SigSEGV with engines, patch from upstream. Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sebastian Andrzej Siewior 1 year, 3 months ago
3 changed file(s) with 105 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
22 [ Sebastian Andrzej Siewior ]
33 * CVE-2022-3996 (X.509 Policy Constraints Double Locking) (Closes: #1027102).
44 * Add loongarch64 target (Closes: #1024414).
5 * Avoid SIGSEGV with engines, reported by ValdikSS (Closes: #1028898).
56
67 [ Helmut Grohne ]
78 * Support the noudeb build profile (Closes: #1024929).
0 From: Tomas Mraz <tomas@openssl.org>
1 Date: Tue, 11 Oct 2022 17:26:23 +0200
2 Subject: Release the drbg in the global default context before engines
3
4 Fixes #17995
5 Fixes #18578
6
7 Reviewed-by: Paul Dale <pauli@openssl.org>
8 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
9 (Merged from https://github.com/openssl/openssl/pull/19390)
10 ---
11 crypto/context.c | 15 +++++++++++++++
12 crypto/rand/rand_lib.c | 5 +++--
13 include/crypto/rand.h | 1 +
14 include/internal/cryptlib.h | 2 ++
15 4 files changed, 21 insertions(+), 2 deletions(-)
16
17 diff --git a/crypto/context.c b/crypto/context.c
18 index bdfc4d02a3f0..548665fba265 100644
19 --- a/crypto/context.c
20 +++ b/crypto/context.c
21 @@ -15,6 +15,7 @@
22 #include "internal/bio.h"
23 #include "internal/provider.h"
24 #include "crypto/ctype.h"
25 +#include "crypto/rand.h"
26
27 struct ossl_lib_ctx_onfree_list_st {
28 ossl_lib_ctx_onfree_fn *fn;
29 @@ -271,6 +272,20 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx)
30
31 return NULL;
32 }
33 +
34 +void ossl_release_default_drbg_ctx(void)
35 +{
36 + int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX];
37 +
38 + /* early release of the DRBG in global default libctx, no locking */
39 + if (dynidx != -1) {
40 + void *data;
41 +
42 + data = CRYPTO_get_ex_data(&default_context_int.data, dynidx);
43 + ossl_rand_ctx_free(data);
44 + CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL);
45 + }
46 +}
47 #endif
48
49 OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx)
50 diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
51 index c453d3226133..f341d915db76 100644
52 --- a/crypto/rand/rand_lib.c
53 +++ b/crypto/rand/rand_lib.c
54 @@ -96,6 +96,7 @@ void ossl_rand_cleanup_int(void)
55 CRYPTO_THREAD_lock_free(rand_meth_lock);
56 rand_meth_lock = NULL;
57 # endif
58 + ossl_release_default_drbg_ctx();
59 rand_inited = 0;
60 }
61
62 @@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx)
63 return NULL;
64 }
65
66 -static void rand_ossl_ctx_free(void *vdgbl)
67 +void ossl_rand_ctx_free(void *vdgbl)
68 {
69 RAND_GLOBAL *dgbl = vdgbl;
70
71 @@ -494,7 +495,7 @@ static void rand_ossl_ctx_free(void *vdgbl)
72 static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = {
73 OSSL_LIB_CTX_METHOD_PRIORITY_2,
74 rand_ossl_ctx_new,
75 - rand_ossl_ctx_free,
76 + ossl_rand_ctx_free,
77 };
78
79 static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx)
80 diff --git a/include/crypto/rand.h b/include/crypto/rand.h
81 index 6a71a339c812..165deaf95c5e 100644
82 --- a/include/crypto/rand.h
83 +++ b/include/crypto/rand.h
84 @@ -125,4 +125,5 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
85 size_t ossl_pool_acquire_entropy(RAND_POOL *pool);
86 int ossl_pool_add_nonce_data(RAND_POOL *pool);
87
88 +void ossl_rand_ctx_free(void *vdgbl);
89 #endif
90 diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
91 index 1291299b6e50..934d4b089c20 100644
92 --- a/include/internal/cryptlib.h
93 +++ b/include/internal/cryptlib.h
94 @@ -199,6 +199,8 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx,
95 int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn);
96 const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx);
97
98 +void ossl_release_default_drbg_ctx(void);
99 +
100 OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad);
101 int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj,
102 CRYPTO_EX_DATA *ad);
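Review bot: The comment `/* early release of the DRBG in global default libctx, no locking */` in the new `ossl_release_default_drbg_ctx()` (crypto/context.c hunk of the quoted patch) says the context lock is skipped but not why that is safe, even though the function reads and writes `default_context_int` ex_data that any concurrent RAND user would also touch; I would extend it to `/* Called only from ossl_rand_cleanup_int() during library teardown, when no other thread can still use the default libctx, so ctx->lock is deliberately not taken. */` so the precondition is explicit. `CRYPTO_get_ex_data()` returns NULL when the slot was never populated, and whether `ossl_rand_ctx_free()` tolerates a NULL argument is not visible in its hunk (only `RAND_GLOBAL *dgbl = vdgbl;` is shown), so either an `if (data != NULL)` guard or a one-line comment stating that the callee handles NULL would make the intent clear. The function is placed just before an `#endif` whose matching `#if` lies outside the hunk, while the declaration added to include/internal/cryptlib.h and the call added in `ossl_rand_cleanup_int()` appear unconditional here; if that guard does not match the one around the caller, some build configurations would fail to link, which is worth confirming. Note also that `dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX]` is left set while the slot is reset to NULL, so any RAND use on the default context after cleanup would find an empty slot; what happens then depends on `ossl_lib_ctx_get_data()`, which is not shown.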
77 conf-Serialize-allocation-free-of-ssl_names.patch
88 Fix-tests-for-new-default-security-level.patch
99 x509-fix-double-locking-problem.patch
10 Release-the-drbg-in-the-global-default-context-before-eng.patch