dump_free ++}; ++ ++BIO_METHOD *bio_f_tls_dump_filter(void) ++{ ++ return &method_tls_dump; ++} ++ ++static int tls_dump_new(BIO *bio) ++{ ++ bio->init = 1; ++ return 1; ++} ++ ++static int tls_dump_free(BIO *bio) ++{ ++ bio->init = 0; ++ ++ return 1; ++} ++ ++static void copy_flags(BIO *bio) ++{ ++ int flags; ++ BIO *next = BIO_next(bio); ++ ++ flags = BIO_test_flags(next, BIO_FLAGS_SHOULD_RETRY | BIO_FLAGS_RWS); ++ BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY | BIO_FLAGS_RWS); ++ BIO_set_flags(bio, flags); ++} ++ ++#define RECORD_CONTENT_TYPE 0 ++#define RECORD_VERSION_HI 1 ++#define RECORD_VERSION_LO 2 ++#define RECORD_EPOCH_HI 3 ++#define RECORD_EPOCH_LO 4 ++#define RECORD_SEQUENCE_START 5 ++#define RECORD_SEQUENCE_END 10 ++#define RECORD_LEN_HI 11 ++#define RECORD_LEN_LO 12 ++ ++#define MSG_TYPE 0 ++#define MSG_LEN_HI 1 ++#define MSG_LEN_MID 2 ++#define MSG_LEN_LO 3 ++#define MSG_SEQ_HI 4 ++#define MSG_SEQ_LO 5 ++#define MSG_FRAG_OFF_HI 6 ++#define MSG_FRAG_OFF_MID 7 ++#define MSG_FRAG_OFF_LO 8 ++#define MSG_FRAG_LEN_HI 9 ++#define MSG_FRAG_LEN_MID 10 ++#define MSG_FRAG_LEN_LO 11 ++ ++ ++static void dump_data(const char *data, int len) ++{ ++ int rem, i, content, reclen, msglen, fragoff, fraglen, epoch; ++ unsigned char *rec; ++ ++ printf("---- START OF PACKET ----\n"); ++ ++ rem = len; ++ rec = (unsigned char *)data; ++ ++ while (rem > 0) { ++ if (rem != len) ++ printf("*\n"); ++ printf("*---- START OF RECORD ----\n"); ++ if (rem < DTLS1_RT_HEADER_LENGTH) { ++ printf("*---- RECORD TRUNCATED ----\n"); ++ break; ++ } ++ content = rec[RECORD_CONTENT_TYPE]; ++ printf("** Record Content-type: %d\n", content); ++ printf("** Record Version: %02x%02x\n", ++ rec[RECORD_VERSION_HI], rec[RECORD_VERSION_LO]); ++ epoch = (rec[RECORD_EPOCH_HI] << 8) | rec[RECORD_EPOCH_LO]; ++ printf("** Record Epoch: %d\n", epoch); ++ printf("** Record Sequence: "); ++ for (i = RECORD_SEQUENCE_START; i <= RECORD_SEQUENCE_END; i++) ++ printf("%02x", rec[i]); ++ reclen = (rec[RECORD_LEN_HI] << 8) | rec[RECORD_LEN_LO]; ++ printf("\n** Record Length: %d\n", reclen); ++ ++ /* Now look at message */ ++ rec += DTLS1_RT_HEADER_LENGTH; ++ rem -= DTLS1_RT_HEADER_LENGTH; ++ if (content == SSL3_RT_HANDSHAKE) { ++ printf("**---- START OF HANDSHAKE MESSAGE FRAGMENT ----\n"); ++ if (epoch > 0) { ++ printf("**---- HANDSHAKE MESSAGE FRAGMENT ENCRYPTED ----\n"); ++ } else if (rem < DTLS1_HM_HEADER_LENGTH ++ || reclen < DTLS1_HM_HEADER_LENGTH) { ++ printf("**---- HANDSHAKE MESSAGE FRAGMENT TRUNCATED ----\n"); ++ } else { ++ printf("*** Message Type: %d\n", rec[MSG_TYPE]); ++ msglen = (rec[MSG_LEN_HI] << 16) | (rec[MSG_LEN_MID] << 8) ++ | rec[MSG_LEN_LO]; ++ printf("*** Message Length: %d\n", msglen); ++ printf("*** Message sequence: %d\n", ++ (rec[MSG_SEQ_HI] << 8) | rec[MSG_SEQ_LO]); ++ fragoff = (rec[MSG_FRAG_OFF_HI] << 16) ++ | (rec[MSG_FRAG_OFF_MID] << 8) ++ | rec[MSG_FRAG_OFF_LO]; ++ printf("*** Message Fragment offset: %d\n", fragoff); ++ fraglen = (rec[MSG_FRAG_LEN_HI] << 16) ++ | (rec[MSG_FRAG_LEN_MID] << 8) ++ | rec[MSG_FRAG_LEN_LO]; ++ printf("*** Message Fragment len: %d\n", fraglen); ++ if (fragoff + fraglen > msglen) ++ printf("***---- HANDSHAKE MESSAGE FRAGMENT INVALID ----\n"); ++ else if(reclen < fraglen) ++ printf("**---- HANDSHAKE MESSAGE FRAGMENT TRUNCATED ----\n"); ++ else ++ printf("**---- END OF HANDSHAKE MESSAGE FRAGMENT ----\n"); ++ } ++ } ++ if (rem < reclen) { ++ printf("*---- RECORD TRUNCATED ----\n"); ++ rem = 0; ++ } else { ++ rec += reclen; ++ rem -= reclen; ++ printf("*---- END OF RECORD ----\n"); ++ } ++ } ++ printf("---- END OF PACKET ----\n\n"); ++ fflush(stdout); ++} ++ ++static int tls_dump_read(BIO *bio, char *out, int outl) ++{ ++ int ret; ++ BIO *next = BIO_next(bio); ++ ++ ret = BIO_read(next, out, outl); ++ copy_flags(bio); ++ ++ if (ret > 0) { ++ dump_data(out, ret); ++ } ++ ++ return ret; ++} ++ ++static int tls_dump_write(BIO *bio, const char *in, int inl) ++{ ++ int ret; ++ BIO *next = BIO_next(bio); ++ ++ ret = BIO_write(next, in, inl); ++ copy_flags(bio); ++ ++ return ret; ++} ++ ++static long tls_dump_ctrl(BIO *bio, int cmd, long num, void *ptr) ++{ ++ long ret; ++ BIO *next = BIO_next(bio); ++ ++ if (next == NULL) ++ return 0; ++ ++ switch (cmd) { ++ case BIO_CTRL_DUP: ++ ret = 0L; ++ break; ++ default: ++ ret = BIO_ctrl(next, cmd, num, ptr); ++ break; ++ } ++ return ret; ++} ++ ++static int tls_dump_gets(BIO *bio, char *buf, int size) ++{ ++ /* We don't support this - not needed anyway */ ++ return -1; ++} ++ ++static int tls_dump_puts(BIO *bio, const char *str) ++{ ++ return tls_dump_write(bio, str, strlen(str)); ++} ++ ++ ++typedef struct mempacket_st { ++ unsigned char *data; ++ int len; ++ unsigned int num; ++ unsigned int type; ++} MEMPACKET; ++ ++/* ++ * These defines would normally be auto-generated and in safestack.h...but this ++ * is just for tests so its probably not an appropriate place ++ */ ++# define sk_MEMPACKET_new(cmp) SKM_sk_new(MEMPACKET, (cmp)) ++# define sk_MEMPACKET_new_null() SKM_sk_new_null(MEMPACKET) ++# define sk_MEMPACKET_free(st) SKM_sk_free(MEMPACKET, (st)) ++# define sk_MEMPACKET_num(st) SKM_sk_num(MEMPACKET, (st)) ++# define sk_MEMPACKET_value(st, i) SKM_sk_value(MEMPACKET, (st), (i)) ++# define sk_MEMPACKET_set(st, i, val) SKM_sk_set(MEMPACKET, (st), (i), (val)) ++# define sk_MEMPACKET_zero(st) SKM_sk_zero(MEMPACKET, (st)) ++# define sk_MEMPACKET_push(st, val) SKM_sk_push(MEMPACKET, (st), (val)) ++# define sk_MEMPACKET_unshift(st, val) SKM_sk_unshift(MEMPACKET, (st), (val)) ++# define sk_MEMPACKET_find(st, val) SKM_sk_find(MEMPACKET, (st), (val)) ++# define sk_MEMPACKET_find_ex(st, val) SKM_sk_find_ex(MEMPACKET, (st), (val)) ++# define sk_MEMPACKET_delete(st, i) SKM_sk_delete(MEMPACKET, (st), (i)) ++# define sk_MEMPACKET_delete_ptr(st, ptr) SKM_sk_delete_ptr(MEMPACKET, (st), (ptr)) ++# define sk_MEMPACKET_insert(st, val, i) SKM_sk_insert(MEMPACKET, (st), (val), (i)) ++# define sk_MEMPACKET_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MEMPACKET, (st), (cmp)) ++# define sk_MEMPACKET_dup(st) SKM_sk_dup(MEMPACKET, st) ++# define sk_MEMPACKET_pop_free(st, free_func) SKM_sk_pop_free(MEMPACKET, (st), (free_func)) ++# define sk_MEMPACKET_deep_copy(st, copy_func, free_func) SKM_sk_deep_copy(MEMPACKET, (st), (copy_func), (free_func)) ++# define sk_MEMPACKET_shift(st) SKM_sk_shift(MEMPACKET, (st)) ++# define sk_MEMPACKET_pop(st) SKM_sk_pop(MEMPACKET, (st)) ++# define sk_MEMPACKET_sort(st) SKM_sk_sort(MEMPACKET, (st)) ++# define sk_MEMPACKET_is_sorted(st) SKM_sk_is_sorted(MEMPACKET, (st)) ++ ++static void mempacket_free(MEMPACKET *pkt) ++{ ++ if (pkt->data != NULL) ++ OPENSSL_free(pkt->data); ++ OPENSSL_free(pkt); ++} ++ ++typedef struct mempacket_test_ctx_st { ++ STACK_OF(MEMPACKET) *pkts; ++ unsigned int epoch; ++ unsigned int currrec; ++ unsigned int currpkt; ++ unsigned int lastpkt; ++ unsigned int noinject; ++} MEMPACKET_TEST_CTX; ++ ++static int mempacket_test_new(BIO *bi); ++static int mempacket_test_free(BIO *a); ++static int mempacket_test_read(BIO *b, char *out, int outl); ++static int mempacket_test_write(BIO *b, const char *in, int inl); ++static long mempacket_test_ctrl(BIO *b, int cmd, long num, void *ptr); ++static int mempacket_test_gets(BIO *bp, char *buf, int size); ++static int mempacket_test_puts(BIO *bp, const char *str); ++ ++static BIO_METHOD method_mempacket_test = { ++ BIO_TYPE_MEMPACKET_TEST, ++ "Mem Packet Test", ++ mempacket_test_write, ++ mempacket_test_read, ++ mempacket_test_puts, ++ mempacket_test_gets, ++ mempacket_test_ctrl, ++ mempacket_test_new, ++ mempacket_test_free ++}; ++ ++BIO_METHOD *bio_s_mempacket_test(void) ++{ ++ return &method_mempacket_test; ++} ++ ++static int mempacket_test_new(BIO *bio) ++{ ++ MEMPACKET_TEST_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); ++ if (ctx == NULL) ++ return 0; ++ memset(ctx, 0, sizeof(*ctx)); ++ ++ ctx->pkts = sk_MEMPACKET_new_null(); ++ if (ctx->pkts == NULL) { ++ OPENSSL_free(ctx); ++ return 0; ++ } ++ bio->init = 1; ++ bio->ptr = ctx; ++ return 1; ++} ++ ++static int mempacket_test_free(BIO *bio) ++{ ++ MEMPACKET_TEST_CTX *ctx = bio->ptr; ++ ++ sk_MEMPACKET_pop_free(ctx->pkts, mempacket_free); ++ OPENSSL_free(ctx); ++ bio->ptr = NULL; ++ bio->init = 0; ++ ++ return 1; ++} ++ ++/* Record Header values */ ++#define EPOCH_HI 4 ++#define EPOCH_LO 5 ++#define RECORD_SEQUENCE 10 ++#define RECORD_LEN_HI 11 ++#define RECORD_LEN_LO 12 ++ ++#define STANDARD_PACKET 0 ++ ++static int mempacket_test_read(BIO *bio, char *out, int outl) ++{ ++ MEMPACKET_TEST_CTX *ctx = bio->ptr; ++ MEMPACKET *thispkt; ++ unsigned char *rec; ++ int rem; ++ unsigned int seq, offset, len, epoch; ++ ++ BIO_clear_retry_flags(bio); ++ ++ thispkt = sk_MEMPACKET_value(ctx->pkts, 0); ++ if (thispkt == NULL || thispkt->num != ctx->currpkt) { ++ /* Probably run out of data */ ++ BIO_set_retry_read(bio); ++ return -1; ++ } ++ sk_MEMPACKET_shift(ctx->pkts); ++ ctx->currpkt++; ++ ++ if (outl > thispkt->len) ++ outl = thispkt->len; ++ ++ if (thispkt->type != INJECT_PACKET_IGNORE_REC_SEQ) { ++ /* ++ * Overwrite the record sequence number. We strictly number them in ++ * the order received. Since we are actually a reliable transport ++ * we know that there won't be any re-ordering. We overwrite to deal ++ * with any packets that have been injected ++ */ ++ rem = thispkt->len; ++ rec = thispkt->data; ++ while (rem > 0) { ++ if (rem < DTLS1_RT_HEADER_LENGTH) { ++ return -1; ++ } ++ epoch = (rec[EPOCH_HI] << 8) | rec[EPOCH_LO]; ++ if (epoch != ctx->epoch) { ++ ctx->epoch = epoch; ++ ctx->currrec = 0; ++ } ++ seq = ctx->currrec; ++ offset = 0; ++ do { ++ rec[RECORD_SEQUENCE - offset] = seq & 0xFF; ++ seq >>= 8; ++ offset++; ++ } while (seq > 0); ++ ctx->currrec++; ++ ++ len = ((rec[RECORD_LEN_HI] << 8) | rec[RECORD_LEN_LO]) ++ + DTLS1_RT_HEADER_LENGTH; ++ ++ rec += len; ++ rem -= len; ++ } ++ } ++ ++ memcpy(out, thispkt->data, outl); ++ ++ mempacket_free(thispkt); ++ ++ return outl; ++} ++ ++int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, ++ int type) ++{ ++ MEMPACKET_TEST_CTX *ctx = bio->ptr; ++ MEMPACKET *thispkt, *looppkt, *nextpkt; ++ int i; ++ ++ if (ctx == NULL) ++ return -1; ++ ++ /* We only allow injection before we've started writing any data */ ++ if (pktnum >= 0) { ++ if (ctx->noinject) ++ return -1; ++ } else { ++ ctx->noinject = 1; ++ } ++ ++ thispkt = OPENSSL_malloc(sizeof(MEMPACKET)); ++ if (thispkt == NULL) ++ return -1; ++ ++ thispkt->data = OPENSSL_malloc(inl); ++ if (thispkt->data == NULL) { ++ mempacket_free(thispkt); ++ return -1; ++ } ++ ++ memcpy(thispkt->data, in, inl); ++ thispkt->len = inl; ++ thispkt->num = (pktnum >= 0) ? (unsigned int)pktnum : ctx->lastpkt; ++ thispkt->type = type; ++ ++ for(i = 0; (looppkt = sk_MEMPACKET_value(ctx->pkts, i)) != NULL; i++) { ++ /* Check if we found the right place to insert this packet */ ++ if (looppkt->num > thispkt->num) { ++ if (sk_MEMPACKET_insert(ctx->pkts, thispkt, i) == 0) { ++ mempacket_free(thispkt); ++ return -1; ++ } ++ /* If we're doing up front injection then we're done */ ++ if (pktnum >= 0) ++ return inl; ++ /* ++ * We need to do some accounting on lastpkt. We increment it first, ++ * but it might now equal the value of injected packets, so we need ++ * to skip over those ++ */ ++ ctx->lastpkt++; ++ do { ++ i++; ++ nextpkt = sk_MEMPACKET_value(ctx->pkts, i); ++ if (nextpkt != NULL && nextpkt->num == ctx->lastpkt) ++ ctx->lastpkt++; ++ else ++ return inl; ++ } while(1); ++ } else if(looppkt->num == thispkt->num) { ++ if (!ctx->noinject) { ++ /* We injected two packets with the same packet number! */ ++ return -1; ++ } ++ ctx->lastpkt++; ++ thispkt->num++; ++ } ++ } ++ /* ++ * We didn't find any packets with a packet number equal to or greater than ++ * this one, so we just add it onto the end ++ */ ++ if (!sk_MEMPACKET_push(ctx->pkts, thispkt)) { ++ mempacket_free(thispkt); ++ return -1; ++ } ++ ++ if (pktnum < 0) ++ ctx->lastpkt++; ++ ++ return inl; ++} ++ ++static int mempacket_test_write(BIO *bio, const char *in, int inl) ++{ ++ return mempacket_test_inject(bio, in, inl, -1, STANDARD_PACKET); ++} ++ ++static long mempacket_test_ctrl(BIO *bio, int cmd, long num, void *ptr) ++{ ++ long ret = 1; ++ MEMPACKET_TEST_CTX *ctx = bio->ptr; ++ MEMPACKET *thispkt; ++ ++ switch (cmd) { ++ case BIO_CTRL_EOF: ++ ret = (long)(sk_MEMPACKET_num(ctx->pkts) == 0); ++ break; ++ case BIO_CTRL_GET_CLOSE: ++ ret = bio->shutdown; ++ break; ++ case BIO_CTRL_SET_CLOSE: ++ bio->shutdown = (int)num; ++ break; ++ case BIO_CTRL_WPENDING: ++ ret = 0L; ++ break; ++ case BIO_CTRL_PENDING: ++ thispkt = sk_MEMPACKET_value(ctx->pkts, 0); ++ if (thispkt == NULL) ++ ret = 0; ++ else ++ ret = thispkt->len; ++ break; ++ case BIO_CTRL_FLUSH: ++ ret = 1; ++ break; ++ case BIO_CTRL_RESET: ++ case BIO_CTRL_DUP: ++ case BIO_CTRL_PUSH: ++ case BIO_CTRL_POP: ++ default: ++ ret = 0; ++ break; ++ } ++ return ret; ++} ++ ++static int mempacket_test_gets(BIO *bio, char *buf, int size) ++{ ++ /* We don't support this - not needed anyway */ ++ return -1; ++} ++ ++static int mempacket_test_puts(BIO *bio, const char *str) ++{ ++ return mempacket_test_write(bio, str, strlen(str)); ++} ++ ++int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, ++ SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, ++ char *privkeyfile) ++{ ++ SSL_CTX *serverctx = NULL; ++ SSL_CTX *clientctx = NULL; ++ ++ serverctx = SSL_CTX_new(sm); ++ clientctx = SSL_CTX_new(cm); ++ if (serverctx == NULL || clientctx == NULL) { ++ printf("Failed to create SSL_CTX\n"); ++ goto err; ++ } ++ ++ if (SSL_CTX_use_certificate_file(serverctx, certfile, ++ SSL_FILETYPE_PEM) <= 0) { ++ printf("Failed to load server certificate\n"); ++ goto err; ++ } ++ if (SSL_CTX_use_PrivateKey_file(serverctx, privkeyfile, ++ SSL_FILETYPE_PEM) <= 0) { ++ printf("Failed to load server private key\n"); ++ } ++ if (SSL_CTX_check_private_key(serverctx) <= 0) { ++ printf("Failed to check private key\n"); ++ goto err; ++ } ++ ++ *sctx = serverctx; ++ *cctx = clientctx; ++ ++ return 1; ++ err: ++ SSL_CTX_free(serverctx); ++ SSL_CTX_free(clientctx); ++ return 0; ++} ++ ++#define MAXLOOPS 100000 ++ ++/* ++ * NOTE: Transfers control of the BIOs - this function will free them on error ++ */ ++int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, ++ SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio) ++{ ++ SSL *serverssl, *clientssl; ++ BIO *s_to_c_bio = NULL, *c_to_s_bio = NULL; ++ ++ serverssl = SSL_new(serverctx); ++ clientssl = SSL_new(clientctx); ++ ++ if (serverssl == NULL || clientssl == NULL) { ++ printf("Failed to create SSL object\n"); ++ goto error; ++ } ++ ++ if (SSL_IS_DTLS(clientssl)) { ++ s_to_c_bio = BIO_new(bio_s_mempacket_test()); ++ c_to_s_bio = BIO_new(bio_s_mempacket_test());; ++ } else { ++ s_to_c_bio = BIO_new(BIO_s_mem()); ++ c_to_s_bio = BIO_new(BIO_s_mem()); ++ } ++ if (s_to_c_bio == NULL || c_to_s_bio == NULL) { ++ printf("Failed to create mem BIOs\n"); ++ goto error; ++ } ++ ++ if (s_to_c_fbio != NULL) ++ s_to_c_bio = BIO_push(s_to_c_fbio, s_to_c_bio); ++ if (c_to_s_fbio != NULL) ++ c_to_s_bio = BIO_push(c_to_s_fbio, c_to_s_bio); ++ if (s_to_c_bio == NULL || c_to_s_bio == NULL) { ++ printf("Failed to create chained BIOs\n"); ++ goto error; ++ } ++ ++ /* Set Non-blocking IO behaviour */ ++ BIO_set_mem_eof_return(s_to_c_bio, -1); ++ BIO_set_mem_eof_return(c_to_s_bio, -1); ++ ++ /* Up ref these as we are passing them to two SSL objects */ ++ CRYPTO_add(&s_to_c_bio->references, 1, CRYPTO_LOCK_BIO); ++ CRYPTO_add(&c_to_s_bio->references, 1, CRYPTO_LOCK_BIO); ++ ++ SSL_set_bio(serverssl, c_to_s_bio, s_to_c_bio); ++ SSL_set_bio(clientssl, s_to_c_bio, c_to_s_bio); ++ ++ /* BIOs will now be freed when SSL objects are freed */ ++ s_to_c_bio = c_to_s_bio = NULL; ++ s_to_c_fbio = c_to_s_fbio = NULL; ++ ++ *sssl = serverssl; ++ *cssl = clientssl; ++ ++ return 1; ++ ++ error: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ BIO_free(s_to_c_bio); ++ BIO_free(c_to_s_bio); ++ BIO_free(s_to_c_fbio); ++ BIO_free(c_to_s_fbio); ++ ++ return 0; ++} ++ ++int create_ssl_connection(SSL *serverssl, SSL *clientssl) ++{ ++ int retc = -1, rets = -1, err, abortctr = 0; ++ ++ do { ++ err = SSL_ERROR_WANT_WRITE; ++ while (retc <= 0 && err == SSL_ERROR_WANT_WRITE) { ++ retc = SSL_connect(clientssl); ++ if (retc <= 0) ++ err = SSL_get_error(clientssl, retc); ++ } ++ ++ if (retc <= 0 && err != SSL_ERROR_WANT_READ) { ++ printf("SSL_connect() failed %d, %d\n", retc, err); ++ return 0; ++ } ++ ++ err = SSL_ERROR_WANT_WRITE; ++ while (rets <= 0 && err == SSL_ERROR_WANT_WRITE) { ++ rets = SSL_accept(serverssl); ++ if (rets <= 0) ++ err = SSL_get_error(serverssl, rets); ++ } ++ ++ if (rets <= 0 && err != SSL_ERROR_WANT_READ) { ++ printf("SSL_accept() failed %d, %d\n", retc, err); ++ return 0; ++ } ++ if (++abortctr == MAXLOOPS) { ++ printf("No progress made\n"); ++ return 0; ++ } ++ } while (retc <=0 || rets <= 0); ++ ++ return 1; ++} +Index: openssl-1.0.2g/test/ssltestlib.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.2g/test/ssltestlib.h 2017-12-07 14:13:22.916839708 -0500 +@@ -0,0 +1,36 @@ ++/* ++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef HEADER_SSLTESTLIB_H ++# define HEADER_SSLTESTLIB_H ++ ++# include ++ ++int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, ++ SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, ++ char *privkeyfile); ++int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, ++ SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio); ++int create_ssl_connection(SSL *serverssl, SSL *clientssl); ++ ++/* Note: Not thread safe! */ ++BIO_METHOD *bio_f_tls_dump_filter(void); ++void bio_f_tls_dump_filter_free(void); ++ ++BIO_METHOD *bio_s_mempacket_test(void); ++void bio_s_mempacket_test_free(void); ++ ++/* Packet types - value 0 is reserved */ ++#define INJECT_PACKET 1 ++#define INJECT_PACKET_IGNORE_REC_SEQ 2 ++ ++int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, ++ int type); ++ ++#endif /* HEADER_SSLTESTLIB_H */ +Index: openssl-1.0.2g/test/Makefile +=================================================================== +--- openssl-1.0.2g.orig/test/Makefile 2017-12-07 14:13:22.920839758 -0500 ++++ openssl-1.0.2g/test/Makefile 2017-12-07 14:14:36.649747970 -0500 +@@ -98,7 +98,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATES + $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ + $(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(V3NAMETEST).o \ + $(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o \ +- $(CLIENTHELLOTEST).o $(SSLV2CONFTEST).o ++ $(CLIENTHELLOTEST).o $(SSLV2CONFTEST).o ssltestlib.o + + SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ + $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ +@@ -109,10 +109,10 @@ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATES + $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ + $(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \ + $(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c \ +- $(CLIENTHELLOTEST).c $(SSLV2CONFTEST).c ++ $(CLIENTHELLOTEST).c $(SSLV2CONFTEST).c ssltestlib.c + + EXHEADER= +-HEADER= testutil.h $(EXHEADER) ++HEADER= testutil.h ssltestlib.h $(EXHEADER) + + ALL= $(GENERAL) $(SRC) $(HEADER) + +@@ -397,7 +397,7 @@ BUILD_CMD=shlib_target=; if [ -n "$(SHAR + fi; \ + LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ + $(MAKE) -f $(TOP)/Makefile.shared -e \ +- CC="$${CC}" APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ ++ CC="$${CC}" APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o $$exobj" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + link_app.$${shlib_target} + +@@ -856,6 +856,24 @@ ssltest.o: ../include/openssl/ssl3.h ../ + ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h + ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h + ssltest.o: ../include/openssl/x509v3.h ssltest.c ++ssltestlib.o: ../include/openssl/asn1.h ../include/openssl/bio.h ++ssltestlib.o: ../include/openssl/buffer.h ../include/openssl/comp.h ++ssltestlib.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h ++ssltestlib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h ++ssltestlib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h ++ssltestlib.o: ../include/openssl/evp.h ../include/openssl/hmac.h ++ssltestlib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h ++ssltestlib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h ++ssltestlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ++ssltestlib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ++ssltestlib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ++ssltestlib.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h ++ssltestlib.o: ../include/openssl/sha.h ../include/openssl/srtp.h ++ssltestlib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ++ssltestlib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ++ssltestlib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ++ssltestlib.o: ../include/openssl/tls1.h ../include/openssl/x509.h ++ssltestlib.o: ../include/openssl/x509_vfy.h ssltestlib.c ssltestlib.h + sslv2conftest.o: ../include/openssl/asn1.h ../include/openssl/bio.h + sslv2conftest.o: ../include/openssl/buffer.h ../include/openssl/comp.h + sslv2conftest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3738.patch openssl-1.0.2g/debian/patches/CVE-2017-3738.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3738.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3738.patch 2017-12-07 18:17:30.000000000 +0000 @@ -0,0 +1,80 @@ +From ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Fri, 24 Nov 2017 11:35:50 +0100 +Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in + rsaz_1024_mul_avx2. + +Credit to OSS-Fuzz for finding this. + +CVE-2017-3738 + +Reviewed-by: Rich Salz +--- + crypto/bn/asm/rsaz-avx2.pl | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl +index 712a77f..2b3f8b0 100755 +--- a/crypto/bn/asm/rsaz-avx2.pl ++++ b/crypto/bn/asm/rsaz-avx2.pl +@@ -239,7 +239,7 @@ $code.=<<___; + vmovdqu 32*8-128($ap), $ACC8 + + lea 192(%rsp), $tp0 # 64+128=192 +- vpbroadcastq .Land_mask(%rip), $AND_MASK ++ vmovdqu .Land_mask(%rip), $AND_MASK + jmp .LOOP_GRANDE_SQR_1024 + + .align 32 +@@ -1070,10 +1070,10 @@ $code.=<<___; + vpmuludq 32*6-128($np),$Yi,$TEMP1 + vpaddq $TEMP1,$ACC6,$ACC6 + vpmuludq 32*7-128($np),$Yi,$TEMP2 +- vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3 ++ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3 + vpaddq $TEMP2,$ACC7,$ACC7 + vpmuludq 32*8-128($np),$Yi,$TEMP0 +- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3 ++ vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3 + vpaddq $TEMP0,$ACC8,$ACC8 + + mov %rbx, %rax +@@ -1086,7 +1086,9 @@ $code.=<<___; + vmovdqu -8+32*2-128($ap),$TEMP2 + + mov $r1, %rax ++ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3 + imull $n0, %eax ++ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3 + and \$0x1fffffff, %eax + + imulq 16-128($ap),%rbx +@@ -1322,15 +1324,12 @@ ___ + # But as we underutilize resources, it's possible to correct in + # each iteration with marginal performance loss. But then, as + # we do it in each iteration, we can correct less digits, and +-# avoid performance penalties completely. Also note that we +-# correct only three digits out of four. This works because +-# most significant digit is subjected to less additions. ++# avoid performance penalties completely. + + $TEMP0 = $ACC9; + $TEMP3 = $Bi; + $TEMP4 = $Yi; + $code.=<<___; +- vpermq \$0, $AND_MASK, $AND_MASK + vpaddq (%rsp), $TEMP1, $ACC0 + + vpsrlq \$29, $ACC0, $TEMP1 +@@ -1763,7 +1762,7 @@ $code.=<<___; + + .align 64 + .Land_mask: +- .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1 ++ .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff + .Lscatter_permd: + .long 0,2,4,6,7,7,7,7 + .Lgather_permd: +-- +2.7.4 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0495.patch openssl-1.0.2g/debian/patches/CVE-2018-0495.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0495.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0495.patch 2018-06-20 11:37:55.000000000 +0000 @@ -0,0 +1,218 @@ +From 949ff36623eafc3523a9f91784992965018ffb05 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 25 May 2018 12:10:13 +0100 +Subject: [PATCH] Add blinding to an ECDSA signature + +Keegan Ryan (NCC Group) has demonstrated a side channel attack on an +ECDSA signature operation. During signing the signer calculates: + +s:= k^-1 * (m + r * priv_key) mod order + +The addition operation above provides a sufficient signal for a +flush+reload attack to derive the private key given sufficient signature +operations. + +As a mitigation (based on a suggestion from Keegan) we add blinding to +the operation so that: + +s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order + +Since this attack is a localhost side channel only no CVE is assigned. + +Reviewed-by: Rich Salz +--- + CHANGES | 4 +++ + crypto/ecdsa/ecdsatest.c | 9 +++++- + crypto/ecdsa/ecs_ossl.c | 82 +++++++++++++++++++++++++++++++++++++++--------- + 3 files changed, 79 insertions(+), 16 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index f17fbbf..a3861ab 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -9,6 +9,10 @@ +# +# Changes between 1.0.2o and 1.0.2p [xx XXX xxxx] +# +#+ *) Add blinding to an ECDSA signature to protect against side channel attacks +#+ discovered by Keegan Ryan (NCC Group). +#+ [Matt Caswell] +#+ +# *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we +# now allow empty (zero character) pass phrases. +# [Richard Levitte] +Index: openssl-1.0.2g/crypto/ecdsa/ecdsatest.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/ecdsa/ecdsatest.c 2018-06-20 07:30:04.909513406 -0400 ++++ openssl-1.0.2g/crypto/ecdsa/ecdsatest.c 2018-06-20 07:30:04.905513403 -0400 +@@ -137,7 +137,7 @@ int restore_rand(void) + return 1; + } + +-static int fbytes_counter = 0; ++static int fbytes_counter = 0, use_fake = 0; + static const char *numbers[8] = { + "651056770906015076056810763456358567190100156695615665659", + "6140507067065001063065065565667405560006161556565665656654", +@@ -158,6 +158,11 @@ int fbytes(unsigned char *buf, int num) + int ret; + BIGNUM *tmp = NULL; + ++ if (use_fake == 0) ++ return old_rand->bytes(buf, num); ++ ++ use_fake = 0; ++ + if (fbytes_counter >= 8) + return 0; + tmp = BN_new(); +@@ -199,11 +204,13 @@ int x9_62_test_internal(BIO *out, int ni + /* create the key */ + if ((key = EC_KEY_new_by_curve_name(nid)) == NULL) + goto x962_int_err; ++ use_fake = 1; + if (!EC_KEY_generate_key(key)) + goto x962_int_err; + BIO_printf(out, "."); + (void)BIO_flush(out); + /* create the signature */ ++ use_fake = 1; + signature = ECDSA_do_sign(digest, 20, key); + if (signature == NULL) + goto x962_int_err; +Index: openssl-1.0.2g/crypto/ecdsa/ecs_ossl.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/ecdsa/ecs_ossl.c 2018-06-20 07:30:04.909513406 -0400 ++++ openssl-1.0.2g/crypto/ecdsa/ecs_ossl.c 2018-06-20 07:30:04.905513403 -0400 +@@ -238,6 +238,7 @@ static ECDSA_SIG *ecdsa_do_sign(const un + { + int ok = 0, i; + BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL; ++ BIGNUM *blind = NULL, *blindm = NULL; + const BIGNUM *ckinv; + BN_CTX *ctx = NULL; + const EC_GROUP *group; +@@ -255,14 +256,25 @@ static ECDSA_SIG *ecdsa_do_sign(const un + } + + ret = ECDSA_SIG_new(); +- if (!ret) { ++ if (ret == NULL) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); + return NULL; + } + s = ret->s; + +- if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || +- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ BN_CTX_start(ctx); ++ order = BN_CTX_get(ctx); ++ tmp = BN_CTX_get(ctx); ++ m = BN_CTX_get(ctx); ++ blind = BN_CTX_get(ctx); ++ blindm = BN_CTX_get(ctx); ++ if (blindm == NULL) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } +@@ -301,26 +313,70 @@ static ECDSA_SIG *ecdsa_do_sign(const un + } + } + +- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { ++ /* ++ * The normal signature calculation is: ++ * ++ * s := k^-1 * (m + r * priv_key) mod order ++ * ++ * We will blind this to protect against side channel attacks ++ * ++ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order ++ */ ++ ++ /* Generate a blinding value */ ++ do { ++ if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0)) ++ goto err; ++ } while (BN_is_zero(blind)); ++ BN_set_flags(blind, BN_FLG_CONSTTIME); ++ BN_set_flags(blindm, BN_FLG_CONSTTIME); ++ BN_set_flags(tmp, BN_FLG_CONSTTIME); ++ ++ /* tmp := blind * priv_key * r mod order */ ++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* blindm := blind * m mod order */ ++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s : = (blind * priv_key * r) + (blind * m) mod order */ ++ if (!BN_mod_add_quick(s, tmp, blindm, order)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s:= s * blind^-1 mod order */ ++ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } +- if (!BN_mod_add_quick(s, tmp, m, order)) { ++ if (!BN_mod_mul(s, s, blind, order, ctx)) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } ++ ++ /* s := s * k^-1 mod order */ + if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } ++ + if (BN_is_zero(s)) { + /* + * if kinv and r have been supplied by the caller don't to + * generate new kinv and r values + */ + if (in_kinv != NULL && in_r != NULL) { +- ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, +- ECDSA_R_NEED_NEW_SETUP_VALUES); ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES); + goto err; + } + } else +@@ -335,15 +391,11 @@ static ECDSA_SIG *ecdsa_do_sign(const un + ECDSA_SIG_free(ret); + ret = NULL; + } +- if (ctx) ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); +- if (m) +- BN_clear_free(m); +- if (tmp) +- BN_clear_free(tmp); +- if (order) +- BN_free(order); +- if (kinv) ++ } ++ if (kinv != NULL) + BN_clear_free(kinv); + return ret; + } diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0732.patch openssl-1.0.2g/debian/patches/CVE-2018-0732.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0732.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0732.patch 2018-06-20 11:38:01.000000000 +0000 @@ -0,0 +1,42 @@ +From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001 +From: Guido Vranken +Date: Mon, 11 Jun 2018 19:38:54 +0200 +Subject: [PATCH] Reject excessively large primes in DH key generation. + +CVE-2018-0732 + +Signed-off-by: Guido Vranken + +(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) + +Reviewed-by: Tim Hudson +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/6457) +--- + crypto/dh/dh_key.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 387558f..f235e0d 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -130,10 +130,15 @@ static int generate_key(DH *dh) + int ok = 0; + int generate_new_key = 0; + unsigned l; +- BN_CTX *ctx; ++ BN_CTX *ctx = NULL; + BN_MONT_CTX *mont = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +-- +2.7.4 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0734-1.patch openssl-1.0.2g/debian/patches/CVE-2018-0734-1.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0734-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0734-1.patch 2018-12-04 13:37:51.000000000 +0000 @@ -0,0 +1,24 @@ +From 43e6a58d4991a451daf4891ff05a48735df871ac Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Mon, 29 Oct 2018 08:24:22 +1000 +Subject: [PATCH] Merge DSA reallocation timing fix CVE-2018-0734. + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7513) +--- + crypto/dsa/dsa_ossl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openssl-1.0.2g/crypto/dsa/dsa_ossl.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/dsa/dsa_ossl.c 2018-12-04 08:37:46.938084461 -0500 ++++ openssl-1.0.2g/crypto/dsa/dsa_ossl.c 2018-12-04 08:37:46.930084388 -0500 +@@ -248,7 +248,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C + goto err; + + /* Preallocate space */ +- q_bits = BN_num_bits(dsa->q); ++ q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16; + if (!BN_set_bit(&k, q_bits) + || !BN_set_bit(&l, q_bits) + || !BN_set_bit(&m, q_bits)) diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0734-2.patch openssl-1.0.2g/debian/patches/CVE-2018-0734-2.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0734-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0734-2.patch 2018-12-04 13:37:57.000000000 +0000 @@ -0,0 +1,74 @@ +From ebf65dbe1a67682d7e1f58db9c53ef737fb37f32 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Mon, 29 Oct 2018 07:18:09 +1000 +Subject: [PATCH] Merge to 1.0.2: DSA mod inverse fix. + +There is a side channel attack against the division used to calculate one of +the modulo inverses in the DSA algorithm. This change takes advantage of the +primality of the modulo and Fermat's little theorem to calculate the inverse +without leaking information. + +Thanks to Samuel Weiser for finding and reporting this. + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7512) +--- + crypto/dsa/dsa_ossl.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +Index: openssl-1.0.2g/crypto/dsa/dsa_ossl.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/dsa/dsa_ossl.c 2018-12-04 08:37:55.130158103 -0500 ++++ openssl-1.0.2g/crypto/dsa/dsa_ossl.c 2018-12-04 08:37:55.126158067 -0500 +@@ -73,6 +73,8 @@ static int dsa_do_verify(const unsigned + DSA_SIG *sig, DSA *dsa); + static int dsa_init(DSA *dsa); + static int dsa_finish(DSA *dsa); ++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, ++ BN_CTX *ctx); + + static DSA_METHOD openssl_dsa_meth = { + "OpenSSL DSA method", +@@ -302,8 +304,8 @@ static int dsa_sign_setup(DSA *dsa, BN_C + if (!BN_mod(r, r, dsa->q, ctx)) + goto err; + +- /* Compute part of 's = inv(k) (m + xr) mod q' */ +- if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL) ++ /* Compute part of 's = inv(k) (m + xr) mod q' */ ++ if ((kinv = dsa_mod_inverse_fermat(&k, dsa->q, ctx)) == NULL) + goto err; + + if (*kinvp != NULL) +@@ -437,3 +439,31 @@ static int dsa_finish(DSA *dsa) + BN_MONT_CTX_free(dsa->method_mont_p); + return (1); + } ++ ++/* ++ * Compute the inverse of k modulo q. ++ * Since q is prime, Fermat's Little Theorem applies, which reduces this to ++ * mod-exp operation. Both the exponent and modulus are public information ++ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated ++ * BIGNUM is returned which the caller must free. ++ */ ++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, ++ BN_CTX *ctx) ++{ ++ BIGNUM *res = NULL; ++ BIGNUM *r, e; ++ ++ if ((r = BN_new()) == NULL) ++ return NULL; ++ ++ BN_init(&e); ++ ++ if (BN_set_word(r, 2) ++ && BN_sub(&e, q, r) ++ && BN_mod_exp_mont(r, k, &e, q, ctx, NULL)) ++ res = r; ++ else ++ BN_free(r); ++ BN_free(&e); ++ return res; ++} diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0734-3.patch openssl-1.0.2g/debian/patches/CVE-2018-0734-3.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0734-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0734-3.patch 2018-12-04 13:38:03.000000000 +0000 @@ -0,0 +1,29 @@ +From 880d1c76ed9916cddb97fe05fb4c144f0f6f1012 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Thu, 1 Nov 2018 08:44:11 +1000 +Subject: [PATCH] Add a constant time flag to one of the bignums to avoid a + timing leak. + +Reviewed-by: Tim Hudson +(Merged from https://github.com/openssl/openssl/pull/7549) + +(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) +--- + crypto/dsa/dsa_ossl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openssl-1.0.2g/crypto/dsa/dsa_ossl.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/dsa/dsa_ossl.c 2018-12-04 08:38:01.090211298 -0500 ++++ openssl-1.0.2g/crypto/dsa/dsa_ossl.c 2018-12-04 08:38:01.086211262 -0500 +@@ -264,9 +264,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C + + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { + BN_set_flags(&k, BN_FLG_CONSTTIME); ++ BN_set_flags(&l, BN_FLG_CONSTTIME); + } + +- + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { + if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, + CRYPTO_LOCK_DSA, dsa->p, ctx)) diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0734-pre1.patch openssl-1.0.2g/debian/patches/CVE-2018-0734-pre1.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0734-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0734-pre1.patch 2018-12-04 13:37:41.000000000 +0000 @@ -0,0 +1,118 @@ +From b96bebacfe814deb99fb64a3ed2296d95c573600 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 1 Nov 2017 06:58:13 +1000 +Subject: [PATCH] Address a timing side channel whereby it is possible to + determine some + +information about the length of a value used in DSA operations from +a large number of signatures. + +This doesn't rate as a CVE because: + +* For the non-constant time code, there are easier ways to extract + more information. + +* For the constant time code, it requires a significant number of signatures + to leak a small amount of information. + +Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for +reporting this issue. + +Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell + +Reviewed-by: Andy Polyakov +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/4642) +--- + crypto/dsa/dsa_ossl.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c +index 58013a4..aa10dd1 100644 +--- a/crypto/dsa/dsa_ossl.c ++++ b/crypto/dsa/dsa_ossl.c +@@ -224,7 +224,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + { + BN_CTX *ctx; + BIGNUM k, kq, *K, *kinv = NULL, *r = NULL; ++ BIGNUM l, m; + int ret = 0; ++ int q_bits; + + if (!dsa->p || !dsa->q || !dsa->g) { + DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); +@@ -233,6 +235,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + + BN_init(&k); + BN_init(&kq); ++ BN_init(&l); ++ BN_init(&m); + + if (ctx_in == NULL) { + if ((ctx = BN_CTX_new()) == NULL) +@@ -243,6 +247,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + if ((r = BN_new()) == NULL) + goto err; + ++ /* Preallocate space */ ++ q_bits = BN_num_bits(dsa->q); ++ if (!BN_set_bit(&k, q_bits) ++ || !BN_set_bit(&l, q_bits) ++ || !BN_set_bit(&m, q_bits)) ++ goto err; ++ + /* Get random k */ + do + if (!BN_rand_range(&k, dsa->q)) +@@ -263,24 +274,23 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + /* Compute r = (g^k mod p) mod q */ + + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { +- if (!BN_copy(&kq, &k)) +- goto err; +- +- BN_set_flags(&kq, BN_FLG_CONSTTIME); +- + /* + * We do not want timing information to leak the length of k, so we +- * compute g^k using an equivalent exponent of fixed length. (This +- * is a kludge that we need because the BN_mod_exp_mont() does not +- * let us specify the desired timing behaviour.) ++ * compute G^k using an equivalent scalar of fixed bit-length. ++ * ++ * We unconditionally perform both of these additions to prevent a ++ * small timing information leakage. We then choose the sum that is ++ * one bit longer than the modulus. ++ * ++ * TODO: revisit the BN_copy aiming for a memory access agnostic ++ * conditional copy. + */ +- +- if (!BN_add(&kq, &kq, dsa->q)) ++ if (!BN_add(&l, &k, dsa->q) ++ || !BN_add(&m, &l, dsa->q) ++ || !BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m)) + goto err; +- if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) { +- if (!BN_add(&kq, &kq, dsa->q)) +- goto err; +- } ++ ++ BN_set_flags(&kq, BN_FLG_CONSTTIME); + + K = &kq; + } else { +@@ -314,7 +324,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + BN_CTX_free(ctx); + BN_clear_free(&k); + BN_clear_free(&kq); +- return (ret); ++ BN_clear_free(&l); ++ BN_clear_free(&m); ++ return ret; + } + + static int dsa_do_verify(const unsigned char *dgst, int dgst_len, +-- +2.7.4 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch 2018-06-20 11:38:07.000000000 +0000 @@ -0,0 +1,81 @@ +Backport of: + +From 0b199a883e9170cdfe8e61c150bbaf8d8951f3e7 Mon Sep 17 00:00:00 2001 +From: Samuel Weiser +Date: Tue, 5 Dec 2017 15:55:17 +0100 +Subject: [PATCH] Replaced variable-time GCD with consttime inversion to avoid + side-channel attacks on RSA key generation + +Reviewed-by: Rich Salz +Reviewed-by: Kurt Roeckx +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/5170) + +(cherry picked from commit 9db724cfede4ba7a3668bff533973ee70145ec07) +--- + crypto/rsa/rsa_gen.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:30:18.121523563 -0400 ++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:30:18.117523561 -0400 +@@ -109,6 +109,7 @@ static int rsa_builtin_keygen(RSA *rsa, + BIGNUM *pr0, *d, *p; + int bitsp, bitsq, ok = -1, n = 0; + BN_CTX *ctx = NULL; ++ unsigned long error = 0; + + ctx = BN_CTX_new(); + if (ctx == NULL) +@@ -144,16 +145,25 @@ static int rsa_builtin_keygen(RSA *rsa, + + BN_copy(rsa->e, e_value); + ++ BN_set_flags(rsa->e, BN_FLG_CONSTTIME); + /* generate p and q */ + for (;;) { + if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) + goto err; + if (!BN_sub(r2, rsa->p, BN_value_one())) + goto err; +- if (!BN_gcd(r1, r2, rsa->e, ctx)) +- goto err; +- if (BN_is_one(r1)) ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ + break; ++ } ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_clear_error(); ++ } else { ++ goto err; ++ } + if (!BN_GENCB_call(cb, 2, n++)) + goto err; + } +@@ -177,10 +187,18 @@ static int rsa_builtin_keygen(RSA *rsa, + } + if (!BN_sub(r2, rsa->q, BN_value_one())) + goto err; +- if (!BN_gcd(r1, r2, rsa->e, ctx)) +- goto err; +- if (BN_is_one(r1)) ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ + break; ++ } ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_clear_error(); ++ } else { ++ goto err; ++ } + if (!BN_GENCB_call(cb, 2, n++)) + goto err; + } diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch 2018-06-20 11:38:11.000000000 +0000 @@ -0,0 +1,55 @@ +Backport of: + +From 64eb614ccc7ccf30cc412b736f509f1d82bbf897 Mon Sep 17 00:00:00 2001 +From: Samuel Weiser +Date: Wed, 31 Jan 2018 13:10:55 +0100 +Subject: [PATCH] used ERR set/pop mark + +Reviewed-by: Rich Salz +Reviewed-by: Kurt Roeckx +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/5170) + +(cherry picked from commit 011f82e66f4bf131c733fd41a8390039859aafb2) +--- + crypto/rsa/rsa_gen.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:31:12.537565425 -0400 ++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:31:12.529565420 -0400 +@@ -152,6 +152,7 @@ static int rsa_builtin_keygen(RSA *rsa, + goto err; + if (!BN_sub(r2, rsa->p, BN_value_one())) + goto err; ++ ERR_set_mark(); + if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { + /* GCD == 1 since inverse exists */ + break; +@@ -160,7 +161,7 @@ static int rsa_builtin_keygen(RSA *rsa, + if (ERR_GET_LIB(error) == ERR_LIB_BN + && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { + /* GCD != 1 */ +- ERR_clear_error(); ++ ERR_pop_to_mark(); + } else { + goto err; + } +@@ -187,6 +188,7 @@ static int rsa_builtin_keygen(RSA *rsa, + } + if (!BN_sub(r2, rsa->q, BN_value_one())) + goto err; ++ ERR_set_mark(); + if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { + /* GCD == 1 since inverse exists */ + break; +@@ -195,7 +197,7 @@ static int rsa_builtin_keygen(RSA *rsa, + if (ERR_GET_LIB(error) == ERR_LIB_BN + && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { + /* GCD != 1 */ +- ERR_clear_error(); ++ ERR_pop_to_mark(); + } else { + goto err; + } diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch 2018-06-20 11:38:15.000000000 +0000 @@ -0,0 +1,30 @@ +Backport of: + +From 0d6710289307d277ebc3354105c965b6e8ba8eb0 Mon Sep 17 00:00:00 2001 +From: Samuel Weiser +Date: Fri, 9 Feb 2018 14:11:47 +0100 +Subject: [PATCH] consttime flag changed + +Reviewed-by: Rich Salz +Reviewed-by: Kurt Roeckx +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/5170) + +(cherry picked from commit 7150a4720af7913cae16f2e4eaf768b578c0b298) +--- + crypto/rsa/rsa_gen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:31:18.793570241 -0400 ++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:31:18.785570235 -0400 +@@ -145,7 +145,7 @@ static int rsa_builtin_keygen(RSA *rsa, + + BN_copy(rsa->e, e_value); + +- BN_set_flags(rsa->e, BN_FLG_CONSTTIME); ++ BN_set_flags(r2, BN_FLG_CONSTTIME); + /* generate p and q */ + for (;;) { + if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch 2018-06-20 11:38:18.000000000 +0000 @@ -0,0 +1,30 @@ +Backport of: + +From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001 +From: Billy Brumley +Date: Wed, 11 Apr 2018 10:10:58 +0300 +Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont + both get called with BN_FLG_CONSTTIME flag set. + +CVE-2018-0737 + +Reviewed-by: Rich Salz +Reviewed-by: Matt Caswell +(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787) +--- + crypto/rsa/rsa_gen.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:31:24.941574975 -0400 ++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:31:24.933574969 -0400 +@@ -145,6 +145,8 @@ static int rsa_builtin_keygen(RSA *rsa, + + BN_copy(rsa->e, e_value); + ++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME); ++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME); + BN_set_flags(r2, BN_FLG_CONSTTIME); + /* generate p and q */ + for (;;) { diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0739.patch openssl-1.0.2g/debian/patches/CVE-2018-0739.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0739.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0739.patch 2018-03-27 18:18:29.000000000 +0000 @@ -0,0 +1,232 @@ +From 9310d45087ae546e27e61ddf8f6367f29848220d Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 22 Mar 2018 10:05:40 +0000 +Subject: [PATCH] Limit ASN.1 constructed types recursive definition depth + +Constructed types with a recursive definition (such as can be found in +PKCS7) could eventually exceed the stack given malicious input with +excessive recursion. Therefore we limit the stack depth. + +CVE-2018-0739 + +Credit to OSSFuzz for finding this issue. + +Reviewed-by: Rich Salz +--- + crypto/asn1/asn1.h | 1 + + crypto/asn1/asn1_err.c | 3 ++- + crypto/asn1/tasn_dec.c | 62 +++++++++++++++++++++++++++++++++----------------- + 3 files changed, 44 insertions(+), 22 deletions(-) + +Index: openssl-1.0.2g/crypto/asn1/asn1.h +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/asn1.h 2018-03-27 14:17:12.462114719 -0400 ++++ openssl-1.0.2g/crypto/asn1/asn1.h 2018-03-27 14:17:12.458114714 -0400 +@@ -1373,6 +1373,7 @@ void ERR_load_ASN1_strings(void); + # define ASN1_R_MSTRING_NOT_UNIVERSAL 139 + # define ASN1_R_MSTRING_WRONG_TAG 140 + # define ASN1_R_NESTED_ASN1_STRING 197 ++# define ASN1_R_NESTED_TOO_DEEP 219 + # define ASN1_R_NON_HEX_CHARACTERS 141 + # define ASN1_R_NOT_ASCII_FORMAT 190 + # define ASN1_R_NOT_ENOUGH_DATA 142 +Index: openssl-1.0.2g/crypto/asn1/asn1_err.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/asn1_err.c 2018-03-27 14:17:12.462114719 -0400 ++++ openssl-1.0.2g/crypto/asn1/asn1_err.c 2018-03-27 14:17:12.458114714 -0400 +@@ -1,6 +1,6 @@ + /* crypto/asn1/asn1_err.c */ + /* ==================================================================== +- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -279,6 +279,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ + {ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"}, + {ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"}, + {ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"}, ++ {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"}, + {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"}, + {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"}, + {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"}, +Index: openssl-1.0.2g/crypto/asn1/tasn_dec.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/tasn_dec.c 2018-03-27 14:17:12.462114719 -0400 ++++ openssl-1.0.2g/crypto/asn1/tasn_dec.c 2018-03-27 14:17:12.458114714 -0400 +@@ -65,6 +65,14 @@ + #include + #include + ++/* ++ * Constructed types with a recursive definition (such as can be found in PKCS7) ++ * could eventually exceed the stack given malicious input with excessive ++ * recursion. Therefore we limit the stack depth. This is the maximum number of ++ * recursive invocations of asn1_item_embed_d2i(). ++ */ ++#define ASN1_MAX_CONSTRUCTED_NEST 30 ++ + static int asn1_check_eoc(const unsigned char **in, long len); + static int asn1_find_end(const unsigned char **in, long len, char inf); + +@@ -81,11 +89,11 @@ static int asn1_check_tlen(long *olen, i + static int asn1_template_ex_d2i(ASN1_VALUE **pval, + const unsigned char **in, long len, + const ASN1_TEMPLATE *tt, char opt, +- ASN1_TLC *ctx); ++ ASN1_TLC *ctx, int depth); + static int asn1_template_noexp_d2i(ASN1_VALUE **val, + const unsigned char **in, long len, + const ASN1_TEMPLATE *tt, char opt, +- ASN1_TLC *ctx); ++ ASN1_TLC *ctx, int depth); + static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, + const unsigned char **in, long len, + const ASN1_ITEM *it, +@@ -154,17 +162,16 @@ int ASN1_template_d2i(ASN1_VALUE **pval, + { + ASN1_TLC c; + asn1_tlc_clear_nc(&c); +- return asn1_template_ex_d2i(pval, in, len, tt, 0, &c); ++ return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0); + } + + /* + * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and + * tag mismatch return -1 to handle OPTIONAL + */ +- +-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, +- const ASN1_ITEM *it, +- int tag, int aclass, char opt, ASN1_TLC *ctx) ++static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, ++ long len, const ASN1_ITEM *it, int tag, int aclass, ++ char opt, ASN1_TLC *ctx, int depth) + { + const ASN1_TEMPLATE *tt, *errtt = NULL; + const ASN1_COMPAT_FUNCS *cf; +@@ -189,6 +196,11 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + else + asn1_cb = 0; + ++ if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP); ++ goto err; ++ } ++ + switch (it->itype) { + case ASN1_ITYPE_PRIMITIVE: + if (it->templates) { +@@ -204,7 +216,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + goto err; + } + return asn1_template_ex_d2i(pval, in, len, +- it->templates, opt, ctx); ++ it->templates, opt, ctx, depth); + } + return asn1_d2i_ex_primitive(pval, in, len, it, + tag, aclass, opt, ctx); +@@ -326,7 +338,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + /* + * We mark field as OPTIONAL so its absence can be recognised. + */ +- ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); ++ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth); + /* If field not present, try the next one */ + if (ret == -1) + continue; +@@ -442,7 +454,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + * attempt to read in field, allowing each to be OPTIONAL + */ + +- ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); ++ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx, ++ depth); + if (!ret) { + errtt = seqtt; + goto err; +@@ -512,6 +525,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + return 0; + } + ++int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, ++ const ASN1_ITEM *it, ++ int tag, int aclass, char opt, ASN1_TLC *ctx) ++{ ++ return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0); ++} ++ + /* + * Templates are handled with two separate functions. One handles any + * EXPLICIT tag and the other handles the rest. +@@ -520,7 +540,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + static int asn1_template_ex_d2i(ASN1_VALUE **val, + const unsigned char **in, long inlen, + const ASN1_TEMPLATE *tt, char opt, +- ASN1_TLC *ctx) ++ ASN1_TLC *ctx, int depth) + { + int flags, aclass; + int ret; +@@ -555,7 +575,7 @@ static int asn1_template_ex_d2i(ASN1_VAL + return 0; + } + /* We've found the field so it can't be OPTIONAL now */ +- ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); ++ ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth); + if (!ret) { + ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); + return 0; +@@ -579,7 +599,7 @@ static int asn1_template_ex_d2i(ASN1_VAL + } + } + } else +- return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx); ++ return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth); + + *in = p; + return 1; +@@ -592,7 +612,7 @@ static int asn1_template_ex_d2i(ASN1_VAL + static int asn1_template_noexp_d2i(ASN1_VALUE **val, + const unsigned char **in, long len, + const ASN1_TEMPLATE *tt, char opt, +- ASN1_TLC *ctx) ++ ASN1_TLC *ctx, int depth) + { + int flags, aclass; + int ret; +@@ -663,8 +683,8 @@ static int asn1_template_noexp_d2i(ASN1_ + break; + } + skfield = NULL; +- if (!ASN1_item_ex_d2i(&skfield, &p, len, +- ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) { ++ if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), ++ -1, 0, 0, ctx, depth)) { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, + ERR_R_NESTED_ASN1_ERROR); + goto err; +@@ -681,9 +701,8 @@ static int asn1_template_noexp_d2i(ASN1_ + } + } else if (flags & ASN1_TFLG_IMPTAG) { + /* IMPLICIT tagging */ +- ret = ASN1_item_ex_d2i(val, &p, len, +- ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, +- ctx); ++ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, ++ aclass, opt, ctx, depth); + if (!ret) { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); + goto err; +@@ -691,8 +710,9 @@ static int asn1_template_noexp_d2i(ASN1_ + return -1; + } else { + /* Nothing special */ +- ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), +- -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); ++ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx, ++ depth); + if (!ret) { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); + goto err; diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-5407.patch openssl-1.0.2g/debian/patches/CVE-2018-5407.patch --- openssl-1.0.2g/debian/patches/CVE-2018-5407.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-5407.patch 2018-12-04 14:32:11.000000000 +0000 @@ -0,0 +1,342 @@ +Backport of: + +From b18162a7c9bbfb57112459a4d6631fa258fd8c0c Mon Sep 17 00:00:00 2001 +From: Billy Brumley +Date: Thu, 8 Nov 2018 13:57:54 +0200 +Subject: [PATCH] CVE-2018-5407 fix: ECC ladder + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +Reviewed-by: Nicola Tuveri +(Merged from https://github.com/openssl/openssl/pull/7593) +--- + CHANGES | 13 +++ + crypto/bn/bn_lib.c | 32 +++++++ + crypto/ec/ec_mult.c | 246 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 291 insertions(+) + +#diff --git a/CHANGES b/CHANGES +#index b574074..fde66b5 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -9,6 +9,19 @@ +# +# Changes between 1.0.2p and 1.0.2q [xx XXX xxxx] +# +#+ *) Microarchitecture timing vulnerability in ECC scalar multiplication +#+ +#+ OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been +#+ shown to be vulnerable to a microarchitecture timing side channel attack. +#+ An attacker with sufficient access to mount local timing attacks during +#+ ECDSA signature generation could recover the private key. +#+ +#+ This issue was reported to OpenSSL on 26th October 2018 by Alejandro +#+ Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and +#+ Nicola Tuveri. +#+ (CVE-2018-5407) +#+ [Billy Brumley] +#+ +# *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object +# Module, accidentally introduced while backporting security fixes from the +# development branch and hindering the use of ECC in FIPS mode. +Index: openssl-1.0.2g/crypto/bn/bn_lib.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/bn/bn_lib.c 2018-12-04 09:29:25.320463460 -0500 ++++ openssl-1.0.2g/crypto/bn/bn_lib.c 2018-12-04 09:30:33.432686833 -0500 +@@ -879,6 +879,32 @@ void BN_consttime_swap(BN_ULONG conditio + a->top ^= t; + b->top ^= t; + ++ t = (a->neg ^ b->neg) & condition; ++ a->neg ^= t; ++ b->neg ^= t; ++ ++ /*- ++ * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention ++ * is actually to treat it as it's read-only data, and some (if not most) ++ * of it does reside in read-only segment. In other words observation of ++ * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal ++ * condition. It would either cause SEGV or effectively cause data ++ * corruption. ++ * ++ * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be ++ * preserved. ++ * ++ * BN_FLG_SECURE: must be preserved, because it determines how x->d was ++ * allocated and hence how to free it. ++ * ++ * BN_FLG_CONSTTIME: sufficient to mask and swap ++ * ++ */ ++ ++ t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; ++ a->flags ^= t; ++ b->flags ^= t; ++ + #define BN_CONSTTIME_SWAP(ind) \ + do { \ + t = (a->d[ind] ^ b->d[ind]) & condition; \ +Index: openssl-1.0.2g/crypto/ec/ec_mult.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/ec/ec_mult.c 2018-12-04 09:29:25.320463460 -0500 ++++ openssl-1.0.2g/crypto/ec/ec_mult.c 2018-12-04 09:29:25.320463460 -0500 +@@ -306,6 +306,224 @@ static signed char *compute_wNAF(const B + return r; + } + ++#define EC_POINT_BN_set_flags(P, flags) do { \ ++ BN_set_flags(&(P)->X, (flags)); \ ++ BN_set_flags(&(P)->Y, (flags)); \ ++ BN_set_flags(&(P)->Z, (flags)); \ ++} while(0) ++ ++/*- ++ * This functions computes (in constant time) a point multiplication over the ++ * EC group. ++ * ++ * At a high level, it is Montgomery ladder with conditional swaps. ++ * ++ * It performs either a fixed scalar point multiplication ++ * (scalar * generator) ++ * when point is NULL, or a generic scalar point multiplication ++ * (scalar * point) ++ * when point is not NULL. ++ * ++ * scalar should be in the range [0,n) otherwise all constant time bets are off. ++ * ++ * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, ++ * which of course are not constant time themselves. ++ * ++ * The product is stored in r. ++ * ++ * Returns 1 on success, 0 otherwise. ++ */ ++static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, const EC_POINT *point, ++ BN_CTX *ctx) ++{ ++ int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; ++ EC_POINT *s = NULL; ++ BIGNUM *k = NULL; ++ BIGNUM *lambda = NULL; ++ BIGNUM *cardinality = NULL; ++ BN_CTX *new_ctx = NULL; ++ int ret = 0; ++ ++ if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ ++ s = EC_POINT_new(group); ++ if (s == NULL) ++ goto err; ++ ++ if (point == NULL) { ++ if (!EC_POINT_copy(s, group->generator)) ++ goto err; ++ } else { ++ if (!EC_POINT_copy(s, point)) ++ goto err; ++ } ++ ++ EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); ++ ++ cardinality = BN_CTX_get(ctx); ++ lambda = BN_CTX_get(ctx); ++ k = BN_CTX_get(ctx); ++ if (k == NULL || !BN_mul(cardinality, &group->order, &group->cofactor, ctx)) ++ goto err; ++ ++ /* ++ * Group cardinalities are often on a word boundary. ++ * So when we pad the scalar, some timing diff might ++ * pop if it needs to be expanded due to carries. ++ * So expand ahead of time. ++ */ ++ cardinality_bits = BN_num_bits(cardinality); ++ group_top = cardinality->top; ++ if ((bn_wexpand(k, group_top + 2) == NULL) ++ || (bn_wexpand(lambda, group_top + 2) == NULL)) ++ goto err; ++ ++ if (!BN_copy(k, scalar)) ++ goto err; ++ ++ BN_set_flags(k, BN_FLG_CONSTTIME); ++ ++ if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { ++ /*- ++ * this is an unusual input, and we don't guarantee ++ * constant-timeness ++ */ ++ if (!BN_nnmod(k, k, cardinality, ctx)) ++ goto err; ++ } ++ ++ if (!BN_add(lambda, k, cardinality)) ++ goto err; ++ BN_set_flags(lambda, BN_FLG_CONSTTIME); ++ if (!BN_add(k, lambda, cardinality)) ++ goto err; ++ /* ++ * lambda := scalar + cardinality ++ * k := scalar + 2*cardinality ++ */ ++ kbit = BN_is_bit_set(lambda, cardinality_bits); ++ BN_consttime_swap(kbit, k, lambda, group_top + 2); ++ ++ group_top = group->field.top; ++ if ((bn_wexpand(&s->X, group_top) == NULL) ++ || (bn_wexpand(&s->Y, group_top) == NULL) ++ || (bn_wexpand(&s->Z, group_top) == NULL) ++ || (bn_wexpand(&r->X, group_top) == NULL) ++ || (bn_wexpand(&r->Y, group_top) == NULL) ++ || (bn_wexpand(&r->Z, group_top) == NULL)) ++ goto err; ++ ++ /* top bit is a 1, in a fixed pos */ ++ if (!EC_POINT_copy(r, s)) ++ goto err; ++ ++ EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); ++ ++ if (!EC_POINT_dbl(group, s, s, ctx)) ++ goto err; ++ ++ pbit = 0; ++ ++#define EC_POINT_CSWAP(c, a, b, w, t) do { \ ++ BN_consttime_swap(c, &(a)->X, &(b)->X, w); \ ++ BN_consttime_swap(c, &(a)->Y, &(b)->Y, w); \ ++ BN_consttime_swap(c, &(a)->Z, &(b)->Z, w); \ ++ t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ ++ (a)->Z_is_one ^= (t); \ ++ (b)->Z_is_one ^= (t); \ ++} while(0) ++ ++ /*- ++ * The ladder step, with branches, is ++ * ++ * k[i] == 0: S = add(R, S), R = dbl(R) ++ * k[i] == 1: R = add(S, R), S = dbl(S) ++ * ++ * Swapping R, S conditionally on k[i] leaves you with state ++ * ++ * k[i] == 0: T, U = R, S ++ * k[i] == 1: T, U = S, R ++ * ++ * Then perform the ECC ops. ++ * ++ * U = add(T, U) ++ * T = dbl(T) ++ * ++ * Which leaves you with state ++ * ++ * k[i] == 0: U = add(R, S), T = dbl(R) ++ * k[i] == 1: U = add(S, R), T = dbl(S) ++ * ++ * Swapping T, U conditionally on k[i] leaves you with state ++ * ++ * k[i] == 0: R, S = T, U ++ * k[i] == 1: R, S = U, T ++ * ++ * Which leaves you with state ++ * ++ * k[i] == 0: S = add(R, S), R = dbl(R) ++ * k[i] == 1: R = add(S, R), S = dbl(S) ++ * ++ * So we get the same logic, but instead of a branch it's a ++ * conditional swap, followed by ECC ops, then another conditional swap. ++ * ++ * Optimization: The end of iteration i and start of i-1 looks like ++ * ++ * ... ++ * CSWAP(k[i], R, S) ++ * ECC ++ * CSWAP(k[i], R, S) ++ * (next iteration) ++ * CSWAP(k[i-1], R, S) ++ * ECC ++ * CSWAP(k[i-1], R, S) ++ * ... ++ * ++ * So instead of two contiguous swaps, you can merge the condition ++ * bits and do a single swap. ++ * ++ * k[i] k[i-1] Outcome ++ * 0 0 No Swap ++ * 0 1 Swap ++ * 1 0 Swap ++ * 1 1 No Swap ++ * ++ * This is XOR. pbit tracks the previous bit of k. ++ */ ++ ++ for (i = cardinality_bits - 1; i >= 0; i--) { ++ kbit = BN_is_bit_set(k, i) ^ pbit; ++ EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); ++ if (!EC_POINT_add(group, s, r, s, ctx)) ++ goto err; ++ if (!EC_POINT_dbl(group, r, r, ctx)) ++ goto err; ++ /* ++ * pbit logic merges this cswap with that of the ++ * next iteration ++ */ ++ pbit ^= kbit; ++ } ++ /* one final cswap to move the right value into r */ ++ EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); ++#undef EC_POINT_CSWAP ++ ++ ret = 1; ++ ++ err: ++ EC_POINT_free(s); ++ BN_CTX_end(ctx); ++ BN_CTX_free(new_ctx); ++ ++ return ret; ++} ++ ++#undef EC_POINT_BN_set_flags ++ + /* + * TODO: table should be optimised for the wNAF-based implementation, + * sometimes smaller windows will give better performance (thus the +@@ -365,6 +583,34 @@ int ec_wNAF_mul(const EC_GROUP *group, E + return EC_POINT_set_to_infinity(group, r); + } + ++ if (!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)) { ++ /*- ++ * Handle the common cases where the scalar is secret, enforcing a constant ++ * time scalar multiplication algorithm. ++ */ ++ if ((scalar != NULL) && (num == 0)) { ++ /*- ++ * In this case we want to compute scalar * GeneratorPoint: this ++ * codepath is reached most prominently by (ephemeral) key generation ++ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH ++ * keygen/first half), where the scalar is always secret. This is why ++ * we ignore if BN_FLG_CONSTTIME is actually set and we always call the ++ * constant time version. ++ */ ++ return ec_mul_consttime(group, r, scalar, NULL, ctx); ++ } ++ if ((scalar == NULL) && (num == 1)) { ++ /*- ++ * In this case we want to compute scalar * GenericPoint: this codepath ++ * is reached most prominently by the second half of ECDH, where the ++ * secret scalar is multiplied by the peer's public point. To protect ++ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and ++ * we always call the constant time version. ++ */ ++ return ec_mul_consttime(group, r, scalars[0], points[0], ctx); ++ } ++ } ++ + for (i = 0; i < num; i++) { + if (group->meth != points[i]->meth) { + ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); diff -Nru openssl-1.0.2g/debian/patches/CVE-2019-1547.patch openssl-1.0.2g/debian/patches/CVE-2019-1547.patch --- openssl-1.0.2g/debian/patches/CVE-2019-1547.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2019-1547.patch 2020-05-27 19:17:07.000000000 +0000 @@ -0,0 +1,230 @@ +From 21c856b75d81eff61aa63b4f036bb64a85bf6d46 Mon Sep 17 00:00:00 2001 +From: Billy Brumley +Date: Sat, 7 Sep 2019 10:50:58 +0300 +Subject: [PATCH] [crypto/ec] for ECC parameters with NULL or zero cofactor, + compute it + +The cofactor argument to EC_GROUP_set_generator is optional, and SCA +mitigations for ECC currently use it. So the library currently falls +back to very old SCA-vulnerable code if the cofactor is not present. + +This PR allows EC_GROUP_set_generator to compute the cofactor for all +curves of cryptographic interest. Steering scalar multiplication to more +SCA-robust code. + +This issue affects persisted private keys in explicit parameter form, +where the (optional) cofactor field is zero or absent. + +It also affects curves not built-in to the library, but constructed +programatically with explicit parameters, then calling +EC_GROUP_set_generator with a nonsensical value (NULL, zero). + +The very old scalar multiplication code is known to be vulnerable to +local uarch attacks, outside of the OpenSSL threat model. New results +suggest the code path is also vulnerable to traditional wall clock +timing attacks. + +CVE-2019-1547 + +Reviewed-by: Nicola Tuveri +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/9799) +--- + CHANGES | 7 ++++ + crypto/ec/ec.h | 6 ++- + crypto/ec/ec_err.c | 3 +- + crypto/ec/ec_lib.c | 102 +++++++++++++++++++++++++++++++++++++++++---- + 4 files changed, 108 insertions(+), 10 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index d804f325b4..ee272f2266 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -9,6 +9,13 @@ +# +# Changes between 1.0.2s and 1.0.2t [xx XXX xxxx] +# +#+ *) Compute ECC cofactors if not provided during EC_GROUP construction. Before +#+ this change, EC_GROUP_set_generator would accept order and/or cofactor as +#+ NULL. After this change, only the cofactor parameter can be NULL. It also +#+ does some minimal sanity checks on the passed order. +#+ (CVE-2019-1547) +#+ [Billy Bob Brumley] +#+ +# *) Document issue with installation paths in diverse Windows builds +# +# '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL +--- a/crypto/ec/ec.h ++++ b/crypto/ec/ec.h +@@ -1073,6 +1073,7 @@ int EC_KEY_print_fp(FILE *fp, const EC_K + * The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. + */ ++ + void ERR_load_EC_strings(void); + + /* Error codes for the EC functions. */ +@@ -1270,13 +1271,14 @@ void ERR_load_EC_strings(void); + # define EC_R_SLOT_FULL 108 + # define EC_R_UNDEFINED_GENERATOR 113 + # define EC_R_UNDEFINED_ORDER 128 ++# define EC_R_UNKNOWN_COFACTOR 152 + # define EC_R_UNKNOWN_GROUP 129 + # define EC_R_UNKNOWN_ORDER 114 + # define EC_R_UNSUPPORTED_FIELD 131 + # define EC_R_WRONG_CURVE_PARAMETERS 145 + # define EC_R_WRONG_ORDER 130 + +-#ifdef __cplusplus ++# ifdef __cplusplus + } +-#endif ++# endif + #endif +--- a/crypto/ec/ec_err.c ++++ b/crypto/ec/ec_err.c +@@ -1,6 +1,6 @@ + /* crypto/ec/ec_err.c */ + /* ==================================================================== +- * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -310,6 +310,7 @@ static ERR_STRING_DATA EC_str_reasons[] + {ERR_REASON(EC_R_SLOT_FULL), "slot full"}, + {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"}, + {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"}, ++ {ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"}, + {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"}, + {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"}, + {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"}, +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -290,6 +290,67 @@ int EC_METHOD_get_field_type(const EC_ME + return meth->field_type; + } + ++/*- ++ * Try computing cofactor from the generator order (n) and field cardinality (q). ++ * This works for all curves of cryptographic interest. ++ * ++ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q) ++ * h_min = (q + 1 - 2*sqrt(q))/n ++ * h_max = (q + 1 + 2*sqrt(q))/n ++ * h_max - h_min = 4*sqrt(q)/n ++ * So if n > 4*sqrt(q) holds, there is only one possible value for h: ++ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil ++ * ++ * Otherwise, zero cofactor and return success. ++ */ ++static int ec_guess_cofactor(EC_GROUP *group) { ++ int ret = 0; ++ BN_CTX *ctx = NULL; ++ BIGNUM *q = NULL; ++ ++ /*- ++ * If the cofactor is too large, we cannot guess it. ++ * The RHS of below is a strict overestimate of lg(4 * sqrt(q)) ++ */ ++ if (BN_num_bits(&group->order) <= (BN_num_bits(&group->field) + 1) / 2 + 3) { ++ /* default to 0 */ ++ BN_zero(&group->cofactor); ++ /* return success */ ++ return 1; ++ } ++ ++ if ((ctx = BN_CTX_new()) == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ if ((q = BN_CTX_get(ctx)) == NULL) ++ goto err; ++ ++ /* set q = 2**m for binary fields; q = p otherwise */ ++ if (group->meth->field_type == NID_X9_62_characteristic_two_field) { ++ BN_zero(q); ++ if (!BN_set_bit(q, BN_num_bits(&group->field) - 1)) ++ goto err; ++ } else { ++ if (!BN_copy(q, &group->field)) ++ goto err; ++ } ++ ++ /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */ ++ if (!BN_rshift1(&group->cofactor, &group->order) /* n/2 */ ++ || !BN_add(&group->cofactor, &group->cofactor, q) /* q + n/2 */ ++ /* q + 1 + n/2 */ ++ || !BN_add(&group->cofactor, &group->cofactor, BN_value_one()) ++ /* (q + 1 + n/2)/n */ ++ || !BN_div(&group->cofactor, NULL, &group->cofactor, &group->order, ctx)) ++ goto err; ++ ret = 1; ++ err: ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ return ret; ++} ++ + int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, + const BIGNUM *order, const BIGNUM *cofactor) + { +@@ -298,6 +359,33 @@ int EC_GROUP_set_generator(EC_GROUP *gro + return 0; + } + ++ /* require group->field >= 1 */ ++ if (BN_is_zero(&group->field) || BN_is_negative(&group->field)) { ++ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD); ++ return 0; ++ } ++ ++ /*- ++ * - require order >= 1 ++ * - enforce upper bound due to Hasse thm: order can be no more than one bit ++ * longer than field cardinality ++ */ ++ if (order == NULL || BN_is_zero(order) || BN_is_negative(order) ++ || BN_num_bits(order) > BN_num_bits(&group->field) + 1) { ++ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER); ++ return 0; ++ } ++ ++ /*- ++ * Unfortunately the cofactor is an optional field in many standards. ++ * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor". ++ * So accept cofactor == NULL or cofactor >= 0. ++ */ ++ if (cofactor != NULL && BN_is_negative(cofactor)) { ++ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR); ++ return 0; ++ } ++ + if (group->generator == NULL) { + group->generator = EC_POINT_new(group); + if (group->generator == NULL) +@@ -306,17 +394,17 @@ int EC_GROUP_set_generator(EC_GROUP *gro + if (!EC_POINT_copy(group->generator, generator)) + return 0; + +- if (order != NULL) { +- if (!BN_copy(&group->order, order)) +- return 0; +- } else +- BN_zero(&group->order); ++ if (!BN_copy(&group->order, order)) ++ return 0; + +- if (cofactor != NULL) { ++ /* Either take the provided positive cofactor, or try to compute it */ ++ if (cofactor != NULL && !BN_is_zero(cofactor)) { + if (!BN_copy(&group->cofactor, cofactor)) + return 0; +- } else ++ } else if (!ec_guess_cofactor(group)) { + BN_zero(&group->cofactor); ++ return 0; ++ } + + /* + * We ignore the return value because some groups have an order with diff -Nru openssl-1.0.2g/debian/patches/CVE-2019-1551.patch openssl-1.0.2g/debian/patches/CVE-2019-1551.patch --- openssl-1.0.2g/debian/patches/CVE-2019-1551.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2019-1551.patch 2020-05-27 19:17:36.000000000 +0000 @@ -0,0 +1,766 @@ +From f1c5eea8a817075d31e43f5876993c6710238c98 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Wed, 4 Dec 2019 12:48:21 +0100 +Subject: [PATCH] Fix an overflow bug in rsaz_512_sqr + +There is an overflow bug in the x64_64 Montgomery squaring procedure used in +exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis +suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a +result of this defect would be very difficult to perform and are not believed +likely. Attacks against DH512 are considered just feasible. However, for an +attack the target would have to re-use the DH512 private key, which is not +recommended anyway. Also applications directly using the low level API +BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. + +CVE-2019-1551 + +Reviewed-by: Paul Dale +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/10576) +--- + crypto/bn/asm/rsaz-x86_64.pl | 399 ++++++++++++++++++----------------- + 1 file changed, 206 insertions(+), 193 deletions(-) + +diff --git a/crypto/bn/asm/rsaz-x86_64.pl b/crypto/bn/asm/rsaz-x86_64.pl +index 87ce2c34d9..e0da6d9ae5 100755 +--- a/crypto/bn/asm/rsaz-x86_64.pl ++++ b/crypto/bn/asm/rsaz-x86_64.pl +@@ -140,7 +140,7 @@ rsaz_512_sqr: # 25-29% faster than rsaz_512_mul + + subq \$128+24, %rsp + .Lsqr_body: +- movq $mod, %rbp # common argument ++ movq $mod, %xmm1 # common off-load + movq ($inp), %rdx + movq 8($inp), %rax + movq $n0, 128(%rsp) +@@ -158,7 +158,8 @@ $code.=<<___; + .Loop_sqr: + movl $times,128+8(%rsp) + #first iteration +- movq %rdx, %rbx ++ movq %rdx, %rbx # 0($inp) ++ mov %rax, %rbp # 8($inp) + mulq %rdx + movq %rax, %r8 + movq 16($inp), %rax +@@ -197,31 +198,29 @@ $code.=<<___; + mulq %rbx + addq %rax, %r14 + movq %rbx, %rax +- movq %rdx, %r15 +- adcq \$0, %r15 ++ adcq \$0, %rdx + +- addq %r8, %r8 #shlq \$1, %r8 +- movq %r9, %rcx +- adcq %r9, %r9 #shld \$1, %r8, %r9 ++ xorq %rcx,%rcx # rcx:r8 = r8 << 1 ++ addq %r8, %r8 ++ movq %rdx, %r15 ++ adcq \$0, %rcx + + mulq %rax +- movq %rax, (%rsp) +- addq %rdx, %r8 +- adcq \$0, %r9 ++ addq %r8, %rdx ++ adcq \$0, %rcx + +- movq %r8, 8(%rsp) +- shrq \$63, %rcx ++ movq %rax, (%rsp) ++ movq %rdx, 8(%rsp) + + #second iteration +- movq 8($inp), %r8 + movq 16($inp), %rax +- mulq %r8 ++ mulq %rbp + addq %rax, %r10 + movq 24($inp), %rax + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r11 + movq 32($inp), %rax + adcq \$0, %rdx +@@ -229,7 +228,7 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r12 + movq 40($inp), %rax + adcq \$0, %rdx +@@ -237,7 +236,7 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r13 + movq 48($inp), %rax + adcq \$0, %rdx +@@ -245,7 +244,7 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r14 + movq 56($inp), %rax + adcq \$0, %rdx +@@ -253,39 +252,39 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r15 +- movq %r8, %rax ++ movq %rbp, %rax + adcq \$0, %rdx + addq %rbx, %r15 +- movq %rdx, %r8 +- movq %r10, %rdx +- adcq \$0, %r8 ++ adcq \$0, %rdx + +- add %rdx, %rdx +- lea (%rcx,%r10,2), %r10 #shld \$1, %rcx, %r10 +- movq %r11, %rbx +- adcq %r11, %r11 #shld \$1, %r10, %r11 ++ xorq %rbx, %rbx # rbx:r10:r9 = r10:r9 << 1 ++ addq %r9, %r9 ++ movq %rdx, %r8 ++ adcq %r10, %r10 ++ adcq \$0, %rbx + + mulq %rax ++ addq %rcx, %rax ++ movq 16($inp), %rbp ++ adcq \$0, %rdx + addq %rax, %r9 ++ movq 24($inp), %rax + adcq %rdx, %r10 +- adcq \$0, %r11 ++ adcq \$0, %rbx + + movq %r9, 16(%rsp) + movq %r10, 24(%rsp) +- shrq \$63, %rbx +- ++ + #third iteration +- movq 16($inp), %r9 +- movq 24($inp), %rax +- mulq %r9 ++ mulq %rbp + addq %rax, %r12 + movq 32($inp), %rax + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 ++ mulq %rbp + addq %rax, %r13 + movq 40($inp), %rax + adcq \$0, %rdx +@@ -293,7 +292,7 @@ $code.=<<___; + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 ++ mulq %rbp + addq %rax, %r14 + movq 48($inp), %rax + adcq \$0, %rdx +@@ -301,9 +300,7 @@ $code.=<<___; + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 +- movq %r12, %r10 +- lea (%rbx,%r12,2), %r12 #shld \$1, %rbx, %r12 ++ mulq %rbp + addq %rax, %r15 + movq 56($inp), %rax + adcq \$0, %rdx +@@ -311,36 +308,40 @@ $code.=<<___; + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 +- shrq \$63, %r10 ++ mulq %rbp + addq %rax, %r8 +- movq %r9, %rax ++ movq %rbp, %rax + adcq \$0, %rdx + addq %rcx, %r8 +- movq %rdx, %r9 +- adcq \$0, %r9 ++ adcq \$0, %rdx + +- movq %r13, %rcx +- leaq (%r10,%r13,2), %r13 #shld \$1, %r12, %r13 ++ xorq %rcx, %rcx # rcx:r12:r11 = r12:r11 << 1 ++ addq %r11, %r11 ++ movq %rdx, %r9 ++ adcq %r12, %r12 ++ adcq \$0, %rcx + + mulq %rax ++ addq %rbx, %rax ++ movq 24($inp), %r10 ++ adcq \$0, %rdx + addq %rax, %r11 ++ movq 32($inp), %rax + adcq %rdx, %r12 +- adcq \$0, %r13 ++ adcq \$0, %rcx + + movq %r11, 32(%rsp) + movq %r12, 40(%rsp) +- shrq \$63, %rcx + + #fourth iteration +- movq 24($inp), %r10 +- movq 32($inp), %rax ++ mov %rax, %r11 # 32($inp) + mulq %r10 + addq %rax, %r14 + movq 40($inp), %rax + movq %rdx, %rbx + adcq \$0, %rbx + ++ mov %rax, %r12 # 40($inp) + mulq %r10 + addq %rax, %r15 + movq 48($inp), %rax +@@ -349,9 +350,8 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + ++ mov %rax, %rbp # 48($inp) + mulq %r10 +- movq %r14, %r12 +- leaq (%rcx,%r14,2), %r14 #shld \$1, %rcx, %r14 + addq %rax, %r8 + movq 56($inp), %rax + adcq \$0, %rdx +@@ -360,32 +360,33 @@ $code.=<<___; + adcq \$0, %rbx + + mulq %r10 +- shrq \$63, %r12 + addq %rax, %r9 + movq %r10, %rax + adcq \$0, %rdx + addq %rbx, %r9 +- movq %rdx, %r10 +- adcq \$0, %r10 ++ adcq \$0, %rdx + +- movq %r15, %rbx +- leaq (%r12,%r15,2),%r15 #shld \$1, %r14, %r15 ++ xorq %rbx, %rbx # rbx:r13:r14 = r13:r14 << 1 ++ addq %r13, %r13 ++ movq %rdx, %r10 ++ adcq %r14, %r14 ++ adcq \$0, %rbx + + mulq %rax ++ addq %rcx, %rax ++ adcq \$0, %rdx + addq %rax, %r13 ++ movq %r12, %rax # 40($inp) + adcq %rdx, %r14 +- adcq \$0, %r15 ++ adcq \$0, %rbx + + movq %r13, 48(%rsp) + movq %r14, 56(%rsp) +- shrq \$63, %rbx + + #fifth iteration +- movq 32($inp), %r11 +- movq 40($inp), %rax + mulq %r11 + addq %rax, %r8 +- movq 48($inp), %rax ++ movq %rbp, %rax # 48($inp) + movq %rdx, %rcx + adcq \$0, %rcx + +@@ -393,97 +394,99 @@ $code.=<<___; + addq %rax, %r9 + movq 56($inp), %rax + adcq \$0, %rdx +- movq %r8, %r12 +- leaq (%rbx,%r8,2), %r8 #shld \$1, %rbx, %r8 + addq %rcx, %r9 + movq %rdx, %rcx + adcq \$0, %rcx + ++ mov %rax, %r14 # 56($inp) + mulq %r11 +- shrq \$63, %r12 + addq %rax, %r10 + movq %r11, %rax + adcq \$0, %rdx + addq %rcx, %r10 +- movq %rdx, %r11 +- adcq \$0, %r11 ++ adcq \$0, %rdx + +- movq %r9, %rcx +- leaq (%r12,%r9,2), %r9 #shld \$1, %r8, %r9 ++ xorq %rcx, %rcx # rcx:r8:r15 = r8:r15 << 1 ++ addq %r15, %r15 ++ movq %rdx, %r11 ++ adcq %r8, %r8 ++ adcq \$0, %rcx + + mulq %rax ++ addq %rbx, %rax ++ adcq \$0, %rdx + addq %rax, %r15 ++ movq %rbp, %rax # 48($inp) + adcq %rdx, %r8 +- adcq \$0, %r9 ++ adcq \$0, %rcx + + movq %r15, 64(%rsp) + movq %r8, 72(%rsp) +- shrq \$63, %rcx + + #sixth iteration +- movq 40($inp), %r12 +- movq 48($inp), %rax + mulq %r12 + addq %rax, %r10 +- movq 56($inp), %rax ++ movq %r14, %rax # 56($inp) + movq %rdx, %rbx + adcq \$0, %rbx + + mulq %r12 + addq %rax, %r11 + movq %r12, %rax +- movq %r10, %r15 +- leaq (%rcx,%r10,2), %r10 #shld \$1, %rcx, %r10 + adcq \$0, %rdx +- shrq \$63, %r15 + addq %rbx, %r11 +- movq %rdx, %r12 +- adcq \$0, %r12 ++ adcq \$0, %rdx + +- movq %r11, %rbx +- leaq (%r15,%r11,2), %r11 #shld \$1, %r10, %r11 ++ xorq %rbx, %rbx # rbx:r10:r9 = r10:r9 << 1 ++ addq %r9, %r9 ++ movq %rdx, %r12 ++ adcq %r10, %r10 ++ adcq \$0, %rbx + + mulq %rax ++ addq %rcx, %rax ++ adcq \$0, %rdx + addq %rax, %r9 ++ movq %r14, %rax # 56($inp) + adcq %rdx, %r10 +- adcq \$0, %r11 ++ adcq \$0, %rbx + + movq %r9, 80(%rsp) + movq %r10, 88(%rsp) + + #seventh iteration +- movq 48($inp), %r13 +- movq 56($inp), %rax +- mulq %r13 ++ mulq %rbp + addq %rax, %r12 +- movq %r13, %rax +- movq %rdx, %r13 +- adcq \$0, %r13 ++ movq %rbp, %rax ++ adcq \$0, %rdx + +- xorq %r14, %r14 +- shlq \$1, %rbx +- adcq %r12, %r12 #shld \$1, %rbx, %r12 +- adcq %r13, %r13 #shld \$1, %r12, %r13 +- adcq %r14, %r14 #shld \$1, %r13, %r14 ++ xorq %rcx, %rcx # rcx:r12:r11 = r12:r11 << 1 ++ addq %r11, %r11 ++ movq %rdx, %r13 ++ adcq %r12, %r12 ++ adcq \$0, %rcx + + mulq %rax ++ addq %rbx, %rax ++ adcq \$0, %rdx + addq %rax, %r11 ++ movq %r14, %rax # 56($inp) + adcq %rdx, %r12 +- adcq \$0, %r13 ++ adcq \$0, %rcx + + movq %r11, 96(%rsp) + movq %r12, 104(%rsp) + + #eighth iteration +- movq 56($inp), %rax ++ xorq %rbx, %rbx # rbx:r13 = r13 << 1 ++ addq %r13, %r13 ++ adcq \$0, %rbx ++ + mulq %rax +- addq %rax, %r13 ++ addq %rcx, %rax + adcq \$0, %rdx +- +- addq %rdx, %r14 +- +- movq %r13, 112(%rsp) +- movq %r14, 120(%rsp) ++ addq %r13, %rax ++ adcq %rbx, %rdx + + movq (%rsp), %r8 + movq 8(%rsp), %r9 +@@ -493,6 +496,10 @@ $code.=<<___; + movq 40(%rsp), %r13 + movq 48(%rsp), %r14 + movq 56(%rsp), %r15 ++ movq %xmm1, %rbp ++ ++ movq %rax, 112(%rsp) ++ movq %rdx, 120(%rsp) + + call __rsaz_512_reduce + +@@ -524,9 +531,9 @@ $code.=<<___; + .Loop_sqrx: + movl $times,128+8(%rsp) + movq $out, %xmm0 # off-load +- movq %rbp, %xmm1 # off-load +-#first iteration ++#first iteration + mulx %rax, %r8, %r9 ++ mov %rax, %rbx + + mulx 16($inp), %rcx, %r10 + xor %rbp, %rbp # cf=0, of=0 +@@ -534,40 +541,39 @@ $code.=<<___; + mulx 24($inp), %rax, %r11 + adcx %rcx, %r9 + +- mulx 32($inp), %rcx, %r12 ++ .byte 0xc4,0x62,0xf3,0xf6,0xa6,0x20,0x00,0x00,0x00 # mulx 32($inp), %rcx, %r12 + adcx %rax, %r10 + +- mulx 40($inp), %rax, %r13 ++ .byte 0xc4,0x62,0xfb,0xf6,0xae,0x28,0x00,0x00,0x00 # mulx 40($inp), %rax, %r13 + adcx %rcx, %r11 + +- .byte 0xc4,0x62,0xf3,0xf6,0xb6,0x30,0x00,0x00,0x00 # mulx 48($inp), %rcx, %r14 ++ mulx 48($inp), %rcx, %r14 + adcx %rax, %r12 + adcx %rcx, %r13 + +- .byte 0xc4,0x62,0xfb,0xf6,0xbe,0x38,0x00,0x00,0x00 # mulx 56($inp), %rax, %r15 ++ mulx 56($inp), %rax, %r15 + adcx %rax, %r14 + adcx %rbp, %r15 # %rbp is 0 + +- mov %r9, %rcx +- shld \$1, %r8, %r9 +- shl \$1, %r8 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx +- adcx %rdx, %r8 +- mov 8($inp), %rdx +- adcx %rbp, %r9 ++ mulx %rdx, %rax, $out ++ mov %rbx, %rdx # 8($inp) ++ xor %rcx, %rcx ++ adox %r8, %r8 ++ adcx $out, %r8 ++ adox %rbp, %rcx ++ adcx %rbp, %rcx + + mov %rax, (%rsp) + mov %r8, 8(%rsp) + +-#second iteration +- mulx 16($inp), %rax, %rbx ++#second iteration ++ .byte 0xc4,0xe2,0xfb,0xf6,0x9e,0x10,0x00,0x00,0x00 # mulx 16($inp), %rax, %rbx + adox %rax, %r10 + adcx %rbx, %r11 + +- .byte 0xc4,0x62,0xc3,0xf6,0x86,0x18,0x00,0x00,0x00 # mulx 24($inp), $out, %r8 ++ mulx 24($inp), $out, %r8 + adox $out, %r11 ++ .byte 0x66 + adcx %r8, %r12 + + mulx 32($inp), %rax, %rbx +@@ -585,24 +591,25 @@ $code.=<<___; + .byte 0xc4,0x62,0xc3,0xf6,0x86,0x38,0x00,0x00,0x00 # mulx 56($inp), $out, %r8 + adox $out, %r15 + adcx %rbp, %r8 ++ mulx %rdx, %rax, $out + adox %rbp, %r8 ++ .byte 0x48,0x8b,0x96,0x10,0x00,0x00,0x00 # mov 16($inp), %rdx + +- mov %r11, %rbx +- shld \$1, %r10, %r11 +- shld \$1, %rcx, %r10 +- +- xor %ebp,%ebp +- mulx %rdx, %rax, %rcx +- mov 16($inp), %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r9, %r9 ++ adcx %rbp, $out ++ adox %r10, %r10 + adcx %rax, %r9 +- adcx %rcx, %r10 +- adcx %rbp, %r11 ++ adox %rbp, %rbx ++ adcx $out, %r10 ++ adcx %rbp, %rbx + + mov %r9, 16(%rsp) + .byte 0x4c,0x89,0x94,0x24,0x18,0x00,0x00,0x00 # mov %r10, 24(%rsp) +- +-#third iteration +- .byte 0xc4,0x62,0xc3,0xf6,0x8e,0x18,0x00,0x00,0x00 # mulx 24($inp), $out, %r9 ++ ++#third iteration ++ mulx 24($inp), $out, %r9 + adox $out, %r12 + adcx %r9, %r13 + +@@ -610,7 +617,7 @@ $code.=<<___; + adox %rax, %r13 + adcx %rcx, %r14 + +- mulx 40($inp), $out, %r9 ++ .byte 0xc4,0x62,0xc3,0xf6,0x8e,0x28,0x00,0x00,0x00 # mulx 40($inp), $out, %r9 + adox $out, %r14 + adcx %r9, %r15 + +@@ -618,27 +625,28 @@ $code.=<<___; + adox %rax, %r15 + adcx %rcx, %r8 + +- .byte 0xc4,0x62,0xc3,0xf6,0x8e,0x38,0x00,0x00,0x00 # mulx 56($inp), $out, %r9 ++ mulx 56($inp), $out, %r9 + adox $out, %r8 + adcx %rbp, %r9 ++ mulx %rdx, %rax, $out + adox %rbp, %r9 ++ mov 24($inp), %rdx + +- mov %r13, %rcx +- shld \$1, %r12, %r13 +- shld \$1, %rbx, %r12 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rcx, %rcx ++ adcx %rbx, %rax ++ adox %r11, %r11 ++ adcx %rbp, $out ++ adox %r12, %r12 + adcx %rax, %r11 +- adcx %rdx, %r12 +- mov 24($inp), %rdx +- adcx %rbp, %r13 ++ adox %rbp, %rcx ++ adcx $out, %r12 ++ adcx %rbp, %rcx + + mov %r11, 32(%rsp) +- .byte 0x4c,0x89,0xa4,0x24,0x28,0x00,0x00,0x00 # mov %r12, 40(%rsp) +- +-#fourth iteration +- .byte 0xc4,0xe2,0xfb,0xf6,0x9e,0x20,0x00,0x00,0x00 # mulx 32($inp), %rax, %rbx ++ mov %r12, 40(%rsp) ++ ++#fourth iteration ++ mulx 32($inp), %rax, %rbx + adox %rax, %r14 + adcx %rbx, %r15 + +@@ -653,25 +661,25 @@ $code.=<<___; + mulx 56($inp), $out, %r10 + adox $out, %r9 + adcx %rbp, %r10 ++ mulx %rdx, %rax, $out + adox %rbp, %r10 ++ mov 32($inp), %rdx + +- .byte 0x66 +- mov %r15, %rbx +- shld \$1, %r14, %r15 +- shld \$1, %rcx, %r14 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r13, %r13 ++ adcx %rbp, $out ++ adox %r14, %r14 + adcx %rax, %r13 +- adcx %rdx, %r14 +- mov 32($inp), %rdx +- adcx %rbp, %r15 ++ adox %rbp, %rbx ++ adcx $out, %r14 ++ adcx %rbp, %rbx + + mov %r13, 48(%rsp) + mov %r14, 56(%rsp) +- +-#fifth iteration +- .byte 0xc4,0x62,0xc3,0xf6,0x9e,0x28,0x00,0x00,0x00 # mulx 40($inp), $out, %r11 ++ ++#fifth iteration ++ mulx 40($inp), $out, %r11 + adox $out, %r8 + adcx %r11, %r9 + +@@ -682,18 +690,19 @@ $code.=<<___; + mulx 56($inp), $out, %r11 + adox $out, %r10 + adcx %rbp, %r11 ++ mulx %rdx, %rax, $out ++ mov 40($inp), %rdx + adox %rbp, %r11 + +- mov %r9, %rcx +- shld \$1, %r8, %r9 +- shld \$1, %rbx, %r8 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rcx, %rcx ++ adcx %rbx, %rax ++ adox %r15, %r15 ++ adcx %rbp, $out ++ adox %r8, %r8 + adcx %rax, %r15 +- adcx %rdx, %r8 +- mov 40($inp), %rdx +- adcx %rbp, %r9 ++ adox %rbp, %rcx ++ adcx $out, %r8 ++ adcx %rbp, %rcx + + mov %r15, 64(%rsp) + mov %r8, 72(%rsp) +@@ -706,18 +715,19 @@ $code.=<<___; + .byte 0xc4,0x62,0xc3,0xf6,0xa6,0x38,0x00,0x00,0x00 # mulx 56($inp), $out, %r12 + adox $out, %r11 + adcx %rbp, %r12 ++ mulx %rdx, %rax, $out + adox %rbp, %r12 ++ mov 48($inp), %rdx + +- mov %r11, %rbx +- shld \$1, %r10, %r11 +- shld \$1, %rcx, %r10 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r9, %r9 ++ adcx %rbp, $out ++ adox %r10, %r10 + adcx %rax, %r9 +- adcx %rdx, %r10 +- mov 48($inp), %rdx +- adcx %rbp, %r11 ++ adcx $out, %r10 ++ adox %rbp, %rbx ++ adcx %rbp, %rbx + + mov %r9, 80(%rsp) + mov %r10, 88(%rsp) +@@ -727,31 +737,31 @@ $code.=<<___; + adox %rax, %r12 + adox %rbp, %r13 + +- xor %r14, %r14 +- shld \$1, %r13, %r14 +- shld \$1, %r12, %r13 +- shld \$1, %rbx, %r12 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx +- adcx %rax, %r11 +- adcx %rdx, %r12 ++ mulx %rdx, %rax, $out ++ xor %rcx, %rcx + mov 56($inp), %rdx +- adcx %rbp, %r13 ++ adcx %rbx, %rax ++ adox %r11, %r11 ++ adcx %rbp, $out ++ adox %r12, %r12 ++ adcx %rax, %r11 ++ adox %rbp, %rcx ++ adcx $out, %r12 ++ adcx %rbp, %rcx + + .byte 0x4c,0x89,0x9c,0x24,0x60,0x00,0x00,0x00 # mov %r11, 96(%rsp) + .byte 0x4c,0x89,0xa4,0x24,0x68,0x00,0x00,0x00 # mov %r12, 104(%rsp) + + #eighth iteration + mulx %rdx, %rax, %rdx +- adox %rax, %r13 +- adox %rbp, %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r13, %r13 ++ adcx %rbp, %rdx ++ adox %rbp, %rbx ++ adcx %r13, %rax ++ adcx %rdx, %rbx + +- .byte 0x66 +- add %rdx, %r14 +- +- movq %r13, 112(%rsp) +- movq %r14, 120(%rsp) + movq %xmm0, $out + movq %xmm1, %rbp + +@@ -765,6 +775,9 @@ $code.=<<___; + movq 48(%rsp), %r14 + movq 56(%rsp), %r15 + ++ movq %rax, 112(%rsp) ++ movq %rbx, 120(%rsp) ++ + call __rsaz_512_reducex + + addq 64(%rsp), %r8 +-- +2.17.1 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2019-1559.patch openssl-1.0.2g/debian/patches/CVE-2019-1559.patch --- openssl-1.0.2g/debian/patches/CVE-2019-1559.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2019-1559.patch 2019-02-26 18:15:37.000000000 +0000 @@ -0,0 +1,59 @@ +Backport of: + +From e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 14 Dec 2018 07:28:30 +0000 +Subject: [PATCH] Go into the error state if a fatal alert is sent or received + +If an application calls SSL_shutdown after a fatal alert has occured and +then behaves different based on error codes from that function then the +application may be vulnerable to a padding oracle. + +CVE-2019-1559 + +Reviewed-by: Richard Levitte +--- + ssl/d1_pkt.c | 1 + + ssl/s3_pkt.c | 10 +++++++--- + 2 files changed, 8 insertions(+), 3 deletions(-) + +Index: openssl-1.0.2g/ssl/d1_pkt.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/d1_pkt.c 2019-02-26 13:09:11.010950562 -0500 ++++ openssl-1.0.2g/ssl/d1_pkt.c 2019-02-26 13:12:42.259997034 -0500 +@@ -1267,6 +1267,7 @@ int dtls1_read_bytes(SSL *s, int type, u + ERR_add_error_data(2, "SSL alert number ", tmp); + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + SSL_CTX_remove_session(s->ctx, s->session); ++ s->state = SSL_ST_ERR; + return (0); + } else { + al = SSL_AD_ILLEGAL_PARAMETER; +Index: openssl-1.0.2g/ssl/s3_pkt.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/s3_pkt.c 2019-02-26 13:09:11.010950562 -0500 ++++ openssl-1.0.2g/ssl/s3_pkt.c 2019-02-26 13:15:26.492809651 -0500 +@@ -1489,6 +1489,7 @@ int ssl3_read_bytes(SSL *s, int type, un + ERR_add_error_data(2, "SSL alert number ", tmp); + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + SSL_CTX_remove_session(s->ctx, s->session); ++ s->state = SSL_ST_ERR; + return (0); + } else { + al = SSL_AD_ILLEGAL_PARAMETER; +@@ -1708,9 +1709,12 @@ int ssl3_send_alert(SSL *s, int level, i + * protocol_version alerts */ + if (desc < 0) + return -1; +- /* If a fatal one, remove from cache */ +- if ((level == 2) && (s->session != NULL)) +- SSL_CTX_remove_session(s->ctx, s->session); ++ /* If a fatal one, remove from cache and go into the error state */ ++ if (level == SSL3_AL_FATAL) { ++ if (s->session != NULL) ++ SSL_CTX_remove_session(s->ctx, s->session); ++ s->state = SSL_ST_ERR; ++ } + + s->s3->alert_dispatch = 1; + s->s3->send_alert[0] = level; diff -Nru openssl-1.0.2g/debian/patches/CVE-2019-1563.patch openssl-1.0.2g/debian/patches/CVE-2019-1563.patch --- openssl-1.0.2g/debian/patches/CVE-2019-1563.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2019-1563.patch 2020-05-27 19:17:45.000000000 +0000 @@ -0,0 +1,162 @@ +From e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 1 Sep 2019 00:16:28 +0200 +Subject: [PATCH] Fix a padding oracle in PKCS7_dataDecode and + CMS_decrypt_set1_pkey + +An attack is simple, if the first CMS_recipientInfo is valid but the +second CMS_recipientInfo is chosen ciphertext. If the second +recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct +encryption key will be replaced by garbage, and the message cannot be +decoded, but if the RSA decryption fails, the correct encryption key is +used and the recipient will not notice the attack. + +As a work around for this potential attack the length of the decrypted +key must be equal to the cipher default key length, in case the +certifiate is not given and all recipientInfo are tried out. + +The old behaviour can be re-enabled in the CMS code by setting the +CMS_DEBUG_DECRYPT flag. + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/9777) + +(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37) +--- + CHANGES | 14 ++++++++++++++ + crypto/cms/cms_env.c | 18 +++++++++++++++++- + crypto/cms/cms_lcl.h | 2 ++ + crypto/cms/cms_smime.c | 4 ++++ + crypto/pkcs7/pk7_doit.c | 12 ++++++++---- + 5 files changed, 45 insertions(+), 5 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index eff1121106..dbe5c1d043 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -39,6 +39,20 @@ +# (CVE-2019-1547) +# [Billy Bob Brumley] +# +#+ *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. +#+ An attack is simple, if the first CMS_recipientInfo is valid but the +#+ second CMS_recipientInfo is chosen ciphertext. If the second +#+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct +#+ encryption key will be replaced by garbage, and the message cannot be +#+ decoded, but if the RSA decryption fails, the correct encryption key is +#+ used and the recipient will not notice the attack. +#+ As a work around for this potential attack the length of the decrypted +#+ key must be equal to the cipher default key length, in case the +#+ certifiate is not given and all recipientInfo are tried out. +#+ The old behaviour can be re-enabled in the CMS code by setting the +#+ CMS_DEBUG_DECRYPT flag. +#+ [Bernd Edlinger] +#+ +# *) Document issue with installation paths in diverse Windows builds +# +# '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL +--- a/crypto/cms/cms_env.c ++++ b/crypto/cms/cms_env.c +@@ -422,6 +422,7 @@ static int cms_RecipientInfo_ktri_decryp + unsigned char *ek = NULL; + size_t eklen; + int ret = 0; ++ size_t fixlen = 0; + CMS_EncryptedContentInfo *ec; + ec = cms->d.envelopedData->encryptedContentInfo; + +@@ -430,6 +431,19 @@ static int cms_RecipientInfo_ktri_decryp + return 0; + } + ++ if (cms->d.envelopedData->encryptedContentInfo->havenocert ++ && !cms->d.envelopedData->encryptedContentInfo->debug) { ++ X509_ALGOR *calg = ec->contentEncryptionAlgorithm; ++ const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm); ++ ++ if (ciph == NULL) { ++ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER); ++ return 0; ++ } ++ ++ fixlen = EVP_CIPHER_key_length(ciph); ++ } ++ + ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL); + if (!ktri->pctx) + return 0; +@@ -460,7 +474,9 @@ static int cms_RecipientInfo_ktri_decryp + + if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen, + ktri->encryptedKey->data, +- ktri->encryptedKey->length) <= 0) { ++ ktri->encryptedKey->length) <= 0 ++ || eklen == 0 ++ || (fixlen != 0 && eklen != fixlen)) { + CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB); + goto err; + } +--- a/crypto/cms/cms_lcl.h ++++ b/crypto/cms/cms_lcl.h +@@ -172,6 +172,8 @@ struct CMS_EncryptedContentInfo_st { + size_t keylen; + /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ + int debug; ++ /* Set to 1 if we have no cert and need extra safety measures for MMA */ ++ int havenocert; + }; + + struct CMS_RecipientInfo_st { +--- a/crypto/cms/cms_smime.c ++++ b/crypto/cms/cms_smime.c +@@ -737,6 +737,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EV + cms->d.envelopedData->encryptedContentInfo->debug = 1; + else + cms->d.envelopedData->encryptedContentInfo->debug = 0; ++ if (!cert) ++ cms->d.envelopedData->encryptedContentInfo->havenocert = 1; ++ else ++ cms->d.envelopedData->encryptedContentInfo->havenocert = 0; + if (!pk && !cert && !dcont && !out) + return 1; + if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert)) +--- a/crypto/pkcs7/pk7_doit.c ++++ b/crypto/pkcs7/pk7_doit.c +@@ -191,7 +191,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECI + } + + static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, +- PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey) ++ PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey, ++ size_t fixlen) + { + EVP_PKEY_CTX *pctx = NULL; + unsigned char *ek = NULL; +@@ -224,7 +225,9 @@ static int pkcs7_decrypt_rinfo(unsigned + } + + if (EVP_PKEY_decrypt(pctx, ek, &eklen, +- ri->enc_key->data, ri->enc_key->length) <= 0) { ++ ri->enc_key->data, ri->enc_key->length) <= 0 ++ || eklen == 0 ++ || (fixlen != 0 && eklen != fixlen)) { + ret = 0; + PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB); + goto err; +@@ -569,13 +572,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { + ri = sk_PKCS7_RECIP_INFO_value(rsk, i); + +- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) ++ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, ++ EVP_CIPHER_key_length(evp_cipher)) < 0) + goto err; + ERR_clear_error(); + } + } else { + /* Only exit on fatal errors, not decrypt failure */ +- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) ++ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0) + goto err; + ERR_clear_error(); + } diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1968.patch openssl-1.0.2g/debian/patches/CVE-2020-1968.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1968.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1968.patch 2020-09-15 18:13:20.000000000 +0000 @@ -0,0 +1,279 @@ +Description: disable ciphers vulnerable to CVE-2020-1968 +Author: Marc Deslauriers + +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -373,6 +373,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + #endif + + /* Cipher 0D */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, +@@ -387,6 +388,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 112, + 168, + }, ++#endif + + /* Cipher 0E */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -425,6 +427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + #endif + + /* Cipher 10 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, +@@ -439,6 +442,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 112, + 168, + }, ++#endif + + /* The Ephemeral DH ciphers */ + /* Cipher 11 */ +@@ -942,6 +946,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + }, + /* Cipher 30 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_128_SHA, +@@ -956,7 +961,9 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + /* Cipher 31 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_128_SHA, +@@ -971,6 +978,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + /* Cipher 32 */ + { + 1, +@@ -1033,6 +1041,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + }, + /* Cipher 36 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_256_SHA, +@@ -1047,8 +1056,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 37 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_256_SHA, +@@ -1063,6 +1074,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 38 */ + { +@@ -1162,6 +1174,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher 3E */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, +@@ -1176,8 +1189,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 3F */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_128_SHA256, +@@ -1192,6 +1207,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 40 */ + { +@@ -1229,6 +1245,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher 42 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, +@@ -1243,8 +1260,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 43 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, +@@ -1259,6 +1278,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 44 */ + { +@@ -1452,6 +1472,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher 68 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, +@@ -1466,8 +1487,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 69 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_256_SHA256, +@@ -1482,6 +1505,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 6A */ + { +@@ -1621,6 +1645,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + }, + /* Cipher 85 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, +@@ -1635,8 +1660,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 86 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, +@@ -1651,6 +1678,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 87 */ + { +@@ -1787,6 +1815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher 97 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_SEED_SHA, +@@ -1801,8 +1830,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 98 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_SEED_SHA, +@@ -1817,6 +1848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 99 */ + { +@@ -1935,6 +1967,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher A0 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256, +@@ -1949,8 +1982,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher A1 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384, +@@ -1965,6 +2000,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher A2 */ + { +@@ -1999,6 +2035,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher A4 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, +@@ -2013,8 +2050,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher A5 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, +@@ -2029,6 +2068,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher A6 */ + { diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-1.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-1.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1971-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1971-1.patch 2020-12-02 15:15:20.000000000 +0000 @@ -0,0 +1,34 @@ +From ae1e7c236db52fea0c84cb84ddbfe3d03c55ba4a Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 11 Nov 2020 15:19:34 +0000 +Subject: [PATCH] DirectoryString is a CHOICE type and therefore uses explicit + tagging + +EDIPartyName has 2 fields that use a DirectoryString. However they were +marked as implicit tagging - which is not correct for a CHOICE type. + +Additionally the partyName field was marked as Optional when, according to +RFC5280 it is not. + +Many thanks to github user @filipnavara for reporting this issue. Also to +David Benjamin from Google who independently identified and reported it. + +Fixes #6859 +--- + crypto/x509v3/v3_genn.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/crypto/x509v3/v3_genn.c ++++ b/crypto/x509v3/v3_genn.c +@@ -72,8 +72,9 @@ ASN1_SEQUENCE(OTHERNAME) = { + IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME) + + ASN1_SEQUENCE(EDIPARTYNAME) = { +- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), +- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) ++ /* DirectoryString is a CHOICE type so use explicit tagging */ ++ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), ++ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) + } ASN1_SEQUENCE_END(EDIPARTYNAME) + + IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME) diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-2.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-2.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1971-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1971-2.patch 2020-12-02 15:15:26.000000000 +0000 @@ -0,0 +1,94 @@ +From 84743d3e7fae623c0a20bd727ec6e8c4031bf42f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 11 Nov 2020 16:12:58 +0000 +Subject: [PATCH] Correctly compare EdiPartyName in GENERAL_NAME_cmp() + +If a GENERAL_NAME field contained EdiPartyName data then it was +incorrectly being handled as type "other". This could lead to a +segmentation fault. + +Many thanks to David Benjamin from Google for reporting this issue. + +CVE-2020-1971 +--- + crypto/x509v3/v3_genn.c | 45 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 42 insertions(+), 3 deletions(-) + +--- a/crypto/x509v3/v3_genn.c ++++ b/crypto/x509v3/v3_genn.c +@@ -108,6 +108,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_N + (char *)a); + } + ++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) ++{ ++ int res; ++ ++ if (a == NULL || b == NULL) { ++ /* ++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it ++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here ++ */ ++ return -1; ++ } ++ if (a->nameAssigner == NULL && b->nameAssigner != NULL) ++ return -1; ++ if (a->nameAssigner != NULL && b->nameAssigner == NULL) ++ return 1; ++ /* If we get here then both have nameAssigner set, or both unset */ ++ if (a->nameAssigner != NULL) { ++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); ++ if (res != 0) ++ return res; ++ } ++ /* ++ * partyName is required, so these should never be NULL. We treat it in ++ * the same way as the a == NULL || b == NULL case above ++ */ ++ if (a->partyName == NULL || b->partyName == NULL) ++ return -1; ++ ++ return ASN1_STRING_cmp(a->partyName, b->partyName); ++} ++ + /* Returns 0 if they are equal, != 0 otherwise. */ + int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + { +@@ -117,8 +148,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GE + return -1; + switch (a->type) { + case GEN_X400: ++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ break; ++ + case GEN_EDIPARTY: +- result = ASN1_TYPE_cmp(a->d.other, b->d.other); ++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); + break; + + case GEN_OTHERNAME: +@@ -165,8 +199,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAM + { + switch (type) { + case GEN_X400: ++ a->d.x400Address = value; ++ break; ++ + case GEN_EDIPARTY: +- a->d.other = value; ++ a->d.ediPartyName = value; + break; + + case GEN_OTHERNAME: +@@ -200,8 +237,10 @@ void *GENERAL_NAME_get0_value(GENERAL_NA + *ptype = a->type; + switch (a->type) { + case GEN_X400: ++ return a->d.x400Address; ++ + case GEN_EDIPARTY: +- return a->d.other; ++ return a->d.ediPartyName; + + case GEN_OTHERNAME: + return a->d.otherName; diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-3.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-3.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1971-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1971-3.patch 2020-12-02 15:58:53.000000000 +0000 @@ -0,0 +1,82 @@ +Backport of: + +From c521851116486d0cb351c46506d309dce0ae4c56 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 12 Nov 2020 11:58:12 +0000 +Subject: [PATCH] Check that multi-strings/CHOICE types don't use implicit + tagging + +It never makes sense for multi-string or CHOICE types to use implicit +tagging since the content would be ambiguous. It is an error in the +template if this ever happens. If we detect it we should stop parsing. + +Thanks to David Benjamin from Google for reporting this issue. +--- + crypto/asn1/asn1_err.c | 1 + + crypto/asn1/tasn_dec.c | 19 +++++++++++++++++++ + crypto/err/openssl.txt | 1 + + include/openssl/asn1err.h | 1 + + 4 files changed, 22 insertions(+) + +--- a/crypto/asn1/asn1_err.c ++++ b/crypto/asn1/asn1_err.c +@@ -202,6 +202,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ + {ERR_REASON(ASN1_R_AUX_ERROR), "aux error"}, + {ERR_REASON(ASN1_R_BAD_CLASS), "bad class"}, + {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER), "bad object header"}, ++ {ERR_REASON(ASN1_R_BAD_TEMPLATE), "bad template"}, + {ERR_REASON(ASN1_R_BAD_PASSWORD_READ), "bad password read"}, + {ERR_REASON(ASN1_R_BAD_TAG), "bad tag"}, + {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH), +--- a/crypto/asn1/tasn_dec.c ++++ b/crypto/asn1/tasn_dec.c +@@ -223,6 +223,15 @@ static int asn1_item_ex_d2i(ASN1_VALUE * + break; + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + p = *in; + /* Just read in tag and class */ + ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, +@@ -240,6 +249,7 @@ static int asn1_item_ex_d2i(ASN1_VALUE * + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL); + goto err; + } ++ + /* Check tag matches bit map */ + if (!(ASN1_tag2bit(otag) & it->utype)) { + /* If OPTIONAL, assume this is OK */ +@@ -316,6 +326,15 @@ static int asn1_item_ex_d2i(ASN1_VALUE * + goto err; + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + if (*pval) { +--- a/crypto/asn1/asn1.h ++++ b/crypto/asn1/asn1.h +@@ -1306,6 +1306,7 @@ void ERR_load_ASN1_strings(void); + # define ASN1_R_AUX_ERROR 100 + # define ASN1_R_BAD_CLASS 101 + # define ASN1_R_BAD_OBJECT_HEADER 102 ++# define ASN1_R_BAD_TEMPLATE 230 + # define ASN1_R_BAD_PASSWORD_READ 103 + # define ASN1_R_BAD_TAG 104 + # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214 diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-4.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-4.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1971-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1971-4.patch 2020-12-02 15:28:54.000000000 +0000 @@ -0,0 +1,68 @@ +Backport of: + +From 69f3d3c405991b0d6eea78d554b6aab4daeb4514 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 12 Nov 2020 14:55:31 +0000 +Subject: [PATCH] Complain if we are attempting to encode with an invalid ASN.1 + template + +It never makes sense for multi-string or CHOICE types to have implicit +tagging. If we have a template that uses the in this way then we +should immediately fail. + +Thanks to David Benjamin from Google for reporting this issue. +--- + crypto/asn1/asn1_err.c | 3 ++- + crypto/asn1/tasn_enc.c | 16 ++++++++++++++++ + crypto/err/openssl.txt | 1 + + include/openssl/asn1err.h | 7 +++---- + 4 files changed, 22 insertions(+), 5 deletions(-) + +--- a/crypto/asn1/asn1_err.c ++++ b/crypto/asn1/asn1_err.c +@@ -103,6 +103,7 @@ static ERR_STRING_DATA ASN1_str_functs[] + {ERR_FUNC(ASN1_F_ASN1_ITEM_DUP), "ASN1_item_dup"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW), "ASN1_ITEM_EX_COMBINE_NEW"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"}, ++ {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_I2D), "ASN1_item_ex_i2d"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO), "ASN1_item_i2d_bio"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"}, +--- a/crypto/asn1/tasn_enc.c ++++ b/crypto/asn1/tasn_enc.c +@@ -150,9 +150,25 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, + break; + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) + return 0; + i = asn1_get_choice_selector(pval, it); +--- a/crypto/asn1/asn1.h ++++ b/crypto/asn1/asn1.h +@@ -1210,6 +1210,7 @@ void ERR_load_ASN1_strings(void); + # define ASN1_F_ASN1_ITEM_DUP 191 + # define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW 121 + # define ASN1_F_ASN1_ITEM_EX_D2I 120 ++# define ASN1_F_ASN1_ITEM_EX_I2D 144 + # define ASN1_F_ASN1_ITEM_I2D_BIO 192 + # define ASN1_F_ASN1_ITEM_I2D_FP 193 + # define ASN1_F_ASN1_ITEM_PACK 198 diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-5.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-5.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1971-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1971-5.patch 2020-12-02 18:11:20.000000000 +0000 @@ -0,0 +1,385 @@ +Backport of: + +From c3e7925c31675ad42d9e7d1974e98c10d4fef5df Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Mon, 30 Nov 2020 13:50:52 +0000 +Subject: [PATCH] Add a test for GENERAL_NAME_cmp + +Based on a boringssl test contributed by David Benjamin +--- + test/v3nametest.c | 344 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 344 insertions(+) + +--- a/crypto/x509v3/v3nametest.c ++++ b/crypto/x509v3/v3nametest.c +@@ -3,6 +3,8 @@ + #include "../e_os.h" + #include + ++#define OSSL_NELEM(x) (sizeof(x)/sizeof(x[0])) ++ + static const char *const names[] = { + "a", "b", ".", "*", "@", + ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..", +@@ -321,6 +323,349 @@ static void run_cert(X509 *crt, const ch + } + } + ++struct gennamedata { ++ const unsigned char der[22]; ++ size_t derlen; ++} gennames[] = { ++ { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * SEQUENCE {} ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x30, 0x00 ++ }, ++ 21 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * [APPLICATION 0] {} ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x60, 0x00 ++ }, ++ 21 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.2 } ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x02, 0xa0, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * UTF8String { "b" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * BOOLEAN { TRUE } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0xff ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * BOOLEAN { FALSE } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0x00 ++ }, ++ 22 ++ }, { ++ /* [1 PRIMITIVE] { "a" } */ ++ { ++ 0x81, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [1 PRIMITIVE] { "b" } */ ++ { ++ 0x81, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* [2 PRIMITIVE] { "a" } */ ++ { ++ 0x82, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [2 PRIMITIVE] { "b" } */ ++ { ++ 0x82, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* ++ * [4] { ++ * SEQUENCE { ++ * SET { ++ * SEQUENCE { ++ * # commonName ++ * OBJECT_IDENTIFIER { 2.5.4.3 } ++ * UTF8String { "a" } ++ * } ++ * } ++ * } ++ * } ++ */ ++ { ++ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, ++ 0x04, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 16 ++ }, { ++ /* ++ * [4] { ++ * SEQUENCE { ++ * SET { ++ * SEQUENCE { ++ * # commonName ++ * OBJECT_IDENTIFIER { 2.5.4.3 } ++ * UTF8String { "b" } ++ * } ++ * } ++ * } ++ * } ++ */ ++ { ++ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, ++ 0x04, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 16 ++ }, { ++ /* ++ * [5] { ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 7 ++ }, { ++ /* ++ * [5] { ++ * [1] { ++ * UTF8String { "b" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 7 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String {} ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x09, 0xa0, 0x02, 0x0c, 0x00, 0xa1, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 11 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x61, 0xa1, 0x03, 0x0c, 0x01, ++ 0x61 ++ }, ++ 12 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String { "b" } ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x62, 0xa1, 0x03, 0x0c, 0x01, ++ 0x61 ++ }, ++ 12 ++ }, { ++ /* [6 PRIMITIVE] { "a" } */ ++ { ++ 0x86, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [6 PRIMITIVE] { "b" } */ ++ { ++ 0x86, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* [7 PRIMITIVE] { `11111111` } */ ++ { ++ 0x87, 0x04, 0x11, 0x11, 0x11, 0x11 ++ }, ++ 6 ++ }, { ++ /* [7 PRIMITIVE] { `22222222`} */ ++ { ++ 0x87, 0x04, 0x22, 0x22, 0x22, 0x22 ++ }, ++ 6 ++ }, { ++ /* [7 PRIMITIVE] { `11111111111111111111111111111111` } */ ++ { ++ 0x87, 0x10, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, ++ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11 ++ }, ++ 18 ++ }, { ++ /* [7 PRIMITIVE] { `22222222222222222222222222222222` } */ ++ { ++ 0x87, 0x10, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, ++ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 ++ }, ++ 18 ++ }, { ++ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.1 } */ ++ { ++ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, ++ 0xb7, 0x09, 0x02, 0x01 ++ }, ++ 15 ++ }, { ++ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.2 } */ ++ { ++ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, ++ 0xb7, 0x09, 0x02, 0x02 ++ }, ++ 15 ++ } ++}; ++ ++static int test_GENERAL_NAME_cmp(void) ++{ ++ size_t i, j; ++ GENERAL_NAME **namesa = OPENSSL_malloc(sizeof(*namesa) ++ * OSSL_NELEM(gennames)); ++ GENERAL_NAME **namesb = OPENSSL_malloc(sizeof(*namesb) ++ * OSSL_NELEM(gennames)); ++ int testresult = 0; ++ ++ if (namesa == NULL || namesb == NULL) ++ goto end; ++ ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ const unsigned char *derp = gennames[i].der; ++ ++ /* ++ * We create two versions of each GENERAL_NAME so that we ensure when ++ * we compare them they are always different pointers. ++ */ ++ namesa[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen); ++ derp = gennames[i].der; ++ namesb[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen); ++ if (namesa[i] == NULL || namesb[i] == NULL) ++ goto end; ++ } ++ ++ /* Every name should be equal to itself and not equal to any others. */ ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ for (j = 0; j < OSSL_NELEM(gennames); j++) { ++ if (i == j) { ++ if (GENERAL_NAME_cmp(namesa[i], namesb[j]) != 0) ++ goto end; ++ } else { ++ if (GENERAL_NAME_cmp(namesa[i], namesb[j]) == 0) ++ goto end; ++ } ++ } ++ } ++ testresult = 1; ++ ++ end: ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ if (namesa != NULL) ++ GENERAL_NAME_free(namesa[i]); ++ if (namesb != NULL) ++ GENERAL_NAME_free(namesb[i]); ++ } ++ OPENSSL_free(namesa); ++ OPENSSL_free(namesb); ++ ++ return testresult; ++} ++ + int main(void) + { + const struct set_name_fn *pfn = name_fns; +@@ -342,5 +687,11 @@ int main(void) + } + ++pfn; + } ++ ++ if (!test_GENERAL_NAME_cmp()) { ++ fprintf(stderr, "test_GENERAL_NAME_cmp failed\n"); ++ return 1; ++ } ++ + return errors > 0 ? 1 : 0; + } diff -Nru openssl-1.0.2g/debian/patches/CVE-2021-23840.patch openssl-1.0.2g/debian/patches/CVE-2021-23840.patch --- openssl-1.0.2g/debian/patches/CVE-2021-23840.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2021-23840.patch 2021-02-17 14:16:17.000000000 +0000 @@ -0,0 +1,79 @@ +Backport of: + +From 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 2 Feb 2021 17:17:23 +0000 +Subject: [PATCH] Don't overflow the output length in EVP_CipherUpdate calls + +CVE-2021-23840 + +Reviewed-by: Paul Dale +--- + crypto/err/openssl.txt | 3 ++- + crypto/evp/evp_enc.c | 27 +++++++++++++++++++++++++++ + crypto/evp/evp_err.c | 4 +++- + include/openssl/evperr.h | 7 +++---- + 4 files changed, 35 insertions(+), 6 deletions(-) + +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -354,6 +354,19 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct + return 1; + } else { + j = bl - i; ++ ++ /* ++ * Once we've processed the first j bytes from in, the amount of ++ * data left that is a multiple of the block length is: ++ * (inl - j) & ~(bl - 1) ++ * We must ensure that this amount of data, plus the one block that ++ * we process from ctx->buf does not exceed INT_MAX ++ */ ++ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { ++ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, ++ EVP_R_OUTPUT_WOULD_OVERFLOW); ++ return 0; ++ } + memcpy(&(ctx->buf[i]), in, j); + if (!M_do_cipher(ctx, out, ctx->buf, bl)) + return 0; +@@ -455,6 +468,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct + OPENSSL_assert(b <= sizeof ctx->final); + + if (ctx->final_used) { ++ /* ++ * final_used is only ever set if buf_len is 0. Therefore the maximum ++ * length output we will ever see from evp_EncryptDecryptUpdate is ++ * the maximum multiple of the block length that is <= inl, or just: ++ * inl & ~(b - 1) ++ * Since final_used has been set then the final output length is: ++ * (inl & ~(b - 1)) + b ++ * This must never exceed INT_MAX ++ */ ++ if ((inl & ~(b - 1)) > INT_MAX - b) { ++ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW); ++ return 0; ++ } + memcpy(out, ctx->final, b); + out += b; + fix_len = 1; +--- a/crypto/evp/evp_err.c ++++ b/crypto/evp/evp_err.c +@@ -215,6 +215,7 @@ static ERR_STRING_DATA EVP_str_reasons[] + {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), + "operation not supported for this keytype"}, + {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"}, ++ {ERR_REASON(EVP_R_OUTPUT_WOULD_OVERFLOW), "output would overflow"}, + {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE), + "pkcs8 unknown broken type"}, + {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"}, +--- a/crypto/evp/evp.h ++++ b/crypto/evp/evp.h +@@ -1509,6 +1509,7 @@ void ERR_load_EVP_strings(void); + # define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105 + # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 + # define EVP_R_OPERATON_NOT_INITIALIZED 151 ++# define EVP_R_OUTPUT_WOULD_OVERFLOW 184 + # define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117 + # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 + # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 diff -Nru openssl-1.0.2g/debian/patches/CVE-2021-23840-pre1.patch openssl-1.0.2g/debian/patches/CVE-2021-23840-pre1.patch --- openssl-1.0.2g/debian/patches/CVE-2021-23840-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2021-23840-pre1.patch 2021-02-17 14:14:05.000000000 +0000 @@ -0,0 +1,41 @@ +Partial backport of: + +From 83151b73a4736bca1797f8edc2b0ad4cf7ac9146 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Mon, 25 Jul 2016 15:02:26 +0200 +Subject: [PATCH] evp/evp_enc.c: make assert error message more readable and + add EVPerr(PARTIALLY_OVERLAPPED) + +Reviewed-by: Stephen Henson +--- + crypto/evp/evp_enc.c | 28 +++++++++++++++++++--------- + crypto/evp/evp_err.c | 3 +++ + include/openssl/evp.h | 3 +++ + 3 files changed, 25 insertions(+), 9 deletions(-) + +--- a/crypto/evp/evp_err.c ++++ b/crypto/evp/evp_err.c +@@ -92,8 +92,10 @@ static ERR_STRING_DATA EVP_str_functs[] + {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH), + "EVP_CIPHER_CTX_set_key_length"}, + {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"}, ++ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, + {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, ++ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, + {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"}, + {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, +--- a/crypto/evp/evp.h ++++ b/crypto/evp/evp.h +@@ -1396,8 +1396,10 @@ void ERR_load_EVP_strings(void); + # define EVP_F_EVP_CIPHER_CTX_CTRL 124 + # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 + # define EVP_F_EVP_DECRYPTFINAL_EX 101 ++# define EVP_F_EVP_DECRYPTUPDATE 166 + # define EVP_F_EVP_DIGESTINIT_EX 128 + # define EVP_F_EVP_ENCRYPTFINAL_EX 127 ++# define EVP_F_EVP_ENCRYPTUPDATE 167 + # define EVP_F_EVP_MD_CTX_COPY_EX 110 + # define EVP_F_EVP_MD_SIZE 162 + # define EVP_F_EVP_OPENINIT 102 diff -Nru openssl-1.0.2g/debian/patches/CVE-2021-23840-pre2.patch openssl-1.0.2g/debian/patches/CVE-2021-23840-pre2.patch --- openssl-1.0.2g/debian/patches/CVE-2021-23840-pre2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2021-23840-pre2.patch 2021-02-17 14:15:44.000000000 +0000 @@ -0,0 +1,38 @@ +Backport of: + +From 4bd0db1feaaf97fbc2bd31f54f1fbdeab80b2b1a Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Sun, 9 Dec 2018 14:20:30 +0100 +Subject: [PATCH] make update + +Reviewed-by: Kurt Roeckx +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/7852) + +(cherry picked from commit f2f734d4f9e34643a1d3e5b79d2447cd643519f8) +--- + crypto/err/openssl.txt | 1 + + crypto/evp/evp_err.c | 2 ++ + include/openssl/evperr.h | 1 + + 3 files changed, 4 insertions(+) + +--- a/crypto/evp/evp_err.c ++++ b/crypto/evp/evp_err.c +@@ -94,6 +94,7 @@ static ERR_STRING_DATA EVP_str_functs[] + {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"}, + {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, ++ {ERR_FUNC(EVP_F_EVP_ENCRYPTDECRYPTUPDATE), "evp_EncryptDecryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, + {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"}, + {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, +--- a/crypto/evp/evp.h ++++ b/crypto/evp/evp.h +@@ -1398,6 +1398,7 @@ void ERR_load_EVP_strings(void); + # define EVP_F_EVP_DECRYPTFINAL_EX 101 + # define EVP_F_EVP_DECRYPTUPDATE 166 + # define EVP_F_EVP_DIGESTINIT_EX 128 ++# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 + # define EVP_F_EVP_ENCRYPTFINAL_EX 127 + # define EVP_F_EVP_ENCRYPTUPDATE 167 + # define EVP_F_EVP_MD_CTX_COPY_EX 110 diff -Nru openssl-1.0.2g/debian/patches/CVE-2021-23841.patch openssl-1.0.2g/debian/patches/CVE-2021-23841.patch --- openssl-1.0.2g/debian/patches/CVE-2021-23841.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2021-23841.patch 2021-02-17 13:06:07.000000000 +0000 @@ -0,0 +1,40 @@ +Backport of: + +From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 10 Feb 2021 16:10:36 +0000 +Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash() + +The OpenSSL public API function X509_issuer_and_serial_hash() attempts +to create a unique hash value based on the issuer and serial number data +contained within an X509 certificate. However it fails to correctly +handle any errors that may occur while parsing the issuer field (which +might occur if the issuer field is maliciously constructed). This may +subsequently result in a NULL pointer deref and a crash leading to a +potential denial of service attack. + +The function X509_issuer_and_serial_hash() is never directly called by +OpenSSL itself so applications are only vulnerable if they use this +function directly and they use it on certificates that may have been +obtained from untrusted sources. + +CVE-2021-23841 + +Reviewed-by: Richard Levitte +Reviewed-by: Paul Dale +(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0) +--- + crypto/x509/x509_cmp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/crypto/x509/x509_cmp.c ++++ b/crypto/x509/x509_cmp.c +@@ -87,6 +87,8 @@ unsigned long X509_issuer_and_serial_has + + EVP_MD_CTX_init(&ctx); + f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0); ++ if (f == NULL) ++ goto err; + if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) + goto err; + if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f))) diff -Nru openssl-1.0.2g/debian/patches/series openssl-1.0.2g/debian/patches/series --- openssl-1.0.2g/debian/patches/series 2017-05-19 08:27:37.000000000 +0000 +++ openssl-1.0.2g/debian/patches/series 2021-06-28 13:05:36.000000000 +0000 @@ -48,3 +48,36 @@ CVE-2017-3732.patch move-extended-feature-detection.patch fix-sha-ni.patch +CVE-2017-3735.patch +CVE-2017-3736.patch +CVE-2017-3737-pre.patch +CVE-2017-3737-1.patch +CVE-2017-3737-2.patch +CVE-2017-3738.patch +CVE-2018-0739.patch +CVE-2018-0495.patch +CVE-2018-0732.patch +CVE-2018-0737-1.patch +CVE-2018-0737-2.patch +CVE-2018-0737-3.patch +CVE-2018-0737-4.patch +CVE-2018-0734-pre1.patch +CVE-2018-0734-1.patch +CVE-2018-0734-2.patch +CVE-2018-0734-3.patch +CVE-2018-5407.patch +CVE-2019-1559.patch +CVE-2019-1547.patch +CVE-2019-1551.patch +CVE-2019-1563.patch +CVE-2020-1968.patch +CVE-2020-1971-1.patch +CVE-2020-1971-2.patch +CVE-2020-1971-3.patch +CVE-2020-1971-4.patch +CVE-2020-1971-5.patch +CVE-2021-23840-pre1.patch +CVE-2021-23840-pre2.patch +CVE-2021-23840.patch +CVE-2021-23841.patch +trusted-first-by-default.patch diff -Nru openssl-1.0.2g/debian/patches/trusted-first-by-default.patch openssl-1.0.2g/debian/patches/trusted-first-by-default.patch --- openssl-1.0.2g/debian/patches/trusted-first-by-default.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/trusted-first-by-default.patch 2021-06-28 13:05:36.000000000 +0000 @@ -0,0 +1,19 @@ +Description: Enable X509_V_FLAG_TRUSTED_FIRST by default + This is to ensure that letsencrypt connection with the default chain + remains trusted even after the expiry of the redundand CA + certificate. +Author: Dimitri John Ledkov +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1928989 + + +--- openssl-1.0.2g.orig/crypto/x509/x509_vpm.c ++++ openssl-1.0.2g/crypto/x509/x509_vpm.c +@@ -537,7 +537,7 @@ static const X509_VERIFY_PARAM default_t + "default", /* X509 default parameters */ + 0, /* Check time */ + 0, /* internal flags */ +- 0, /* flags */ ++ X509_V_FLAG_TRUSTED_FIRST, /* flags */ + 0, /* purpose */ + 0, /* trust */ + 100, /* depth */