forked from rpms/openssl
import openssl-1.1.1k-6.el8_5
This commit is contained in:
parent
8755b29af1
commit
145dc9b8af
179
SOURCES/openssl-1.1.1-cve-2022-0778.patch
Normal file
179
SOURCES/openssl-1.1.1-cve-2022-0778.patch
Normal file
@ -0,0 +1,179 @@
|
|||||||
|
From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Mon, 28 Feb 2022 18:26:21 +0100
|
||||||
|
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
|
||||||
|
|
||||||
|
The calculation in some cases does not finish for non-prime p.
|
||||||
|
|
||||||
|
This fixes CVE-2022-0778.
|
||||||
|
|
||||||
|
Based on patch by David Benjamin <davidben@google.com>.
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
---
|
||||||
|
crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
|
||||||
|
1 file changed, 18 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Mon, 28 Feb 2022 18:26:30 +0100
|
||||||
|
Subject: [PATCH] Add documentation of BN_mod_sqrt()
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
---
|
||||||
|
doc/man3/BN_add.pod | 15 +++++++++++++--
|
||||||
|
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Mon, 28 Feb 2022 18:26:35 +0100
|
||||||
|
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
---
|
||||||
|
test/bntest.c | 11 ++++++++++-
|
||||||
|
test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
|
||||||
|
2 files changed, 22 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
|
||||||
|
index 1723d5ded5a8..53b0f559855c 100644
|
||||||
|
--- a/crypto/bn/bn_sqrt.c
|
||||||
|
+++ b/crypto/bn/bn_sqrt.c
|
||||||
|
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||||
|
/*
|
||||||
|
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
|
||||||
|
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
|
||||||
|
- * Theory", algorithm 1.5.1). 'p' must be prime!
|
||||||
|
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
|
||||||
|
+ * an incorrect "result" will be returned.
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
BIGNUM *ret = in;
|
||||||
|
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||||
|
goto vrfy;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* find smallest i such that b^(2^i) = 1 */
|
||||||
|
- i = 1;
|
||||||
|
- if (!BN_mod_sqr(t, b, p, ctx))
|
||||||
|
- goto end;
|
||||||
|
- while (!BN_is_one(t)) {
|
||||||
|
- i++;
|
||||||
|
- if (i == e) {
|
||||||
|
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
||||||
|
- goto end;
|
||||||
|
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
|
||||||
|
+ for (i = 1; i < e; i++) {
|
||||||
|
+ if (i == 1) {
|
||||||
|
+ if (!BN_mod_sqr(t, b, p, ctx))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ } else {
|
||||||
|
+ if (!BN_mod_mul(t, t, t, p, ctx))
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
- if (!BN_mod_mul(t, t, t, p, ctx))
|
||||||
|
- goto end;
|
||||||
|
+ if (BN_is_one(t))
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ /* If not found, a is not a square or p is not prime. */
|
||||||
|
+ if (i >= e) {
|
||||||
|
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* t := y^2^(e - i - 1) */
|
||||||
|
diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
|
||||||
|
index dccd4790ede7..1f5e37a4d183 100644
|
||||||
|
--- a/doc/man3/BN_add.pod
|
||||||
|
+++ b/doc/man3/BN_add.pod
|
||||||
|
@@ -3,7 +3,7 @@
|
||||||
|
=head1 NAME
|
||||||
|
|
||||||
|
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
|
||||||
|
-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
|
||||||
|
+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
|
||||||
|
arithmetic operations on BIGNUMs
|
||||||
|
|
||||||
|
=head1 SYNOPSIS
|
||||||
|
@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
|
||||||
|
|
||||||
|
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
|
||||||
|
|
||||||
|
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
|
||||||
|
+
|
||||||
|
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
|
||||||
|
|
||||||
|
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
|
||||||
|
@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
|
||||||
|
BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
|
||||||
|
result in I<r>.
|
||||||
|
|
||||||
|
+BN_mod_sqrt() returns the modular square root of I<a> such that
|
||||||
|
+C<in^2 = a (mod p)>. The modulus I<p> must be a
|
||||||
|
+prime, otherwise an error or an incorrect "result" will be returned.
|
||||||
|
+The result is stored into I<in> which can be NULL. The result will be
|
||||||
|
+newly allocated in that case.
|
||||||
|
+
|
||||||
|
BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
|
||||||
|
(C<r=a^p>). This function is faster than repeated applications of
|
||||||
|
BN_mul().
|
||||||
|
@@ -108,7 +116,10 @@ the arguments.
|
||||||
|
|
||||||
|
=head1 RETURN VALUES
|
||||||
|
|
||||||
|
-For all functions, 1 is returned for success, 0 on error. The return
|
||||||
|
+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
|
||||||
|
+not a prime), or NULL.
|
||||||
|
+
|
||||||
|
+For all remaining functions, 1 is returned for success, 0 on error. The return
|
||||||
|
value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
|
||||||
|
The error codes can be obtained by L<ERR_get_error(3)>.
|
||||||
|
|
||||||
|
diff --git a/test/bntest.c b/test/bntest.c
|
||||||
|
index 390dd800733e..1cab660bcafb 100644
|
||||||
|
--- a/test/bntest.c
|
||||||
|
+++ b/test/bntest.c
|
||||||
|
@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
|
||||||
|
|| !TEST_ptr(ret2 = BN_new()))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
+ if (BN_is_negative(mod_sqrt)) {
|
||||||
|
+ /* A negative testcase */
|
||||||
|
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ st = 1;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* There are two possible answers. */
|
||||||
|
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
|
||||||
|
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|
||||||
|
|| !TEST_true(BN_sub(ret2, p, ret)))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
|
||||||
|
index 5ea4d031f271..e28cc6bfb02e 100644
|
||||||
|
--- a/test/recipes/10-test_bn_data/bnmod.txt
|
||||||
|
+++ b/test/recipes/10-test_bn_data/bnmod.txt
|
||||||
|
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||||
|
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
|
||||||
|
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
|
||||||
|
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||||
|
+
|
||||||
|
+# Negative testcases for BN_mod_sqrt()
|
||||||
|
+
|
||||||
|
+# This one triggers an infinite loop with unfixed implementation
|
||||||
|
+# It should just fail.
|
||||||
|
+ModSqrt = -1
|
||||||
|
+A = 20a7ee
|
||||||
|
+P = 460201
|
||||||
|
+
|
||||||
|
+ModSqrt = -1
|
||||||
|
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
|
||||||
|
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
@ -22,7 +22,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.1.1k
|
Version: 1.1.1k
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -82,6 +82,7 @@ Patch56: openssl-1.1.1-s390x-ecc.patch
|
|||||||
Patch74: openssl-1.1.1-addrconfig.patch
|
Patch74: openssl-1.1.1-addrconfig.patch
|
||||||
Patch75: openssl-1.1.1-tls13-curves.patch
|
Patch75: openssl-1.1.1-tls13-curves.patch
|
||||||
Patch81: openssl-1.1.1-read-buff.patch
|
Patch81: openssl-1.1.1-read-buff.patch
|
||||||
|
Patch82: openssl-1.1.1-cve-2022-0778.patch
|
||||||
|
|
||||||
License: OpenSSL and ASL 2.0
|
License: OpenSSL and ASL 2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
@ -202,6 +203,7 @@ cp %{SOURCE13} test/
|
|||||||
%patch79 -p1 -b .servername-cb
|
%patch79 -p1 -b .servername-cb
|
||||||
%patch80 -p1 -b .s390x-test-aes
|
%patch80 -p1 -b .s390x-test-aes
|
||||||
%patch81 -p1 -b .read-buff
|
%patch81 -p1 -b .read-buff
|
||||||
|
%patch82 -p1 -b .cve-2022-0778
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -486,6 +488,10 @@ export LD_LIBRARY_PATH
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
||||||
|
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
||||||
|
- Resolves: rhbz#2067144
|
||||||
|
|
||||||
* Fri Nov 12 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
* Fri Nov 12 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
||||||
- CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
- CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
||||||
- Resolves: rhbz#2005400
|
- Resolves: rhbz#2005400
|
||||||
|
Loading…
Reference in New Issue
Block a user