diff -Nru openssl1.0-1.0.2n/debian/changelog openssl1.0-1.0.2n/debian/changelog --- openssl1.0-1.0.2n/debian/changelog 2019-02-26 19:46:16.000000000 +0000 +++ openssl1.0-1.0.2n/debian/changelog 2020-09-16 11:51:13.000000000 +0000 @@ -1,3 +1,27 @@ +openssl1.0 (1.0.2n-1ubuntu5.4) bionic-security; urgency=medium + + * SECURITY UPDATE: Raccoon Attack + - debian/patches/CVE-2020-1968.patch: disable ciphers that reuse the + DH secret across multiple TLS connections in ssl/s3_lib.c. + - CVE-2020-1968 + * SECURITY UPDATE: ECDSA remote timing attack + - debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or + zero cofactor, compute it in crypto/ec/ec.h, crypto/ec/ec_err.c, + crypto/ec/ec_lib.c. + - CVE-2019-1547 + * SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64 + - debian/patches/CVE-2019-1551.patch: fix an overflow bug in + rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl. + - CVE-2019-1551 + * SECURITY UPDATE: Padding Oracle issue + - debian/patches/CVE-2019-1563.patch: fix a padding oracle in + PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c, + crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c, + crypto/pkcs7/pk7_doit.c. + - CVE-2019-1563 + + -- Marc Deslauriers Wed, 16 Sep 2020 07:51:13 -0400 + openssl1.0 (1.0.2n-1ubuntu5.3) bionic-security; urgency=medium * SECURITY UPDATE: 0-byte record padding oracle diff -Nru openssl1.0-1.0.2n/debian/patches/CVE-2019-1547.patch openssl1.0-1.0.2n/debian/patches/CVE-2019-1547.patch --- openssl1.0-1.0.2n/debian/patches/CVE-2019-1547.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl1.0-1.0.2n/debian/patches/CVE-2019-1547.patch 2020-09-16 11:51:13.000000000 +0000 
@@ -0,0 +1,230 @@ +From 21c856b75d81eff61aa63b4f036bb64a85bf6d46 Mon Sep 17 00:00:00 2001 +From: Billy Brumley +Date: Sat, 7 Sep 2019 10:50:58 +0300 +Subject: [PATCH] [crypto/ec] for ECC parameters with NULL or zero cofactor, + compute it + +The cofactor argument to EC_GROUP_set_generator is optional, and SCA +mitigations for ECC currently use it. So the library currently falls +back to very old SCA-vulnerable code if the cofactor is not present. + +This PR allows EC_GROUP_set_generator to compute the cofactor for all +curves of cryptographic interest. Steering scalar multiplication to more +SCA-robust code. + +This issue affects persisted private keys in explicit parameter form, +where the (optional) cofactor field is zero or absent. + +It also affects curves not built-in to the library, but constructed +programatically with explicit parameters, then calling +EC_GROUP_set_generator with a nonsensical value (NULL, zero). + +The very old scalar multiplication code is known to be vulnerable to +local uarch attacks, outside of the OpenSSL threat model. New results +suggest the code path is also vulnerable to traditional wall clock +timing attacks. + +CVE-2019-1547 + +Reviewed-by: Nicola Tuveri +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/9799) +--- + CHANGES | 7 ++++ + crypto/ec/ec.h | 6 ++- + crypto/ec/ec_err.c | 3 +- + crypto/ec/ec_lib.c | 102 +++++++++++++++++++++++++++++++++++++++++---- + 4 files changed, 108 insertions(+), 10 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index d804f325b4..ee272f2266 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -9,6 +9,13 @@ +# +# Changes between 1.0.2s and 1.0.2t [xx XXX xxxx] +# +#+ *) Compute ECC cofactors if not provided during EC_GROUP construction. Before +#+ this change, EC_GROUP_set_generator would accept order and/or cofactor as +#+ NULL. After this change, only the cofactor parameter can be NULL. It also +#+ does some minimal sanity checks on the passed order. 
+#+ (CVE-2019-1547) +#+ [Billy Bob Brumley] +#+ +# *) Document issue with installation paths in diverse Windows builds +# +# '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL +--- a/crypto/ec/ec.h ++++ b/crypto/ec/ec.h +@@ -1073,6 +1073,7 @@ int EC_KEY_print_fp(FILE *fp, const EC_K + * The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. + */ ++ + void ERR_load_EC_strings(void); + + /* Error codes for the EC functions. */ +@@ -1270,13 +1271,14 @@ void ERR_load_EC_strings(void); + # define EC_R_SLOT_FULL 108 + # define EC_R_UNDEFINED_GENERATOR 113 + # define EC_R_UNDEFINED_ORDER 128 ++# define EC_R_UNKNOWN_COFACTOR 152 + # define EC_R_UNKNOWN_GROUP 129 + # define EC_R_UNKNOWN_ORDER 114 + # define EC_R_UNSUPPORTED_FIELD 131 + # define EC_R_WRONG_CURVE_PARAMETERS 145 + # define EC_R_WRONG_ORDER 130 + +-#ifdef __cplusplus ++# ifdef __cplusplus + } +-#endif ++# endif + #endif +--- a/crypto/ec/ec_err.c ++++ b/crypto/ec/ec_err.c +@@ -1,6 +1,6 @@ + /* crypto/ec/ec_err.c */ + /* ==================================================================== +- * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -310,6 +310,7 @@ static ERR_STRING_DATA EC_str_reasons[] + {ERR_REASON(EC_R_SLOT_FULL), "slot full"}, + {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"}, + {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"}, ++ {ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"}, + {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"}, + {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"}, + {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"}, +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -290,6 +290,67 @@ int EC_METHOD_get_field_type(const EC_ME + return meth->field_type; + } + ++/*- ++ * Try computing cofactor from the generator order (n) and field cardinality (q). ++ * This works for all curves of cryptographic interest. ++ * ++ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q) ++ * h_min = (q + 1 - 2*sqrt(q))/n ++ * h_max = (q + 1 + 2*sqrt(q))/n ++ * h_max - h_min = 4*sqrt(q)/n ++ * So if n > 4*sqrt(q) holds, there is only one possible value for h: ++ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil ++ * ++ * Otherwise, zero cofactor and return success. ++ */ ++static int ec_guess_cofactor(EC_GROUP *group) { ++ int ret = 0; ++ BN_CTX *ctx = NULL; ++ BIGNUM *q = NULL; ++ ++ /*- ++ * If the cofactor is too large, we cannot guess it. 
++ * The RHS of below is a strict overestimate of lg(4 * sqrt(q)) ++ */ ++ if (BN_num_bits(&group->order) <= (BN_num_bits(&group->field) + 1) / 2 + 3) { ++ /* default to 0 */ ++ BN_zero(&group->cofactor); ++ /* return success */ ++ return 1; ++ } ++ ++ if ((ctx = BN_CTX_new()) == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ if ((q = BN_CTX_get(ctx)) == NULL) ++ goto err; ++ ++ /* set q = 2**m for binary fields; q = p otherwise */ ++ if (group->meth->field_type == NID_X9_62_characteristic_two_field) { ++ BN_zero(q); ++ if (!BN_set_bit(q, BN_num_bits(&group->field) - 1)) ++ goto err; ++ } else { ++ if (!BN_copy(q, &group->field)) ++ goto err; ++ } ++ ++ /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */ ++ if (!BN_rshift1(&group->cofactor, &group->order) /* n/2 */ ++ || !BN_add(&group->cofactor, &group->cofactor, q) /* q + n/2 */ ++ /* q + 1 + n/2 */ ++ || !BN_add(&group->cofactor, &group->cofactor, BN_value_one()) ++ /* (q + 1 + n/2)/n */ ++ || !BN_div(&group->cofactor, NULL, &group->cofactor, &group->order, ctx)) ++ goto err; ++ ret = 1; ++ err: ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ return ret; ++} ++ + int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, + const BIGNUM *order, const BIGNUM *cofactor) + { +@@ -298,6 +359,33 @@ int EC_GROUP_set_generator(EC_GROUP *gro + return 0; + } + ++ /* require group->field >= 1 */ ++ if (BN_is_zero(&group->field) || BN_is_negative(&group->field)) { ++ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD); ++ return 0; ++ } ++ ++ /*- ++ * - require order >= 1 ++ * - enforce upper bound due to Hasse thm: order can be no more than one bit ++ * longer than field cardinality ++ */ ++ if (order == NULL || BN_is_zero(order) || BN_is_negative(order) ++ || BN_num_bits(order) > BN_num_bits(&group->field) + 1) { ++ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER); ++ return 0; ++ } ++ ++ /*- ++ * Unfortunately the cofactor is an optional field in many standards. 
++ * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor". ++ * So accept cofactor == NULL or cofactor >= 0. ++ */ ++ if (cofactor != NULL && BN_is_negative(cofactor)) { ++ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR); ++ return 0; ++ } ++ + if (group->generator == NULL) { + group->generator = EC_POINT_new(group); + if (group->generator == NULL) +@@ -306,17 +394,17 @@ int EC_GROUP_set_generator(EC_GROUP *gro + if (!EC_POINT_copy(group->generator, generator)) + return 0; + +- if (order != NULL) { +- if (!BN_copy(&group->order, order)) +- return 0; +- } else +- BN_zero(&group->order); ++ if (!BN_copy(&group->order, order)) ++ return 0; + +- if (cofactor != NULL) { ++ /* Either take the provided positive cofactor, or try to compute it */ ++ if (cofactor != NULL && !BN_is_zero(cofactor)) { + if (!BN_copy(&group->cofactor, cofactor)) + return 0; +- } else ++ } else if (!ec_guess_cofactor(group)) { + BN_zero(&group->cofactor); ++ return 0; ++ } + + /* + * We ignore the return value because some groups have an order with diff -Nru openssl1.0-1.0.2n/debian/patches/CVE-2019-1551.patch openssl1.0-1.0.2n/debian/patches/CVE-2019-1551.patch --- openssl1.0-1.0.2n/debian/patches/CVE-2019-1551.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl1.0-1.0.2n/debian/patches/CVE-2019-1551.patch 2020-09-16 11:51:13.000000000 +0000 
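Review bot: In `ec_guess_cofactor` the early-out branch `if (BN_num_bits(&group->order) <= (BN_num_bits(&group->field) + 1) / 2 + 3)` zeroes the cofactor and returns 1, so `EC_GROUP_set_generator` succeeds with cofactor 0 — the same "unknown cofactor" marker the commit message says sends scalar multiplication to the old SCA-weak code — and the caller cannot tell that outcome apart from a computed cofactor. I would say so at the branch, `/* cofactor stays 0 ("unknown"): callers needing the SCA-hardened path must check EC_GROUP_get_cofactor() */`, and code that loads explicit-parameter keys should check that value rather than assume this patch covers it. Smaller points: `static int ec_guess_cofactor(EC_GROUP *group) {` puts the opening brace on the signature line, unlike `EC_GROUP_set_generator` just below it; and rejecting `order == NULL` is an API tightening (the patch's own CHANGES text says so) that any 1.0.2 caller still passing a NULL order will now trip on, which is worth grepping for before shipping. `EC_GROUP_set_generator`'s body continues past the end of the hunk.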
@@ -0,0 +1,766 @@ +From f1c5eea8a817075d31e43f5876993c6710238c98 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Wed, 4 Dec 2019 12:48:21 +0100 +Subject: [PATCH] Fix an overflow bug in rsaz_512_sqr + +There is an overflow bug in the x64_64 Montgomery squaring procedure used in +exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis +suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a +result of this defect would be very difficult to perform and are not believed +likely. Attacks against DH512 are considered just feasible. However, for an +attack the target would have to re-use the DH512 private key, which is not +recommended anyway. Also applications directly using the low level API +BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. + +CVE-2019-1551 + +Reviewed-by: Paul Dale +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/10576) +--- + crypto/bn/asm/rsaz-x86_64.pl | 399 ++++++++++++++++++----------------- + 1 file changed, 206 insertions(+), 193 deletions(-) + +diff --git a/crypto/bn/asm/rsaz-x86_64.pl b/crypto/bn/asm/rsaz-x86_64.pl +index 87ce2c34d9..e0da6d9ae5 100755 +--- a/crypto/bn/asm/rsaz-x86_64.pl ++++ b/crypto/bn/asm/rsaz-x86_64.pl +@@ -140,7 +140,7 @@ rsaz_512_sqr: # 25-29% faster than rsaz_512_mul + + subq \$128+24, %rsp + .Lsqr_body: +- movq $mod, %rbp # common argument ++ movq $mod, %xmm1 # common off-load + movq ($inp), %rdx + movq 8($inp), %rax + movq $n0, 128(%rsp) +@@ -158,7 +158,8 @@ $code.=<<___; + .Loop_sqr: + movl $times,128+8(%rsp) + #first iteration +- movq %rdx, %rbx ++ movq %rdx, %rbx # 0($inp) ++ mov %rax, %rbp # 8($inp) + mulq %rdx + movq %rax, %r8 + movq 16($inp), %rax +@@ -197,31 +198,29 @@ $code.=<<___; + mulq %rbx + addq %rax, %r14 + movq %rbx, %rax +- movq %rdx, %r15 +- adcq \$0, %r15 ++ adcq \$0, %rdx + +- addq %r8, %r8 #shlq \$1, %r8 +- movq %r9, %rcx +- adcq %r9, %r9 #shld \$1, %r8, %r9 ++ xorq %rcx,%rcx # rcx:r8 = r8 << 1 ++ addq %r8, 
%r8 ++ movq %rdx, %r15 ++ adcq \$0, %rcx + + mulq %rax +- movq %rax, (%rsp) +- addq %rdx, %r8 +- adcq \$0, %r9 ++ addq %r8, %rdx ++ adcq \$0, %rcx + +- movq %r8, 8(%rsp) +- shrq \$63, %rcx ++ movq %rax, (%rsp) ++ movq %rdx, 8(%rsp) + + #second iteration +- movq 8($inp), %r8 + movq 16($inp), %rax +- mulq %r8 ++ mulq %rbp + addq %rax, %r10 + movq 24($inp), %rax + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r11 + movq 32($inp), %rax + adcq \$0, %rdx +@@ -229,7 +228,7 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r12 + movq 40($inp), %rax + adcq \$0, %rdx +@@ -237,7 +236,7 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r13 + movq 48($inp), %rax + adcq \$0, %rdx +@@ -245,7 +244,7 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r14 + movq 56($inp), %rax + adcq \$0, %rdx +@@ -253,39 +252,39 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r15 +- movq %r8, %rax ++ movq %rbp, %rax + adcq \$0, %rdx + addq %rbx, %r15 +- movq %rdx, %r8 +- movq %r10, %rdx +- adcq \$0, %r8 ++ adcq \$0, %rdx + +- add %rdx, %rdx +- lea (%rcx,%r10,2), %r10 #shld \$1, %rcx, %r10 +- movq %r11, %rbx +- adcq %r11, %r11 #shld \$1, %r10, %r11 ++ xorq %rbx, %rbx # rbx:r10:r9 = r10:r9 << 1 ++ addq %r9, %r9 ++ movq %rdx, %r8 ++ adcq %r10, %r10 ++ adcq \$0, %rbx + + mulq %rax ++ addq %rcx, %rax ++ movq 16($inp), %rbp ++ adcq \$0, %rdx + addq %rax, %r9 ++ movq 24($inp), %rax + adcq %rdx, %r10 +- adcq \$0, %r11 ++ adcq \$0, %rbx + + movq %r9, 16(%rsp) + movq %r10, 24(%rsp) +- shrq \$63, %rbx +- ++ + #third iteration +- movq 16($inp), %r9 +- movq 24($inp), %rax +- mulq %r9 ++ mulq %rbp + addq %rax, %r12 + movq 32($inp), %rax + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 ++ mulq %rbp + addq %rax, %r13 + movq 40($inp), %rax + adcq \$0, %rdx +@@ -293,7 +292,7 @@ $code.=<<___; + movq %rdx, %rcx + adcq 
\$0, %rcx + +- mulq %r9 ++ mulq %rbp + addq %rax, %r14 + movq 48($inp), %rax + adcq \$0, %rdx +@@ -301,9 +300,7 @@ $code.=<<___; + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 +- movq %r12, %r10 +- lea (%rbx,%r12,2), %r12 #shld \$1, %rbx, %r12 ++ mulq %rbp + addq %rax, %r15 + movq 56($inp), %rax + adcq \$0, %rdx +@@ -311,36 +308,40 @@ $code.=<<___; + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 +- shrq \$63, %r10 ++ mulq %rbp + addq %rax, %r8 +- movq %r9, %rax ++ movq %rbp, %rax + adcq \$0, %rdx + addq %rcx, %r8 +- movq %rdx, %r9 +- adcq \$0, %r9 ++ adcq \$0, %rdx + +- movq %r13, %rcx +- leaq (%r10,%r13,2), %r13 #shld \$1, %r12, %r13 ++ xorq %rcx, %rcx # rcx:r12:r11 = r12:r11 << 1 ++ addq %r11, %r11 ++ movq %rdx, %r9 ++ adcq %r12, %r12 ++ adcq \$0, %rcx + + mulq %rax ++ addq %rbx, %rax ++ movq 24($inp), %r10 ++ adcq \$0, %rdx + addq %rax, %r11 ++ movq 32($inp), %rax + adcq %rdx, %r12 +- adcq \$0, %r13 ++ adcq \$0, %rcx + + movq %r11, 32(%rsp) + movq %r12, 40(%rsp) +- shrq \$63, %rcx + + #fourth iteration +- movq 24($inp), %r10 +- movq 32($inp), %rax ++ mov %rax, %r11 # 32($inp) + mulq %r10 + addq %rax, %r14 + movq 40($inp), %rax + movq %rdx, %rbx + adcq \$0, %rbx + ++ mov %rax, %r12 # 40($inp) + mulq %r10 + addq %rax, %r15 + movq 48($inp), %rax +@@ -349,9 +350,8 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + ++ mov %rax, %rbp # 48($inp) + mulq %r10 +- movq %r14, %r12 +- leaq (%rcx,%r14,2), %r14 #shld \$1, %rcx, %r14 + addq %rax, %r8 + movq 56($inp), %rax + adcq \$0, %rdx +@@ -360,32 +360,33 @@ $code.=<<___; + adcq \$0, %rbx + + mulq %r10 +- shrq \$63, %r12 + addq %rax, %r9 + movq %r10, %rax + adcq \$0, %rdx + addq %rbx, %r9 +- movq %rdx, %r10 +- adcq \$0, %r10 ++ adcq \$0, %rdx + +- movq %r15, %rbx +- leaq (%r12,%r15,2),%r15 #shld \$1, %r14, %r15 ++ xorq %rbx, %rbx # rbx:r13:r14 = r13:r14 << 1 ++ addq %r13, %r13 ++ movq %rdx, %r10 ++ adcq %r14, %r14 ++ adcq \$0, %rbx + + mulq %rax ++ addq %rcx, %rax ++ adcq \$0, %rdx + addq %rax, %r13 ++ movq %r12, %rax 
# 40($inp) + adcq %rdx, %r14 +- adcq \$0, %r15 ++ adcq \$0, %rbx + + movq %r13, 48(%rsp) + movq %r14, 56(%rsp) +- shrq \$63, %rbx + + #fifth iteration +- movq 32($inp), %r11 +- movq 40($inp), %rax + mulq %r11 + addq %rax, %r8 +- movq 48($inp), %rax ++ movq %rbp, %rax # 48($inp) + movq %rdx, %rcx + adcq \$0, %rcx + +@@ -393,97 +394,99 @@ $code.=<<___; + addq %rax, %r9 + movq 56($inp), %rax + adcq \$0, %rdx +- movq %r8, %r12 +- leaq (%rbx,%r8,2), %r8 #shld \$1, %rbx, %r8 + addq %rcx, %r9 + movq %rdx, %rcx + adcq \$0, %rcx + ++ mov %rax, %r14 # 56($inp) + mulq %r11 +- shrq \$63, %r12 + addq %rax, %r10 + movq %r11, %rax + adcq \$0, %rdx + addq %rcx, %r10 +- movq %rdx, %r11 +- adcq \$0, %r11 ++ adcq \$0, %rdx + +- movq %r9, %rcx +- leaq (%r12,%r9,2), %r9 #shld \$1, %r8, %r9 ++ xorq %rcx, %rcx # rcx:r8:r15 = r8:r15 << 1 ++ addq %r15, %r15 ++ movq %rdx, %r11 ++ adcq %r8, %r8 ++ adcq \$0, %rcx + + mulq %rax ++ addq %rbx, %rax ++ adcq \$0, %rdx + addq %rax, %r15 ++ movq %rbp, %rax # 48($inp) + adcq %rdx, %r8 +- adcq \$0, %r9 ++ adcq \$0, %rcx + + movq %r15, 64(%rsp) + movq %r8, 72(%rsp) +- shrq \$63, %rcx + + #sixth iteration +- movq 40($inp), %r12 +- movq 48($inp), %rax + mulq %r12 + addq %rax, %r10 +- movq 56($inp), %rax ++ movq %r14, %rax # 56($inp) + movq %rdx, %rbx + adcq \$0, %rbx + + mulq %r12 + addq %rax, %r11 + movq %r12, %rax +- movq %r10, %r15 +- leaq (%rcx,%r10,2), %r10 #shld \$1, %rcx, %r10 + adcq \$0, %rdx +- shrq \$63, %r15 + addq %rbx, %r11 +- movq %rdx, %r12 +- adcq \$0, %r12 ++ adcq \$0, %rdx + +- movq %r11, %rbx +- leaq (%r15,%r11,2), %r11 #shld \$1, %r10, %r11 ++ xorq %rbx, %rbx # rbx:r10:r9 = r10:r9 << 1 ++ addq %r9, %r9 ++ movq %rdx, %r12 ++ adcq %r10, %r10 ++ adcq \$0, %rbx + + mulq %rax ++ addq %rcx, %rax ++ adcq \$0, %rdx + addq %rax, %r9 ++ movq %r14, %rax # 56($inp) + adcq %rdx, %r10 +- adcq \$0, %r11 ++ adcq \$0, %rbx + + movq %r9, 80(%rsp) + movq %r10, 88(%rsp) + + #seventh iteration +- movq 48($inp), %r13 +- movq 56($inp), %rax +- mulq %r13 ++ 
mulq %rbp + addq %rax, %r12 +- movq %r13, %rax +- movq %rdx, %r13 +- adcq \$0, %r13 ++ movq %rbp, %rax ++ adcq \$0, %rdx + +- xorq %r14, %r14 +- shlq \$1, %rbx +- adcq %r12, %r12 #shld \$1, %rbx, %r12 +- adcq %r13, %r13 #shld \$1, %r12, %r13 +- adcq %r14, %r14 #shld \$1, %r13, %r14 ++ xorq %rcx, %rcx # rcx:r12:r11 = r12:r11 << 1 ++ addq %r11, %r11 ++ movq %rdx, %r13 ++ adcq %r12, %r12 ++ adcq \$0, %rcx + + mulq %rax ++ addq %rbx, %rax ++ adcq \$0, %rdx + addq %rax, %r11 ++ movq %r14, %rax # 56($inp) + adcq %rdx, %r12 +- adcq \$0, %r13 ++ adcq \$0, %rcx + + movq %r11, 96(%rsp) + movq %r12, 104(%rsp) + + #eighth iteration +- movq 56($inp), %rax ++ xorq %rbx, %rbx # rbx:r13 = r13 << 1 ++ addq %r13, %r13 ++ adcq \$0, %rbx ++ + mulq %rax +- addq %rax, %r13 ++ addq %rcx, %rax + adcq \$0, %rdx +- +- addq %rdx, %r14 +- +- movq %r13, 112(%rsp) +- movq %r14, 120(%rsp) ++ addq %r13, %rax ++ adcq %rbx, %rdx + + movq (%rsp), %r8 + movq 8(%rsp), %r9 +@@ -493,6 +496,10 @@ $code.=<<___; + movq 40(%rsp), %r13 + movq 48(%rsp), %r14 + movq 56(%rsp), %r15 ++ movq %xmm1, %rbp ++ ++ movq %rax, 112(%rsp) ++ movq %rdx, 120(%rsp) + + call __rsaz_512_reduce + +@@ -524,9 +531,9 @@ $code.=<<___; + .Loop_sqrx: + movl $times,128+8(%rsp) + movq $out, %xmm0 # off-load +- movq %rbp, %xmm1 # off-load +-#first iteration ++#first iteration + mulx %rax, %r8, %r9 ++ mov %rax, %rbx + + mulx 16($inp), %rcx, %r10 + xor %rbp, %rbp # cf=0, of=0 +@@ -534,40 +541,39 @@ $code.=<<___; + mulx 24($inp), %rax, %r11 + adcx %rcx, %r9 + +- mulx 32($inp), %rcx, %r12 ++ .byte 0xc4,0x62,0xf3,0xf6,0xa6,0x20,0x00,0x00,0x00 # mulx 32($inp), %rcx, %r12 + adcx %rax, %r10 + +- mulx 40($inp), %rax, %r13 ++ .byte 0xc4,0x62,0xfb,0xf6,0xae,0x28,0x00,0x00,0x00 # mulx 40($inp), %rax, %r13 + adcx %rcx, %r11 + +- .byte 0xc4,0x62,0xf3,0xf6,0xb6,0x30,0x00,0x00,0x00 # mulx 48($inp), %rcx, %r14 ++ mulx 48($inp), %rcx, %r14 + adcx %rax, %r12 + adcx %rcx, %r13 + +- .byte 0xc4,0x62,0xfb,0xf6,0xbe,0x38,0x00,0x00,0x00 # mulx 56($inp), %rax, 
%r15 ++ mulx 56($inp), %rax, %r15 + adcx %rax, %r14 + adcx %rbp, %r15 # %rbp is 0 + +- mov %r9, %rcx +- shld \$1, %r8, %r9 +- shl \$1, %r8 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx +- adcx %rdx, %r8 +- mov 8($inp), %rdx +- adcx %rbp, %r9 ++ mulx %rdx, %rax, $out ++ mov %rbx, %rdx # 8($inp) ++ xor %rcx, %rcx ++ adox %r8, %r8 ++ adcx $out, %r8 ++ adox %rbp, %rcx ++ adcx %rbp, %rcx + + mov %rax, (%rsp) + mov %r8, 8(%rsp) + +-#second iteration +- mulx 16($inp), %rax, %rbx ++#second iteration ++ .byte 0xc4,0xe2,0xfb,0xf6,0x9e,0x10,0x00,0x00,0x00 # mulx 16($inp), %rax, %rbx + adox %rax, %r10 + adcx %rbx, %r11 + +- .byte 0xc4,0x62,0xc3,0xf6,0x86,0x18,0x00,0x00,0x00 # mulx 24($inp), $out, %r8 ++ mulx 24($inp), $out, %r8 + adox $out, %r11 ++ .byte 0x66 + adcx %r8, %r12 + + mulx 32($inp), %rax, %rbx +@@ -585,24 +591,25 @@ $code.=<<___; + .byte 0xc4,0x62,0xc3,0xf6,0x86,0x38,0x00,0x00,0x00 # mulx 56($inp), $out, %r8 + adox $out, %r15 + adcx %rbp, %r8 ++ mulx %rdx, %rax, $out + adox %rbp, %r8 ++ .byte 0x48,0x8b,0x96,0x10,0x00,0x00,0x00 # mov 16($inp), %rdx + +- mov %r11, %rbx +- shld \$1, %r10, %r11 +- shld \$1, %rcx, %r10 +- +- xor %ebp,%ebp +- mulx %rdx, %rax, %rcx +- mov 16($inp), %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r9, %r9 ++ adcx %rbp, $out ++ adox %r10, %r10 + adcx %rax, %r9 +- adcx %rcx, %r10 +- adcx %rbp, %r11 ++ adox %rbp, %rbx ++ adcx $out, %r10 ++ adcx %rbp, %rbx + + mov %r9, 16(%rsp) + .byte 0x4c,0x89,0x94,0x24,0x18,0x00,0x00,0x00 # mov %r10, 24(%rsp) +- +-#third iteration +- .byte 0xc4,0x62,0xc3,0xf6,0x8e,0x18,0x00,0x00,0x00 # mulx 24($inp), $out, %r9 ++ ++#third iteration ++ mulx 24($inp), $out, %r9 + adox $out, %r12 + adcx %r9, %r13 + +@@ -610,7 +617,7 @@ $code.=<<___; + adox %rax, %r13 + adcx %rcx, %r14 + +- mulx 40($inp), $out, %r9 ++ .byte 0xc4,0x62,0xc3,0xf6,0x8e,0x28,0x00,0x00,0x00 # mulx 40($inp), $out, %r9 + adox $out, %r14 + adcx %r9, %r15 + +@@ -618,27 +625,28 @@ $code.=<<___; + adox %rax, %r15 + adcx %rcx, %r8 + +- .byte 
0xc4,0x62,0xc3,0xf6,0x8e,0x38,0x00,0x00,0x00 # mulx 56($inp), $out, %r9 ++ mulx 56($inp), $out, %r9 + adox $out, %r8 + adcx %rbp, %r9 ++ mulx %rdx, %rax, $out + adox %rbp, %r9 ++ mov 24($inp), %rdx + +- mov %r13, %rcx +- shld \$1, %r12, %r13 +- shld \$1, %rbx, %r12 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rcx, %rcx ++ adcx %rbx, %rax ++ adox %r11, %r11 ++ adcx %rbp, $out ++ adox %r12, %r12 + adcx %rax, %r11 +- adcx %rdx, %r12 +- mov 24($inp), %rdx +- adcx %rbp, %r13 ++ adox %rbp, %rcx ++ adcx $out, %r12 ++ adcx %rbp, %rcx + + mov %r11, 32(%rsp) +- .byte 0x4c,0x89,0xa4,0x24,0x28,0x00,0x00,0x00 # mov %r12, 40(%rsp) +- +-#fourth iteration +- .byte 0xc4,0xe2,0xfb,0xf6,0x9e,0x20,0x00,0x00,0x00 # mulx 32($inp), %rax, %rbx ++ mov %r12, 40(%rsp) ++ ++#fourth iteration ++ mulx 32($inp), %rax, %rbx + adox %rax, %r14 + adcx %rbx, %r15 + +@@ -653,25 +661,25 @@ $code.=<<___; + mulx 56($inp), $out, %r10 + adox $out, %r9 + adcx %rbp, %r10 ++ mulx %rdx, %rax, $out + adox %rbp, %r10 ++ mov 32($inp), %rdx + +- .byte 0x66 +- mov %r15, %rbx +- shld \$1, %r14, %r15 +- shld \$1, %rcx, %r14 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r13, %r13 ++ adcx %rbp, $out ++ adox %r14, %r14 + adcx %rax, %r13 +- adcx %rdx, %r14 +- mov 32($inp), %rdx +- adcx %rbp, %r15 ++ adox %rbp, %rbx ++ adcx $out, %r14 ++ adcx %rbp, %rbx + + mov %r13, 48(%rsp) + mov %r14, 56(%rsp) +- +-#fifth iteration +- .byte 0xc4,0x62,0xc3,0xf6,0x9e,0x28,0x00,0x00,0x00 # mulx 40($inp), $out, %r11 ++ ++#fifth iteration ++ mulx 40($inp), $out, %r11 + adox $out, %r8 + adcx %r11, %r9 + +@@ -682,18 +690,19 @@ $code.=<<___; + mulx 56($inp), $out, %r11 + adox $out, %r10 + adcx %rbp, %r11 ++ mulx %rdx, %rax, $out ++ mov 40($inp), %rdx + adox %rbp, %r11 + +- mov %r9, %rcx +- shld \$1, %r8, %r9 +- shld \$1, %rbx, %r8 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rcx, %rcx ++ adcx %rbx, %rax ++ adox %r15, %r15 ++ adcx %rbp, $out ++ adox %r8, %r8 + adcx %rax, %r15 +- 
adcx %rdx, %r8 +- mov 40($inp), %rdx +- adcx %rbp, %r9 ++ adox %rbp, %rcx ++ adcx $out, %r8 ++ adcx %rbp, %rcx + + mov %r15, 64(%rsp) + mov %r8, 72(%rsp) +@@ -706,18 +715,19 @@ $code.=<<___; + .byte 0xc4,0x62,0xc3,0xf6,0xa6,0x38,0x00,0x00,0x00 # mulx 56($inp), $out, %r12 + adox $out, %r11 + adcx %rbp, %r12 ++ mulx %rdx, %rax, $out + adox %rbp, %r12 ++ mov 48($inp), %rdx + +- mov %r11, %rbx +- shld \$1, %r10, %r11 +- shld \$1, %rcx, %r10 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r9, %r9 ++ adcx %rbp, $out ++ adox %r10, %r10 + adcx %rax, %r9 +- adcx %rdx, %r10 +- mov 48($inp), %rdx +- adcx %rbp, %r11 ++ adcx $out, %r10 ++ adox %rbp, %rbx ++ adcx %rbp, %rbx + + mov %r9, 80(%rsp) + mov %r10, 88(%rsp) +@@ -727,31 +737,31 @@ $code.=<<___; + adox %rax, %r12 + adox %rbp, %r13 + +- xor %r14, %r14 +- shld \$1, %r13, %r14 +- shld \$1, %r12, %r13 +- shld \$1, %rbx, %r12 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx +- adcx %rax, %r11 +- adcx %rdx, %r12 ++ mulx %rdx, %rax, $out ++ xor %rcx, %rcx + mov 56($inp), %rdx +- adcx %rbp, %r13 ++ adcx %rbx, %rax ++ adox %r11, %r11 ++ adcx %rbp, $out ++ adox %r12, %r12 ++ adcx %rax, %r11 ++ adox %rbp, %rcx ++ adcx $out, %r12 ++ adcx %rbp, %rcx + + .byte 0x4c,0x89,0x9c,0x24,0x60,0x00,0x00,0x00 # mov %r11, 96(%rsp) + .byte 0x4c,0x89,0xa4,0x24,0x68,0x00,0x00,0x00 # mov %r12, 104(%rsp) + + #eighth iteration + mulx %rdx, %rax, %rdx +- adox %rax, %r13 +- adox %rbp, %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r13, %r13 ++ adcx %rbp, %rdx ++ adox %rbp, %rbx ++ adcx %r13, %rax ++ adcx %rdx, %rbx + +- .byte 0x66 +- add %rdx, %r14 +- +- movq %r13, 112(%rsp) +- movq %r14, 120(%rsp) + movq %xmm0, $out + movq %xmm1, %rbp + +@@ -765,6 +775,9 @@ $code.=<<___; + movq 48(%rsp), %r14 + movq 56(%rsp), %r15 + ++ movq %rax, 112(%rsp) ++ movq %rbx, 120(%rsp) ++ + call __rsaz_512_reducex + + addq 64(%rsp), %r8 +-- +2.17.1 + diff -Nru openssl1.0-1.0.2n/debian/patches/CVE-2019-1563.patch 
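Review bot: The patch carries no regression input for the carry bug it fixes: the rewritten `.Loop_sqr` and `.Loop_sqrx` bodies change carry propagation in every iteration (the `xorq %rcx,%rcx` / `addq %r8, %r8` / `adcq \$0, %rcx` sequences replacing the `shld`/`shrq \$63` forms), and defects of this kind surface only on specific operands, so a known-answer `BN_mod_exp` case with a 512-bit modulus (the size the commit message says routes through `rsaz_512_sqr`) and `BN_FLG_CONSTTIME` set is the one check that would pin this backport — if an upstream test vector for this CVE exists it should ship in debian/patches alongside. Separately, the hunk moves several `mulx` forms between mnemonic and hand-encoded `.byte` spellings (and inserts a bare `.byte 0x66`) with no comment on why, presumably instruction-length control for alignment, which the hunk does not state; a one-line comment such as `# .byte spellings pin instruction length; keep in step with the adjacent mnemonics` at the first occurrence would stop the next reader assuming they differ in meaning. Both loop bodies start and end outside the visible hunks.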
openssl1.0-1.0.2n/debian/patches/CVE-2019-1563.patch --- openssl1.0-1.0.2n/debian/patches/CVE-2019-1563.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl1.0-1.0.2n/debian/patches/CVE-2019-1563.patch 2020-09-16 11:51:13.000000000 +0000 
@@ -0,0 +1,162 @@ +From e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Sun, 1 Sep 2019 00:16:28 +0200 +Subject: [PATCH] Fix a padding oracle in PKCS7_dataDecode and + CMS_decrypt_set1_pkey + +An attack is simple, if the first CMS_recipientInfo is valid but the +second CMS_recipientInfo is chosen ciphertext. If the second +recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct +encryption key will be replaced by garbage, and the message cannot be +decoded, but if the RSA decryption fails, the correct encryption key is +used and the recipient will not notice the attack. + +As a work around for this potential attack the length of the decrypted +key must be equal to the cipher default key length, in case the +certifiate is not given and all recipientInfo are tried out. + +The old behaviour can be re-enabled in the CMS code by setting the +CMS_DEBUG_DECRYPT flag. + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/9777) + +(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37) +--- + CHANGES | 14 ++++++++++++++ + crypto/cms/cms_env.c | 18 +++++++++++++++++- + crypto/cms/cms_lcl.h | 2 ++ + crypto/cms/cms_smime.c | 4 ++++ + crypto/pkcs7/pk7_doit.c | 12 ++++++++---- + 5 files changed, 45 insertions(+), 5 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index eff1121106..dbe5c1d043 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -39,6 +39,20 @@ +# (CVE-2019-1547) +# [Billy Bob Brumley] +# +#+ *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. +#+ An attack is simple, if the first CMS_recipientInfo is valid but the +#+ second CMS_recipientInfo is chosen ciphertext. If the second +#+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct +#+ encryption key will be replaced by garbage, and the message cannot be +#+ decoded, but if the RSA decryption fails, the correct encryption key is +#+ used and the recipient will not notice the attack. 
+#+ As a work around for this potential attack the length of the decrypted +#+ key must be equal to the cipher default key length, in case the +#+ certifiate is not given and all recipientInfo are tried out. +#+ The old behaviour can be re-enabled in the CMS code by setting the +#+ CMS_DEBUG_DECRYPT flag. +#+ [Bernd Edlinger] +#+ +# *) Document issue with installation paths in diverse Windows builds +# +# '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL +--- a/crypto/cms/cms_env.c ++++ b/crypto/cms/cms_env.c +@@ -422,6 +422,7 @@ static int cms_RecipientInfo_ktri_decryp + unsigned char *ek = NULL; + size_t eklen; + int ret = 0; ++ size_t fixlen = 0; + CMS_EncryptedContentInfo *ec; + ec = cms->d.envelopedData->encryptedContentInfo; + +@@ -430,6 +431,19 @@ static int cms_RecipientInfo_ktri_decryp + return 0; + } + ++ if (cms->d.envelopedData->encryptedContentInfo->havenocert ++ && !cms->d.envelopedData->encryptedContentInfo->debug) { ++ X509_ALGOR *calg = ec->contentEncryptionAlgorithm; ++ const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm); ++ ++ if (ciph == NULL) { ++ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER); ++ return 0; ++ } ++ ++ fixlen = EVP_CIPHER_key_length(ciph); ++ } ++ + ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL); + if (!ktri->pctx) + return 0; +@@ -460,7 +474,9 @@ static int cms_RecipientInfo_ktri_decryp + + if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen, + ktri->encryptedKey->data, +- ktri->encryptedKey->length) <= 0) { ++ ktri->encryptedKey->length) <= 0 ++ || eklen == 0 ++ || (fixlen != 0 && eklen != fixlen)) { + CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB); + goto err; + } +--- a/crypto/cms/cms_lcl.h ++++ b/crypto/cms/cms_lcl.h +@@ -172,6 +172,8 @@ struct CMS_EncryptedContentInfo_st { + size_t keylen; + /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ + int debug; ++ /* Set to 1 if we have no cert and need extra safety measures for MMA */ ++ int havenocert; + }; + 
+ struct CMS_RecipientInfo_st { +--- a/crypto/cms/cms_smime.c ++++ b/crypto/cms/cms_smime.c +@@ -737,6 +737,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EV + cms->d.envelopedData->encryptedContentInfo->debug = 1; + else + cms->d.envelopedData->encryptedContentInfo->debug = 0; ++ if (!cert) ++ cms->d.envelopedData->encryptedContentInfo->havenocert = 1; ++ else ++ cms->d.envelopedData->encryptedContentInfo->havenocert = 0; + if (!pk && !cert && !dcont && !out) + return 1; + if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert)) +--- a/crypto/pkcs7/pk7_doit.c ++++ b/crypto/pkcs7/pk7_doit.c +@@ -191,7 +191,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECI + } + + static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, +- PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey) ++ PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey, ++ size_t fixlen) + { + EVP_PKEY_CTX *pctx = NULL; + unsigned char *ek = NULL; +@@ -224,7 +225,9 @@ static int pkcs7_decrypt_rinfo(unsigned + } + + if (EVP_PKEY_decrypt(pctx, ek, &eklen, +- ri->enc_key->data, ri->enc_key->length) <= 0) { ++ ri->enc_key->data, ri->enc_key->length) <= 0 ++ || eklen == 0 ++ || (fixlen != 0 && eklen != fixlen)) { + ret = 0; + PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB); + goto err; +@@ -569,13 +572,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { + ri = sk_PKCS7_RECIP_INFO_value(rsk, i); + +- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) ++ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, ++ EVP_CIPHER_key_length(evp_cipher)) < 0) + goto err; + ERR_clear_error(); + } + } else { + /* Only exit on fatal errors, not decrypt failure */ +- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) ++ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0) + goto err; + ERR_clear_error(); + } diff -Nru openssl1.0-1.0.2n/debian/patches/CVE-2020-1968.patch openssl1.0-1.0.2n/debian/patches/CVE-2020-1968.patch --- openssl1.0-1.0.2n/debian/patches/CVE-2020-1968.patch 1970-01-01 00:00:00.000000000 
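Review bot: `havenocert` is only set in the `CMS_decrypt` hunk, while the length check that depends on it lives in `cms_RecipientInfo_ktri_decrypt`, so an application calling `CMS_decrypt_set1_pkey(cms, pk, NULL)` directly (the function named in the subject) gets no hardening unless something outside this hunk sets the flag — worth confirming, and if nothing does, set it in `CMS_decrypt_set1_pkey` as well, e.g. `cms->d.envelopedData->encryptedContentInfo->havenocert = (cert == NULL);`. Second, `fixlen` and the `EVP_CIPHER_key_length(evp_cipher)` argument in `PKCS7_dataDecode` are the cipher's default key length, apparently taken before any algorithm parameters are applied, so in the no-certificate path a message encrypted with a variable-key-length cipher at a non-default size (e.g. RC2) would now be rejected rather than decrypted; the commit text says "default key length" but the code should carry that caveat, `/* default key length only: non-default key sizes for variable-length ciphers are rejected here when no cert is given */`. Minor style: the new block re-dereferences `cms->d.envelopedData->encryptedContentInfo` twice although `ec` already holds that pointer a few lines above — `if (ec->havenocert && !ec->debug)` matches the surrounding code. `cms_RecipientInfo_ktri_decrypt`, `CMS_decrypt` and `PKCS7_dataDecode` all start outside the hunk.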
+0000 +++ openssl1.0-1.0.2n/debian/patches/CVE-2020-1968.patch 2020-09-16 11:51:10.000000000 +0000 
@@ -0,0 +1,247 @@
+Description: disable ciphers vulnerable to CVE-2020-1968
+Author: Marc Deslauriers
+
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -967,6 +967,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ },
+ /* Cipher 30 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
+@@ -981,7 +982,9 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+ /* Cipher 31 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
+@@ -996,6 +999,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+ /* Cipher 32 */
+ {
+ 1,
+@@ -1058,6 +1062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ },
+ /* Cipher 36 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
+@@ -1072,8 +1077,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ 256,
+ },
++#endif
+
+ /* Cipher 37 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
+@@ -1088,6 +1095,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ 256,
+ },
++#endif
+
+ /* Cipher 38 */
+ {
+@@ -1187,6 +1195,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ },
+
+ /* Cipher 3E */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
+@@ -1201,8 +1210,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+
+ /* Cipher 3F */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_RSA_WITH_AES_128_SHA256,
+@@ -1217,6 +1228,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+
+ /* Cipher 40 */
+ {
+@@ -1254,6 +1266,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ },
+
+ /* Cipher 42 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
+@@ -1268,8 +1281,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+
+ /* Cipher 43 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
+@@ 
-1284,6 +1299,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+
+ /* Cipher 44 */
+ {
+@@ -1479,6 +1495,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ },
+
+ /* Cipher 68 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
+@@ -1493,8 +1510,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ 256,
+ },
++#endif
+
+ /* Cipher 69 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_RSA_WITH_AES_256_SHA256,
+@@ -1509,6 +1528,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ 256,
+ },
++#endif
+
+ /* Cipher 6A */
+ {
+@@ -1648,6 +1668,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ },
+ /* Cipher 85 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
+@@ -1662,8 +1683,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ 256,
+ },
++#endif
+
+ /* Cipher 86 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
+@@ -1678,6 +1701,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ 256,
+ },
++#endif
+
+ /* Cipher 87 */
+ {
+@@ -1818,6 +1842,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ },
+
+ /* Cipher 97 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_DSS_WITH_SEED_SHA,
+@@ -1832,8 +1857,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+
+ /* Cipher 98 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_RSA_WITH_SEED_SHA,
+@@ -1848,6 +1875,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+
+ /* Cipher 99 */
+ {
+@@ -1966,6 +1994,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ },
+
+ /* Cipher A0 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256,
+@@ -1980,8 +2009,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+
+ /* Cipher A1 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384,
+@@ -1996,6 +2027,7 @@ 
OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ 256,
+ },
++#endif
+
+ /* Cipher A2 */
+ {
+@@ -2030,6 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ },
+
+ /* Cipher A4 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
+@@ -2044,8 +2077,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 128,
+ 128,
+ },
++#endif
+
+ /* Cipher A5 */
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+ {
+ 1,
+ TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
+@@ -2060,6 +2095,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 256,
+ 256,
+ },
++#endif
+
+ /* Cipher A6 */
+ {
diff -Nru openssl1.0-1.0.2n/debian/patches/series openssl1.0-1.0.2n/debian/patches/series
--- openssl1.0-1.0.2n/debian/patches/series 2019-02-26 19:46:16.000000000 +0000
+++ openssl1.0-1.0.2n/debian/patches/series 2020-09-16 11:51:13.000000000 +0000
@@ -33,3 +33,7 @@
 CVE-2018-5407.patch
 CVE-2019-1559.patch
 s390x-fix-aes-gcm-tls.patch
+CVE-2020-1968.patch
+CVE-2019-1547.patch
+CVE-2019-1551.patch
+CVE-2019-1563.patch
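Review bot: The removal is only conditional: every DH_DSS/DH_RSA entry in this hunk is wrapped in `#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS`, so the static-DH suites remain compiled in and negotiable unless the package build defines that macro, and nothing in this debdiff shows the configure options doing so; confirm the build sets it, otherwise the patch does not change the cipher list for CVE-2020-1968. The hunk guards the AES, Camellia, SEED and GCM static-DH suites (ciphers 30/31, 36/37, 3E/3F, 42/43, 68/69, 85/86, 97/98, A0/A1, A4/A5) but touches none of the SSL3-era DH_DSS/DH_RSA entries such as the 3DES suites, which reuse the server's DH secret in the same way if this s3_lib.c still carries them unguarded. Reusing the "weak cipher" macro for what is really a key-exchange problem deserves a comment on the first guard so the grouping is not later undone, e.g. `/* static DH (TLS_DH_DSS/TLS_DH_RSA) suites reuse the DH secret across connections: CVE-2020-1968 */`. The DEP-3 header carries only Description and Author; an Origin or Bug field pointing at the upstream advisory would help the next rebase.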