修复了 SM2 解密缓冲区溢出。[CVE-2021-3711])
Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
Fixed an SM2 Decryption Buffer Overflow.
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter.
A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small.
A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. ([CVE-2021-3711])
Matt Caswell
1.1.1m 避免两次加载动态引擎。
Changes between 1.1.1l and 1.1.1m [xx XXX xxxx]
Avoid loading of a dynamic engine twice.
Bernd Edlinger
Prioritise DANE TLSA issuer certs over peer certs
Viktor Dukhovni
Fixed random API for MacOS prior to 10.12
These MacOS versions don't support the CommonCrypto APIs
Lenny Primak
openssl小版本,比如修复什么小bug,单并不影响稳定性是按照字母顺序进行排版本
比如: 1.1.1l到1.1.1m,我门可以查看他的历史版本,最新的版本已经升级到3.0.1
依赖包,也可以用做离线使用
yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel pcre-devel pam-devel openssl openssl-devel openssl-libs lrzsz
https://www.openssl.org/source/snapshot/
openssl
- rpm
rpm包下载: https://github.com/philyuchkoff/openssl-RPM-Builder/releases
rpm -e --justdb --nodeps openssl-libs
rpm -e --justdb --nodeps openssl-1:1.0.2k
rpm -ivvh openssl-1.1.1m-1.el7.x86_64.rpm --nodeps
openssl version
- 推荐编译安装openssl-1.1.1l
https://www.openssl.org/source/openssl-1.1.1l.tar.gz
https://www.openssl.org/source/snapshot/openssl-1.1.1-stable-SNAP-20220120.tar.gz
mv /usr/bin/openssl{,.bak}
mv /usr/include/openssl{,.bak}
cd /usr/local/openssl-1.1.1m/
./config shared && make && make install
- openssl-1.1.1m
- https://www.openssl.org/source/openssl-1.1.1m.tar.gz
wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1m.tar.gz
tar xf openssl-1.1.1m.tar.gz -C /usr/local/
mv /usr/bin/openssl{,.bak}
mv /usr/include/openssl{,.bak}
cd /usr/local/openssl-1.1.1m
./config shared && make && make install
链接
ll /usr/local/bin/openssl
ll -d /usr/local/include/openssl/
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl/ /usr/include/openssl
ll /usr/bin/openssl
ll -d /usr/include/openssl
echo "/usr/local/lib64" >> /etc/ld.so.conf
/sbin/ldconfig
openssl version
openssl version -a
openssh
安装依赖包
yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel pcre-devel pam-devel openssl openssl-devel openssl-libs
配置必要的编译选项
mv /etc/ssh{,.bak}
mkdir /usr/local/openssh
curl -Lk https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz |tar xz -C ./
cd openssh-8.7p1/
./configure --prefix=/usr/local/openssh \
--sysconfdir=/etc/ssh \
--with-openssl-includes=/usr/local/include \
--with-ssl-dir=/usr/local/lib64 \
--with-zlib \
--with-md5-passwords \
--with-pam && \
make && \
make install
简单的配置下sshd
echo "UseDNS no" >> /etc/ssh/sshd_config
echo "Port 6789" >> /etc/ssh/sshd_config
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
mv /usr/sbin/sshd{,.bak}
mv /usr/bin/ssh{,.bak}
mv /usr/bin/ssh-keygen{,.bak}
ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
ssh -V
配置开机启动
systemctl disable sshd --now
mv /usr/lib/systemd/system/sshd.service{,.bak}
systemctl daemon-reload
\cp -a contrib/redhat/sshd.init /etc/init.d/sshd
\cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chkconfig --add sshd
systemctl enable sshd --now
systemctl start sshd
ssh -V