patch openssl with null checks against ContentInfo (#7892)

Author: tobiasb-ms

SPECS/openssl/openssl-1.1.1-add-null-checks-where-contentinfo-data-can-be-null.patch

@@ -0,0 +1,182 @@
+From 03b3941d60c4bce58fab69a0c22377ab439bc0e8 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 19 Jan 2024 11:28:58 +0000
+Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
+
+PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+optional and can be NULL even if the "type" is a valid value. OpenSSL
+was not properly accounting for this and a NULL dereference can occur
+causing a crash.
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+---
+ crypto/err/openssl.txt      |  3 ++-
+ crypto/pkcs12/p12_add.c     | 19 +++++++++++++++++++
+ crypto/pkcs12/p12_mutl.c    |  5 +++++
+ crypto/pkcs12/p12_npas.c    |  5 +++--
+ crypto/pkcs12/pk12err.c     |  4 +++-
+ crypto/pkcs7/pk7_mime.c     |  8 ++++++--
+ include/openssl/pkcs12err.h |  3 ++-
+ 7 files changed, 40 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index f302dbc06..900b11ee9 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -1,4 +1,4 @@
+-# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
++# Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ #
+ # Licensed under the OpenSSL license (the "License").  You may not use
+ # this file except in compliance with the License.  You can obtain a copy
+@@ -970,6 +970,7 @@ PKCS12_F_PKCS12_SETUP_MAC:122:PKCS12_setup_mac
+ PKCS12_F_PKCS12_SET_MAC:123:PKCS12_set_mac
+ PKCS12_F_PKCS12_UNPACK_AUTHSAFES:130:PKCS12_unpack_authsafes
+ PKCS12_F_PKCS12_UNPACK_P7DATA:131:PKCS12_unpack_p7data
++PKCS12_F_PKCS12_UNPACK_P7ENCDATA:134:PKCS12_unpack_p7encdata
+ PKCS12_F_PKCS12_VERIFY_MAC:126:PKCS12_verify_mac
+ PKCS12_F_PKCS8_ENCRYPT:125:PKCS8_encrypt
+ PKCS12_F_PKCS8_SET0_PBE:132:PKCS8_set0_pbe
+diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
+index af184c86a..f2fbe9660 100644
+--- a/crypto/pkcs12/p12_add.c
++++ b/crypto/pkcs12/p12_add.c
+@@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
+                   PKCS12_R_CONTENT_TYPE_NOT_DATA);
+         return NULL;
+     }
++
++    if (p7->d.data == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
++        return NULL;
++    }
++
+     return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
+ }
+ 
+@@ -132,6 +138,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
+ {
+     if (!PKCS7_type_is_encrypted(p7))
+         return NULL;
++
++    if (p7->d.encrypted == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_UNPACK_P7ENCDATA, PKCS12_R_DECODE_ERROR);
++        return NULL;
++    }
++
+     return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
+                                    ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
+                                    pass, passlen,
+@@ -159,6 +171,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
+                   PKCS12_R_CONTENT_TYPE_NOT_DATA);
+         return NULL;
+     }
++
++    if (p12->authsafes->d.data == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
++                  PKCS12_R_DECODE_ERROR);
++        return NULL;
++    }
++
+     return ASN1_item_unpack(p12->authsafes->d.data,
+                             ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
+ }
+diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
+index 3658003fe..766c9c1e9 100644
+--- a/crypto/pkcs12/p12_mutl.c
++++ b/crypto/pkcs12/p12_mutl.c
+@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+         return 0;
+     }
+ 
++    if (p12->authsafes->d.data == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
++        return 0;
++    }
++
+     salt = p12->mac->salt->data;
+     saltlen = p12->mac->salt->length;
+     if (!p12->mac->iter)
+diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
+index 0334289a8..130337638 100644
+--- a/crypto/pkcs12/p12_npas.c
++++ b/crypto/pkcs12/p12_npas.c
+@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
+             bags = PKCS12_unpack_p7data(p7);
+         } else if (bagnid == NID_pkcs7_encrypted) {
+             bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
+-            if (!alg_get(p7->d.encrypted->enc_data->algorithm,
+-                         &pbe_nid, &pbe_iter, &pbe_saltlen))
++            if (p7->d.encrypted == NULL
++                    || !alg_get(p7->d.encrypted->enc_data->algorithm,
++                                &pbe_nid, &pbe_iter, &pbe_saltlen))
+                 goto err;
+         } else {
+             continue;
+diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c
+index 38ce5197e..224941d74 100644
+--- a/crypto/pkcs12/pk12err.c
++++ b/crypto/pkcs12/pk12err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -58,6 +58,8 @@ static const ERR_STRING_DATA PKCS12_str_functs[] = {
+      "PKCS12_unpack_authsafes"},
+     {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_UNPACK_P7DATA, 0),
+      "PKCS12_unpack_p7data"},
++    {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_UNPACK_P7ENCDATA, 0),
++     "PKCS12_unpack_p7encdata"},
+     {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_VERIFY_MAC, 0),
+      "PKCS12_verify_mac"},
+     {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS8_ENCRYPT, 0), "PKCS8_encrypt"},
+diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
+index 19e686814..b457108c9 100644
+--- a/crypto/pkcs7/pk7_mime.c
++++ b/crypto/pkcs7/pk7_mime.c
+@@ -30,10 +30,14 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
+ {
+     STACK_OF(X509_ALGOR) *mdalgs;
+     int ctype_nid = OBJ_obj2nid(p7->type);
+-    if (ctype_nid == NID_pkcs7_signed)
++
++    if (ctype_nid == NID_pkcs7_signed) {
++        if (p7->d.sign == NULL)
++            return 0;
+         mdalgs = p7->d.sign->md_algs;
+-    else
++    } else {
+         mdalgs = NULL;
++    }
+ 
+     flags ^= SMIME_OLDMIME;
+ 
+diff --git a/include/openssl/pkcs12err.h b/include/openssl/pkcs12err.h
+index eff5eb260..b0f5446c0 100644
+--- a/include/openssl/pkcs12err.h
++++ b/include/openssl/pkcs12err.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -49,6 +49,7 @@ int ERR_load_PKCS12_strings(void);
+ # define PKCS12_F_PKCS12_SET_MAC                          123
+ # define PKCS12_F_PKCS12_UNPACK_AUTHSAFES                 130
+ # define PKCS12_F_PKCS12_UNPACK_P7DATA                    131
++# define PKCS12_F_PKCS12_UNPACK_P7ENCDATA                 134
+ # define PKCS12_F_PKCS12_VERIFY_MAC                       126
+ # define PKCS12_F_PKCS8_ENCRYPT                           125
+ # define PKCS12_F_PKCS8_SET0_PBE                          132
+-- 
+2.33.8
+

SPECS/openssl/openssl.spec

@@ -4,7 +4,7 @@
 Summary:        Utilities from the general purpose cryptography library with TLS implementation
 Name:           openssl
 Version:        1.1.1k
-Release:        28%{?dist}
+Release:        29%{?dist}
 License:        OpenSSL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -59,6 +59,7 @@ Patch35:        CVE-2023-0466.patch
 Patch36:        CVE-2023-2650.patch
 Patch37:        CVE-2023-3817.patch
 Patch38:        openssl-1.1.1-improve-safety-of-DH.patch
+Patch39:        openssl-1.1.1-add-null-checks-where-contentinfo-data-can-be-null.patch
 BuildRequires:  perl-Test-Warnings
 BuildRequires:  perl-Text-Template
 BuildRequires:  perl(FindBin)
@@ -67,7 +68,7 @@ Requires:       %{name}-libs = %{version}-%{release}
 Requires:       glibc
 Requires:       libgcc
 Conflicts:      httpd <= 2.4.37
-%if %{with_check}
+%if 0%{?with_check}
 BuildRequires:  perl
 BuildRequires:  perl(Math::BigInt)
 BuildRequires:  perl(Test::Harness)
@@ -170,6 +171,7 @@ cp %{SOURCE4} test/
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
+%patch39 -p1
 
 %build
 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
@@ -359,6 +361,9 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Wed Feb 14 2024 Tobias Brick <tobiasb@microsoft.com> - 1.1.1k-29
+- Introduce patch to correctly address NULL ContentInfo data
+
 * Wed Dec 06 2023 Muhammad Falak <mwani@microsoft.com> - 1.1.1k-28
 - Introduce patch to correctly address exessively long DH keys
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.aarch64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-28.cm2.aarch64.rpm
-openssl-devel-1.1.1k-28.cm2.aarch64.rpm
-openssl-libs-1.1.1k-28.cm2.aarch64.rpm
-openssl-perl-1.1.1k-28.cm2.aarch64.rpm
-openssl-static-1.1.1k-28.cm2.aarch64.rpm
+openssl-1.1.1k-29.cm2.aarch64.rpm
+openssl-devel-1.1.1k-29.cm2.aarch64.rpm
+openssl-libs-1.1.1k-29.cm2.aarch64.rpm
+openssl-perl-1.1.1k-29.cm2.aarch64.rpm
+openssl-static-1.1.1k-29.cm2.aarch64.rpm
 libcap-2.60-2.cm2.aarch64.rpm
 libcap-devel-2.60-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -165,11 +165,11 @@ texinfo-6.8-1.cm2.x86_64.rpm
 gtk-doc-1.33.2-1.cm2.noarch.rpm
 autoconf-2.71-3.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-28.cm2.x86_64.rpm
-openssl-devel-1.1.1k-28.cm2.x86_64.rpm
-openssl-libs-1.1.1k-28.cm2.x86_64.rpm
-openssl-perl-1.1.1k-28.cm2.x86_64.rpm
-openssl-static-1.1.1k-28.cm2.x86_64.rpm
+openssl-1.1.1k-29.cm2.x86_64.rpm
+openssl-devel-1.1.1k-29.cm2.x86_64.rpm
+openssl-libs-1.1.1k-29.cm2.x86_64.rpm
+openssl-perl-1.1.1k-29.cm2.x86_64.rpm
+openssl-static-1.1.1k-29.cm2.x86_64.rpm
 libcap-2.60-2.cm2.x86_64.rpm
 libcap-devel-2.60-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -270,12 +270,12 @@ npth-1.6-4.cm2.aarch64.rpm
 npth-debuginfo-1.6-4.cm2.aarch64.rpm
 npth-devel-1.6-4.cm2.aarch64.rpm
 ntsysv-1.20-4.cm2.aarch64.rpm
-openssl-1.1.1k-28.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-28.cm2.aarch64.rpm
-openssl-devel-1.1.1k-28.cm2.aarch64.rpm
-openssl-libs-1.1.1k-28.cm2.aarch64.rpm
-openssl-perl-1.1.1k-28.cm2.aarch64.rpm
-openssl-static-1.1.1k-28.cm2.aarch64.rpm
+openssl-1.1.1k-29.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-29.cm2.aarch64.rpm
+openssl-devel-1.1.1k-29.cm2.aarch64.rpm
+openssl-libs-1.1.1k-29.cm2.aarch64.rpm
+openssl-perl-1.1.1k-29.cm2.aarch64.rpm
+openssl-static-1.1.1k-29.cm2.aarch64.rpm
 p11-kit-0.24.1-1.cm2.aarch64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -276,12 +276,12 @@ npth-1.6-4.cm2.x86_64.rpm
 npth-debuginfo-1.6-4.cm2.x86_64.rpm
 npth-devel-1.6-4.cm2.x86_64.rpm
 ntsysv-1.20-4.cm2.x86_64.rpm
-openssl-1.1.1k-28.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-28.cm2.x86_64.rpm
-openssl-devel-1.1.1k-28.cm2.x86_64.rpm
-openssl-libs-1.1.1k-28.cm2.x86_64.rpm
-openssl-perl-1.1.1k-28.cm2.x86_64.rpm
-openssl-static-1.1.1k-28.cm2.x86_64.rpm
+openssl-1.1.1k-29.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-29.cm2.x86_64.rpm
+openssl-devel-1.1.1k-29.cm2.x86_64.rpm
+openssl-libs-1.1.1k-29.cm2.x86_64.rpm
+openssl-perl-1.1.1k-29.cm2.x86_64.rpm
+openssl-static-1.1.1k-29.cm2.x86_64.rpm
 p11-kit-0.24.1-1.cm2.x86_64.rpm
 p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm