openssl and openssh [CVE-2021-3711] fix

15 July 2023

Fixed an SM2 decryption buffer overflow. ([CVE-2021-3711])

Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
Fixed an SM2 Decryption Buffer Overflow.

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter.

A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small.

A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker-chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. ([CVE-2021-3711])

Matt Caswell

1.1.1m: avoid loading a dynamic engine twice.

Changes between 1.1.1l and 1.1.1m [xx XXX xxxx]
Avoid loading of a dynamic engine twice.

Bernd Edlinger

Prioritise DANE TLSA issuer certs over peer certs

Viktor Dukhovni

Fixed random API for MacOS prior to 10.12

These MacOS versions don't support the CommonCrypto APIs

Lenny Primak

OpenSSL patch releases, i.e. those that fix small bugs but do not affect stability, are versioned by appending a letter in alphabetical order.

For example: 1.1.1l to 1.1.1m. We can look at its release history; the latest version has already moved on to 3.0.1.
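As an added example (not from the original post), the following POSIX shell function applies the letter-suffix ordering described above to the output of `openssl version` and reports whether the build carries the 1.1.1l fix for CVE-2021-3711. The function names and the sample version strings are constructed here; the affected-range facts come from the OpenSSL advisory (1.1.1 through 1.1.1k affected, 1.0.2 has no SM2 decryption).

```sh
#!/bin/sh
# Added example, not part of the original post.
# Classify an "openssl version" line with respect to CVE-2021-3711.

# Map a patch letter to a number so letters compare like versions:
# "" -> 0, a -> 1, b -> 2, ... l -> 12, m -> 13.
letter_index() {
    case "$1" in
        "") echo 0 ;;
        *)  idx=$(printf '%d' "'$1"); echo $((idx - 96)) ;;
    esac
}

# Usage: sm2_fix_status "OpenSSL 1.1.1k  25 Mar 2021"
# Prints "fixed", "vulnerable", "unaffected" or "unknown".
# Returns 0 for fixed/unaffected, 1 for vulnerable, 2 for unknown.
sm2_fix_status() {
    # Extract e.g. "1.1.1k" from the full version line.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 2; }
    num=${ver%%[a-z]*}      # numeric part, e.g. "1.1.1"
    letter=${ver#"$num"}    # patch letter, e.g. "k" (may be empty)
    case "$num" in
        1.0.*|1.1.0)
            # SM2 decryption only exists from 1.1.1 on.
            echo "unaffected"; return 0 ;;
        1.1.1)
            if [ "$(letter_index "$letter")" -ge "$(letter_index l)" ]; then
                echo "fixed"; return 0
            fi
            echo "vulnerable"; return 1 ;;
        3.*|[4-9].*)
            # 3.0.0 pre-releases were affected; 3.0.0 GA and later are fixed.
            case "$1" in *alpha*|*beta*) echo "vulnerable"; return 1 ;; esac
            echo "fixed"; return 0 ;;
        *)
            echo "unknown"; return 2 ;;
    esac
}
```

Run it against the live host with `sm2_fix_status "$(openssl version)"` after the upgrade to confirm the installed build is the one reported.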

Dependency packages (these can also be downloaded for offline use)

yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel pcre-devel pam-devel openssl openssl-devel openssl-libs lrzsz

https://www.openssl.org/source/snapshot/

openssl

  • rpm

rpm package download: https://github.com/philyuchkoff/openssl-RPM-Builder/releases

rpm -e --justdb --nodeps openssl-libs
rpm -e --justdb --nodeps openssl-1:1.0.2k
rpm -ivvh  openssl-1.1.1m-1.el7.x86_64.rpm  --nodeps
openssl version
  • Recommended: build and install openssl-1.1.1l from source
https://www.openssl.org/source/openssl-1.1.1l.tar.gz
https://www.openssl.org/source/snapshot/openssl-1.1.1-stable-SNAP-20220120.tar.gz

mv /usr/bin/openssl{,.bak}
mv /usr/include/openssl{,.bak}
cd /usr/local/openssl-1.1.1m/
./config shared && make && make install
  • openssl-1.1.1m
  • https://www.openssl.org/source/openssl-1.1.1m.tar.gz
wget  --no-check-certificate https://www.openssl.org/source/openssl-1.1.1m.tar.gz
tar xf openssl-1.1.1m.tar.gz -C /usr/local/
mv /usr/bin/openssl{,.bak}
mv /usr/include/openssl{,.bak}
cd /usr/local/openssl-1.1.1m
./config shared && make && make install

Symlinks

ll /usr/local/bin/openssl
ll -d /usr/local/include/openssl/
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl/ /usr/include/openssl
ll /usr/bin/openssl
ll -d /usr/include/openssl
echo "/usr/local/lib64" >> /etc/ld.so.conf
/sbin/ldconfig
openssl version
openssl version -a

openssh

Install dependency packages

yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel pcre-devel pam-devel openssl openssl-devel openssl-libs

Configure the required build options

mv /etc/ssh{,.bak}
mkdir /usr/local/openssh
curl -Lk https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz |tar xz -C ./
cd openssh-8.7p1/
./configure --prefix=/usr/local/openssh \
--sysconfdir=/etc/ssh \
--with-openssl-includes=/usr/local/include \
--with-ssl-dir=/usr/local/lib64 \
--with-zlib \
--with-md5-passwords \
--with-pam && \
make && \
make install

A minimal sshd configuration

echo "UseDNS no" >> /etc/ssh/sshd_config
echo "Port 6789" >> /etc/ssh/sshd_config
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
mv /usr/sbin/sshd{,.bak}
mv /usr/bin/ssh{,.bak}
mv /usr/bin/ssh-keygen{,.bak}
ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
ssh -V

Configure startup on boot

systemctl disable sshd --now
mv /usr/lib/systemd/system/sshd.service{,.bak}
systemctl daemon-reload
\cp -a contrib/redhat/sshd.init /etc/init.d/sshd
# PAM resolves the policy by service name ("sshd"), so the file must be /etc/pam.d/sshd, not sshd.pam
\cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
chkconfig --add sshd
systemctl enable sshd --now
systemctl start  sshd
ssh -V
