[Security] Upgrade OpenSSL version to 1.1.1n-0+deb11u4 #41

Why I did it
Upgrade to 1.1.1n-0+deb11u4

How I did it
Remove some of the patches have already added in the openssl git repository
git log --oneline debian/openssl-1.1.1n-0+deb11u1..debian/openssl-1.1.1n-0+deb11u3    
4b70fedda2 Prepare 1.1.1n-0+deb11u3
f6df7303d8 Update expired certs.
84540b59c1 CVE-2022-2068
f763d8a93e Prepare 1.1.1n-0+deb11u2
576562cebe CVE-2022-1292
Add some of additional patches can be retrieved from the debian mirror.
apt source libssl1.1
Add the patches from openssl-1.1.1n/debian/patches to src/openssl.patch/debian.patch/
How to verify it

Author: xumia

rules/openssl.mk

@@ -1,6 +1,6 @@
 # openssl
 
-OPENSSL_VERSION = 1.1.1n-0+deb11u3
+OPENSSL_VERSION = 1.1.1n-0+deb11u4
 OPENSSL_VERSION_FIPS = $(OPENSSL_VERSION)+fips
 OPENSSL = openssl_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb
 $(OPENSSL)_SRC_PATH = $(SRC_PATH)/openssl

rules/symcrypt-openssl.mk

@@ -1,6 +1,6 @@
 # SYMCRYPT_OPENSSL
 
-SYMCRYPT_OPENSSL_VERSION = 0.6
+SYMCRYPT_OPENSSL_VERSION = 0.7
 SYMCRYPT_OPENSSL = symcrypt-openssl_$(SYMCRYPT_OPENSSL_VERSION)_$(ARCH).deb
 $(SYMCRYPT_OPENSSL)_SRC_PATH = $(SRC_PATH)/SymCrypt-OpenSSL-Debian
 $(SYMCRYPT_OPENSSL)_MAKEFILE = Makefile

src/openssl

@@ -1,21 +1,18 @@
 diff --git a/debian/changelog b/debian/changelog
-index f2c3b6b4e9..eae0b966d3 100644
+index eae0b966d3..71103d9192 100644
 --- a/debian/changelog
 +++ b/debian/changelog
-@@ -1,3 +1,16 @@
-+openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium
+@@ -1,3 +1,13 @@
++openssl (1.1.1n-0+deb11u4) bullseye-security; urgency=medium
 +
-+  * CVE-2022-2068 (The c_rehash script allows command injection).
-+  * Update expired certs.
++  * CVE-2022-4450 (Double free after calling PEM_read_bio_ex).
++  * CVE-2023-0286 (X.400 address type confusion in X.509 GeneralName).
++  * CVE-2023-0215 (Use-after-free following BIO_new_NDEF).
++  * CVE-2022-4304 (Timing Oracle in RSA Decryption).
++  * CVE-2022-2097 (AES OCB fails to encrypt some bytes).
 +
-+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 24 Jun 2022 22:22:19 +0200
++ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sun, 05 Feb 2023 22:23:17 +0100
 +
-+openssl (1.1.1n-0+deb11u2) bullseye-security; urgency=medium
-+
-+  * CVE-2022-1292 (The c_rehash script allows command injection).
-+
-+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Tue, 10 May 2022 20:37:36 +0200
-+
- openssl (1.1.1n-0+deb11u1) bullseye; urgency=medium
+ openssl (1.1.1n-0+deb11u3) bullseye-security; urgency=medium
 
-   * New upstream version.
+   * CVE-2022-2068 (The c_rehash script allows command injection).

src/openssl.patch/20-update-changelog

@@ -0,0 +1,79 @@
+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:02:37 +1000
+Subject: AES OCB test vectors
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
+index 1c02ea1e9c2d..e12670d9a4b4 100644
+--- a/test/recipes/30-test_evp_data/evpciph.txt
++++ b/test/recipes/30-test_evp_data/evpciph.txt
+@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
+ Operation = DECRYPT
+ Result = CIPHERFINAL_ERROR
+ 
++#Test vectors generated to validate aesni_ocb_encrypt on x86
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = C14DFF7D62A13C4A3422456207453190
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 41970D13737B7BD1B5FBF49ED4412CA5
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = BE0228651ED4E48A11BDED68D953F3A0
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 17BC6E10B16E5FDC52836E7D589518C7
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = E84AAC18666116990A3A37B3A5FC55BD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 3E5EA7EE064FE83B313E28D411E91EAD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
++
+ Title = AES XTS test vectors from IEEE Std 1619-2007
+ 
+ # Using the same key twice for encryption is always banned.

src/openssl.patch/debian.patch/AES-OCB-test-vectors.patch

@@ -0,0 +1,55 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 13 Dec 2022 15:02:26 +0000
+Subject: Add a test for CVE-2022-4450
+
+Call PEM_read_bio_ex() and expect a failure. There should be no dangling
+ptrs and therefore there should be no double free if we free the ptrs on
+error.
+---
+ test/pemtest.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/test/pemtest.c b/test/pemtest.c
+index 3203d976be76..edeb0a12059e 100644
+--- a/test/pemtest.c
++++ b/test/pemtest.c
+@@ -83,9 +83,39 @@ static int test_invalid(void)
+     return 1;
+ }
+ 
++static int test_empty_payload(void)
++{
++    BIO *b;
++    static char *emptypay =
++        "-----BEGIN CERTIFICATE-----\n"
++        "-\n" /* Base64 EOF character */
++        "-----END CERTIFICATE-----";
++    char *name = NULL, *header = NULL;
++    unsigned char *data = NULL;
++    long len;
++    int ret = 0;
++
++    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
++    if (!TEST_ptr(b))
++        return 0;
++
++    /* Expected to fail because the payload is empty */
++    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
++        goto err;
++
++    ret = 1;
++ err:
++    OPENSSL_free(name);
++    OPENSSL_free(header);
++    OPENSSL_free(data);
++    BIO_free(b);
++    return ret;
++}
++
+ int setup_tests(void)
+ {
+     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
+     ADD_TEST(test_invalid);
++    ADD_TEST(test_empty_payload);
+     return 1;
+ }

src/openssl.patch/debian.patch/Add-a-test-for-CVE-2022-4450.patch

@@ -0,0 +1,33 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 13 Dec 2022 14:54:55 +0000
+Subject: Avoid dangling ptrs in header and data params for PEM_read_bio_ex
+
+In the event of a failure in PEM_read_bio_ex() we free the buffers we
+allocated for the header and data buffers. However we were not clearing
+the ptrs stored in *header and *data. Since, on success, the caller is
+responsible for freeing these ptrs this can potentially lead to a double
+free if the caller frees them even on failure.
+
+Thanks to Dawei Wang for reporting this issue.
+
+Based on a proposed patch by Kurt Roeckx.
+
+CVE-2022-4450
+---
+ crypto/pem/pem_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
+index 2de093595d0d..173045be21ea 100644
+--- a/crypto/pem/pem_lib.c
++++ b/crypto/pem/pem_lib.c
+@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
+     *data = pem_malloc(len, flags);
+     if (*header == NULL || *data == NULL) {
+         pem_free(*header, flags, 0);
++        *header = NULL;
+         pem_free(*data, flags, 0);
++        *data = NULL;
+         goto end;
+     }
+     BIO_read(headerB, *header, headerlen);

src/openssl.patch/debian.patch/Avoid-dangling-ptrs-in-header-and-data-params-for-PEM_rea.patch

@@ -0,0 +1,87 @@
+From: Hugo Landau <hlandau@openssl.org>
+Date: Tue, 17 Jan 2023 17:45:42 +0000
+Subject: CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+---
+ CHANGES                  | 20 ++++++++++++++++++++
+ crypto/x509v3/v3_genn.c  |  2 +-
+ include/openssl/x509v3.h |  2 +-
+ test/v3nametest.c        |  8 ++++++++
+ 4 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 3ef3fa28cfa8..265555ab95c5 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -7,6 +7,26 @@
+  https://github.com/openssl/openssl/commits/ and pick the appropriate
+  release branch.
+ 
++ Changes between 1.1.1s and 1.1.1t [xx XXX xxxx]
++
++  *) Fixed a type confusion vulnerability relating to X.400 address processing
++     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
++     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
++     vulnerability may allow an attacker who can provide a certificate chain and
++     CRL (neither of which need have a valid signature) to pass arbitrary
++     pointers to a memcmp call, creating a possible read primitive, subject to
++     some constraints. Refer to the advisory for more information. Thanks to
++     David Benjamin for discovering this issue. (CVE-2023-0286)
++
++     This issue has been fixed by changing the public header file definition of
++     GENERAL_NAME so that x400Address reflects the implementation. It was not
++     possible for any existing application to successfully use the existing
++     definition; however, if any application references the x400Address field
++     (e.g. in dead code), note that the type of this field has changed. There is
++     no ABI change.
++
++     [Hugo Landau]
++
+  Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
+ 
+   *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
+index 87a5eff47cd9..e54ddc55c957 100644
+--- a/crypto/x509v3/v3_genn.c
++++ b/crypto/x509v3/v3_genn.c
+@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+         break;
+ 
+     case GEN_EDIPARTY:
+diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
+index 90fa3592ce58..e61c0f29d4b4 100644
+--- a/include/openssl/x509v3.h
++++ b/include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+         OTHERNAME *otherName;   /* otherName */
+         ASN1_IA5STRING *rfc822Name;
+         ASN1_IA5STRING *dNSName;
+-        ASN1_TYPE *x400Address;
++        ASN1_STRING *x400Address;
+         X509_NAME *directoryName;
+         EDIPARTYNAME *ediPartyName;
+         ASN1_IA5STRING *uniformResourceIdentifier;
+diff --git a/test/v3nametest.c b/test/v3nametest.c
+index d1852190b84e..37819da8fd78 100644
+--- a/test/v3nametest.c
++++ b/test/v3nametest.c
+@@ -646,6 +646,14 @@ static struct gennamedata {
+             0xb7, 0x09, 0x02, 0x02
+         },
+         15
++    }, {
++        /*
++         * Regression test for CVE-2023-0286.
++         */
++        {
++            0xa3, 0x00
++        },
++        2
+     }
+ };
+ 

src/openssl.patch/debian.patch/CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.1.1.patch

@@ -0,0 +1,69 @@
+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:00:22 +1000
+Subject: Fix AES OCB encrypt/decrypt for x86 AES-NI
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
+that performs operations on 6 16-byte blocks concurrently (the
+"grandloop") and then proceeds to handle the "short" tail (which can
+be anywhere from 0 to 5 blocks) that remain.
+
+As part of initialization, the assembly initializes $len to the true
+length, less 96 bytes and converts it to a pointer so that the $inp
+can be compared to it. Each iteration of "grandloop" checks to see if
+there's a full 96-byte chunk to process, and if so, continues. Once
+this has been exhausted, it falls through to "short", which handles
+the remaining zero to five blocks.
+
+Unfortunately, the jump at the end of "grandloop" had a fencepost
+error, doing a `jb` ("jump below") rather than `jbe` (jump below or
+equal). This should be `jbe`, as $inp is pointing to the *end* of the
+chunk currently being handled. If $inp == $len, that means that
+there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
+then there's 5 or fewer 16-byte blocks left to be handled, and the
+fall-through is intended.
+
+The net effect of `jb` instead of `jbe` is that the last 16-byte block
+of the last 96-byte chunk was completely omitted. The contents of
+`out` in this position were never written to. Additionally, since
+those bytes were never processed, the authentication tag generated is
+also incorrect.
+
+The same fencepost error, and identical logic, exists in both
+aesni_ocb_encrypt and aesni_ocb_decrypt.
+
+This addresses CVE-2022-2097.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ crypto/aes/asm/aesni-x86.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
+index fe2b26542ab6..812758e02e04 100644
+--- a/crypto/aes/asm/aesni-x86.pl
++++ b/crypto/aes/asm/aesni-x86.pl
+@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
++	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);
+@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ 	&pxor		($rndkey1,$inout5);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
++	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);