import openssl-1.1.1c-12.el8

This commit is contained in:
CentOS Sources 2020-01-21 10:44:27 -05:00 committed by Stepan Oksanichenko
parent ecb2952871
commit ed72945b4b
12 changed files with 7996 additions and 5 deletions

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,171 @@
From 30c22fa8b1d840036b8e203585738df62a03cec8 Mon Sep 17 00:00:00 2001
From: Billy Brumley <bbrumley@gmail.com>
Date: Thu, 5 Sep 2019 21:25:37 +0300
Subject: [PATCH] [crypto/ec] for ECC parameters with NULL or zero cofactor,
compute it
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.
This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.
This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.
It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).
The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.
CVE-2019-1547
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9781)
---
crypto/ec/ec_lib.c | 103 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 96 insertions(+), 7 deletions(-)
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 8cab5a5061..1289c8608e 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -265,6 +265,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
static int ec_precompute_mont_data(EC_GROUP *);
+/*-
+ * Try computing cofactor from the generator order (n) and field cardinality (q).
+ * This works for all curves of cryptographic interest.
+ *
+ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
+ * h_min = (q + 1 - 2*sqrt(q))/n
+ * h_max = (q + 1 + 2*sqrt(q))/n
+ * h_max - h_min = 4*sqrt(q)/n
+ * So if n > 4*sqrt(q) holds, there is only one possible value for h:
+ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
+ *
+ * Otherwise, zero cofactor and return success.
+ */
+static int ec_guess_cofactor(EC_GROUP *group) {
+ int ret = 0;
+ BN_CTX *ctx = NULL;
+ BIGNUM *q = NULL;
+
+ /*-
+ * If the cofactor is too large, we cannot guess it.
+ * The RHS of below is a strict overestimate of lg(4 * sqrt(q))
+ */
+ if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
+ /* default to 0 */
+ BN_zero(group->cofactor);
+ /* return success */
+ return 1;
+ }
+
+ if ((ctx = BN_CTX_new()) == NULL)
+ return 0;
+
+ BN_CTX_start(ctx);
+ if ((q = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /* set q = 2**m for binary fields; q = p otherwise */
+ if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
+ BN_zero(q);
+ if (!BN_set_bit(q, BN_num_bits(group->field) - 1))
+ goto err;
+ } else {
+ if (!BN_copy(q, group->field))
+ goto err;
+ }
+
+ /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
+ if (!BN_rshift1(group->cofactor, group->order) /* n/2 */
+ || !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */
+ /* q + 1 + n/2 */
+ || !BN_add(group->cofactor, group->cofactor, BN_value_one())
+ /* (q + 1 + n/2)/n */
+ || !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))
+ goto err;
+ ret = 1;
+ err:
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ return ret;
+}
+
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
const BIGNUM *order, const BIGNUM *cofactor)
{
@@ -273,6 +334,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
return 0;
}
+ /* require group->field >= 1 */
+ if (group->field == NULL || BN_is_zero(group->field)
+ || BN_is_negative(group->field)) {
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
+ return 0;
+ }
+
+ /*-
+ * - require order >= 1
+ * - enforce upper bound due to Hasse thm: order can be no more than one bit
+ * longer than field cardinality
+ */
+ if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
+ || BN_num_bits(order) > BN_num_bits(group->field) + 1) {
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
+ return 0;
+ }
+
+ /*-
+ * Unfortunately the cofactor is an optional field in many standards.
+ * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
+ * So accept cofactor == NULL or cofactor >= 0.
+ */
+ if (cofactor != NULL && BN_is_negative(cofactor)) {
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
+ return 0;
+ }
+
if (group->generator == NULL) {
group->generator = EC_POINT_new(group);
if (group->generator == NULL)
@@ -281,17 +370,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
if (!EC_POINT_copy(group->generator, generator))
return 0;
- if (order != NULL) {
- if (!BN_copy(group->order, order))
- return 0;
- } else
- BN_zero(group->order);
+ if (!BN_copy(group->order, order))
+ return 0;
- if (cofactor != NULL) {
+ /* Either take the provided positive cofactor, or try to compute it */
+ if (cofactor != NULL && !BN_is_zero(cofactor)) {
if (!BN_copy(group->cofactor, cofactor))
return 0;
- } else
+ } else if (!ec_guess_cofactor(group)) {
BN_zero(group->cofactor);
+ return 0;
+ }
/*
* Some groups have an order with
--
2.20.1

View File

@ -0,0 +1,300 @@
diff -up openssl-1.1.1c/crypto/fips/fips.c.fork-safety openssl-1.1.1c/crypto/fips/fips.c
--- openssl-1.1.1c/crypto/fips/fips.c.fork-safety 2019-11-20 11:36:22.343506961 +0100
+++ openssl-1.1.1c/crypto/fips/fips.c 2019-11-21 17:44:32.920776849 +0100
@@ -472,7 +472,7 @@ int FIPS_module_mode_set(int onoff)
fips_set_mode(onoff);
/* force RNG reseed with entropy from getrandom() on next call */
- rand_fork();
+ rand_force_reseed();
ret = 1;
goto end;
diff -up openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety openssl-1.1.1c/crypto/include/internal/rand_int.h
--- openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety 2019-11-20 11:36:22.382506277 +0100
+++ openssl-1.1.1c/crypto/include/internal/rand_int.h 2019-11-21 17:45:42.102456672 +0100
@@ -24,9 +24,9 @@
typedef struct rand_pool_st RAND_POOL;
void rand_cleanup_int(void);
+void rand_force_reseed(void);
void rand_drbg_cleanup_int(void);
void drbg_delete_thread_state(void);
-void rand_fork(void);
/* Hardware-based seeding functions. */
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
diff -up openssl-1.1.1c/crypto/init.c.fork-safety openssl-1.1.1c/crypto/init.c
--- openssl-1.1.1c/crypto/init.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/init.c 2019-11-21 17:34:13.478597398 +0100
@@ -847,6 +847,5 @@ void OPENSSL_fork_parent(void)
void OPENSSL_fork_child(void)
{
- rand_fork();
}
#endif
diff -up openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety openssl-1.1.1c/crypto/rand/drbg_lib.c
--- openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety 2019-11-20 11:36:22.383506260 +0100
+++ openssl-1.1.1c/crypto/rand/drbg_lib.c 2019-11-21 17:46:37.583397431 +0100
@@ -197,7 +197,7 @@ static RAND_DRBG *rand_drbg_new(int secu
}
drbg->secure = secure && CRYPTO_secure_allocated(drbg);
- drbg->fork_count = rand_fork_count;
+ drbg->fork_id = openssl_get_fork_id();
drbg->parent = parent;
if (parent == NULL) {
@@ -583,6 +583,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
int prediction_resistance,
const unsigned char *adin, size_t adinlen)
{
+ int fork_id;
int reseed_required = 0;
if (drbg->state != DRBG_READY) {
@@ -608,8 +609,10 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
return 0;
}
- if (drbg->fork_count != rand_fork_count) {
- drbg->fork_count = rand_fork_count;
+ fork_id = openssl_get_fork_id();
+
+ if (drbg->fork_id != fork_id) {
+ drbg->fork_id = fork_id;
reseed_required = 1;
}
@@ -1011,6 +1014,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
}
+void rand_force_reseed(void)
+{
+ RAND_DRBG *drbg;
+
+ drbg = RAND_DRBG_get0_master();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_private();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_public();
+ drbg->fork_id = 0;
+}
+
/* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness)
{
diff -up openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety openssl-1.1.1c/crypto/rand/rand_lcl.h
--- openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety 2019-11-20 11:36:22.383506260 +0100
+++ openssl-1.1.1c/crypto/rand/rand_lcl.h 2019-11-21 17:34:13.485597265 +0100
@@ -176,12 +176,12 @@ struct rand_drbg_st {
int secure; /* 1: allocated on the secure heap, 0: otherwise */
int type; /* the nid of the underlying algorithm */
/*
- * Stores the value of the rand_fork_count global as of when we last
- * reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
- * rand_fork_count. Used to provide fork-safety and reseed this DRBG in
- * the child process.
+ * Stores the return value of openssl_get_fork_id() as of when we last
+ * reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
+ * openssl_get_fork_id(). Used to provide fork-safety and reseed this
+ * DRBG in the child process.
*/
- int fork_count;
+ int fork_id;
unsigned short flags; /* various external flags */
/*
@@ -273,19 +273,6 @@ struct rand_drbg_st {
/* The global RAND method, and the global buffer and DRBG instance. */
extern RAND_METHOD rand_meth;
-/*
- * A "generation count" of forks. Incremented in the child process after a
- * fork. Since rand_fork_count is increment-only, and only ever written to in
- * the child process of the fork, which is guaranteed to be single-threaded, no
- * locking is needed for normal (read) accesses; the rest of pthread fork
- * processing is assumed to introduce the necessary memory barriers. Sibling
- * children of a given parent will produce duplicate values, but this is not
- * problematic because the reseeding process pulls input from the system CSPRNG
- * and/or other global sources, so the siblings will end up generating
- * different output streams.
- */
-extern int rand_fork_count;
-
/* DRBG helpers */
int rand_drbg_restart(RAND_DRBG *drbg,
const unsigned char *buffer, size_t len, size_t entropy);
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety openssl-1.1.1c/crypto/rand/rand_lib.c
--- openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety 2019-11-20 11:36:22.374506418 +0100
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-11-21 17:34:13.487597227 +0100
@@ -30,8 +30,6 @@ static CRYPTO_RWLOCK *rand_meth_lock;
static const RAND_METHOD *default_RAND_meth;
static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;
-int rand_fork_count;
-
static CRYPTO_RWLOCK *rand_nonce_lock;
static int rand_nonce_count;
@@ -303,11 +301,6 @@ void rand_drbg_cleanup_additional_data(R
rand_pool_reattach(pool, out);
}
-void rand_fork(void)
-{
- rand_fork_count++;
-}
-
DEFINE_RUN_ONCE_STATIC(do_rand_init)
{
#ifndef OPENSSL_NO_ENGINE
diff -up openssl-1.1.1c/crypto/threads_none.c.fork-safety openssl-1.1.1c/crypto/threads_none.c
--- openssl-1.1.1c/crypto/threads_none.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/threads_none.c 2019-11-21 17:34:13.489597189 +0100
@@ -12,6 +12,11 @@
#if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG)
+# if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <unistd.h>
+# endif
+
CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
{
CRYPTO_RWLOCK *lock;
@@ -133,4 +138,12 @@ int openssl_init_fork_handlers(void)
return 0;
}
+int openssl_get_fork_id(void)
+{
+# if defined(OPENSSL_SYS_UNIX)
+ return getpid();
+# else
+ return 0;
+# endif
+}
#endif
diff -up openssl-1.1.1c/crypto/threads_pthread.c.fork-safety openssl-1.1.1c/crypto/threads_pthread.c
--- openssl-1.1.1c/crypto/threads_pthread.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/threads_pthread.c 2019-11-21 17:34:13.492597131 +0100
@@ -12,6 +12,11 @@
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
+# if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <unistd.h>
+#endif
+
# ifdef PTHREAD_RWLOCK_INITIALIZER
# define USE_RWLOCK
# endif
@@ -193,4 +198,9 @@ int openssl_init_fork_handlers(void)
# endif
return 0;
}
+
+int openssl_get_fork_id(void)
+{
+ return getpid();
+}
#endif
diff -up openssl-1.1.1c/crypto/threads_win.c.fork-safety openssl-1.1.1c/crypto/threads_win.c
--- openssl-1.1.1c/crypto/threads_win.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/threads_win.c 2019-11-21 17:34:13.495597074 +0100
@@ -164,4 +164,8 @@ int openssl_init_fork_handlers(void)
return 0;
}
+int openssl_get_fork_id(void)
+{
+ return 0;
+}
#endif
diff -up openssl-1.1.1c/include/internal/cryptlib.h.fork-safety openssl-1.1.1c/include/internal/cryptlib.h
--- openssl-1.1.1c/include/internal/cryptlib.h.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/include/internal/cryptlib.h 2019-11-21 17:34:13.497597036 +0100
@@ -80,6 +80,7 @@ extern unsigned int OPENSSL_ia32cap_P[];
void OPENSSL_showfatal(const char *fmta, ...);
void crypto_cleanup_all_ex_data_int(void);
int openssl_init_fork_handlers(void);
+int openssl_get_fork_id(void);
char *ossl_safe_getenv(const char *name);
diff -up openssl-1.1.1c/test/drbgtest.c.fork-safety openssl-1.1.1c/test/drbgtest.c
--- openssl-1.1.1c/test/drbgtest.c.fork-safety 2019-11-20 11:36:22.384506242 +0100
+++ openssl-1.1.1c/test/drbgtest.c 2019-11-21 17:34:13.499596998 +0100
@@ -22,6 +22,13 @@
# include <windows.h>
#endif
+
+#if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <sys/wait.h>
+# include <unistd.h>
+#endif
+
#include "testutil.h"
#include "drbgtest.h"
@@ -696,6 +703,40 @@ static int test_drbg_reseed(int expect_s
return 1;
}
+
+#if defined(OPENSSL_SYS_UNIX)
+/*
+ * Test whether master, public and private DRBG are reseeded after
+ * forking the process.
+ */
+static int test_drbg_reseed_after_fork(RAND_DRBG *master,
+ RAND_DRBG *public,
+ RAND_DRBG *private)
+{
+ pid_t pid;
+ int status=0;
+
+ pid = fork();
+ if (!TEST_int_ge(pid, 0))
+ return 0;
+
+ if (pid > 0) {
+ /* I'm the parent; wait for the child and check its exit code */
+ return TEST_int_eq(waitpid(pid, &status, 0), pid) && TEST_int_eq(status, 0);
+ }
+
+ /* I'm the child; check whether all three DRBGs reseed. */
+ if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)))
+ status = 1;
+
+ /* Remove hooks */
+ unhook_drbg(master);
+ unhook_drbg(public);
+ unhook_drbg(private);
+ exit(status);
+}
+#endif
+
/*
* Test whether the default rand_method (RAND_OpenSSL()) is
* setup correctly, in particular whether reseeding works
@@ -786,6 +827,10 @@ static int test_rand_drbg_reseed(void)
goto error;
reset_drbg_hook_ctx();
+#if defined(OPENSSL_SYS_UNIX)
+ if (!TEST_true(test_drbg_reseed_after_fork(master, public, private)))
+ goto error;
+#endif
/* fill 'randomness' buffer with some arbitrary data */
memset(rand_add_buf, 'r', sizeof(rand_add_buf));

View File

@ -0,0 +1,147 @@
From 08229ad838c50f644d7e928e2eef147b4308ad64 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun, 1 Sep 2019 00:16:28 +0200
Subject: [PATCH] Fix a padding oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)
(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
---
crypto/cms/cms_env.c | 18 +++++++++++++++++-
crypto/cms/cms_lcl.h | 2 ++
crypto/cms/cms_smime.c | 4 ++++
crypto/pkcs7/pk7_doit.c | 12 ++++++++----
5 files changed, 45 insertions(+), 5 deletions(-)
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index bb95af75e3..25df1c40b1 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -363,6 +363,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
unsigned char *ek = NULL;
size_t eklen;
int ret = 0;
+ size_t fixlen = 0;
CMS_EncryptedContentInfo *ec;
ec = cms->d.envelopedData->encryptedContentInfo;
@@ -371,6 +372,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
return 0;
}
+ if (cms->d.envelopedData->encryptedContentInfo->havenocert
+ && !cms->d.envelopedData->encryptedContentInfo->debug) {
+ X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
+ const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
+
+ if (ciph == NULL) {
+ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
+ return 0;
+ }
+
+ fixlen = EVP_CIPHER_key_length(ciph);
+ }
+
ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
if (ktri->pctx == NULL)
return 0;
@@ -401,7 +415,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
ktri->encryptedKey->data,
- ktri->encryptedKey->length) <= 0) {
+ ktri->encryptedKey->length) <= 0
+ || eklen == 0
+ || (fixlen != 0 && eklen != fixlen)) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
goto err;
}
diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h
index b5c06b7f6c..8eddb02493 100644
--- a/crypto/cms/cms_lcl.h
+++ b/crypto/cms/cms_lcl.h
@@ -125,6 +125,8 @@ struct CMS_EncryptedContentInfo_st {
size_t keylen;
/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
int debug;
+ /* Set to 1 if we have no cert and need extra safety measures for MMA */
+ int havenocert;
};
struct CMS_RecipientInfo_st {
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 5dcf803f4b..3a26108b8c 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -743,6 +743,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
cms->d.envelopedData->encryptedContentInfo->debug = 1;
else
cms->d.envelopedData->encryptedContentInfo->debug = 0;
+ if (!cert)
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
+ else
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
if (!pk && !cert && !dcont && !out)
return 1;
if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index ee08e602a1..15a6160cfe 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -137,7 +137,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
}
static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
- PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
+ PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
+ size_t fixlen)
{
EVP_PKEY_CTX *pctx = NULL;
unsigned char *ek = NULL;
@@ -170,7 +171,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
}
if (EVP_PKEY_decrypt(pctx, ek, &eklen,
- ri->enc_key->data, ri->enc_key->length) <= 0) {
+ ri->enc_key->data, ri->enc_key->length) <= 0
+ || eklen == 0
+ || (fixlen != 0 && eklen != fixlen)) {
ret = 0;
PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
goto err;
@@ -499,13 +502,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
+ EVP_CIPHER_key_length(evp_cipher)) < 0)
goto err;
ERR_clear_error();
}
} else {
/* Only exit on fatal errors, not decrypt failure */
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
goto err;
ERR_clear_error();
}
--
2.20.1

View File

@ -0,0 +1,68 @@
diff -up openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1c/crypto/evp/pkey_kdf.c
--- openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build 2019-11-14 16:25:09.437914854 +0100
+++ openssl-1.1.1c/crypto/evp/pkey_kdf.c 2019-11-15 14:52:40.216905772 +0100
@@ -12,6 +12,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/kdf.h>
+#include "internal/numbers.h"
#include "internal/evp_int.h"
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build openssl-1.1.1c/crypto/include/internal/fips_int.h
--- openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build 2019-11-14 16:25:09.430914981 +0100
+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-11-15 14:48:02.489936610 +0100
@@ -50,10 +50,6 @@
#include <openssl/opensslconf.h>
#include <openssl/evp.h>
-#ifndef OPENSSL_FIPS
-# error FIPS is disabled.
-#endif
-
#ifdef OPENSSL_FIPS
int FIPS_module_mode_set(int onoff);
@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+#else
+
+# define fips_in_post() 0
+
#endif
diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/hkdf.c
--- openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build 2019-11-14 16:25:09.438914836 +0100
+++ openssl-1.1.1c/crypto/kdf/hkdf.c 2019-11-15 14:48:53.360015134 +0100
@@ -13,6 +13,7 @@
#include <openssl/hmac.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
+#include "internal/numbers.h"
#include "internal/cryptlib.h"
#include "internal/evp_int.h"
#include "kdf_local.h"
diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/sshkdf.c
--- openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build 2019-11-14 16:25:09.452914583 +0100
+++ openssl-1.1.1c/crypto/kdf/sshkdf.c 2019-11-15 14:53:14.769279878 +0100
@@ -12,6 +12,7 @@
#include <string.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
+#include "internal/numbers.h"
#include "internal/cryptlib.h"
#include "internal/evp_int.h"
#include "kdf_local.h"
diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1c/crypto/rand/rand_unix.c
--- openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build 2019-11-14 16:25:09.430914981 +0100
+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-11-15 14:51:41.634966941 +0100
@@ -19,7 +19,7 @@
#include "internal/fips_int.h"
#include <stdio.h>
#include "internal/dso.h"
-#if defined(__linux)
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
# include <sys/syscall.h>
# include <sys/random.h>
#endif

View File

@ -0,0 +1,212 @@
diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1c/crypto/ec/ec_curve.c
--- openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves 2019-11-25 13:18:40.719532357 +0100
+++ openssl-1.1.1c/crypto/ec/ec_curve.c 2019-11-25 13:18:40.765531559 +0100
@@ -13,6 +13,7 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>
+#include <openssl/crypto.h>
#include "internal/nelem.h"
typedef struct {
@@ -237,6 +238,7 @@ static const struct {
typedef struct _ec_list_element_st {
int nid;
+ int fips_allowed;
const EC_CURVE_DATA *data;
const EC_METHOD *(*meth) (void);
const char *comment;
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
/* prime field curves */
/* secg curves */
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
"NIST/SECG curve over a 224 bit prime field"},
#else
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
"NIST/SECG curve over a 224 bit prime field"},
#endif
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
"SECG curve over a 256 bit prime field"},
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
# if defined(S390X_EC_ASM)
EC_GFp_s390x_nistp384_method,
# else
0,
# endif
"NIST/SECG curve over a 384 bit prime field"},
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
# if defined(S390X_EC_ASM)
EC_GFp_s390x_nistp521_method,
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
# endif
"NIST/SECG curve over a 521 bit prime field"},
/* X9.62 curves */
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
#if defined(ECP_NISTZ256_ASM)
EC_GFp_nistz256_method,
# elif defined(S390X_EC_ASM)
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
for (i = 0; i < curve_list_length; i++)
if (curve_list[i].nid == nid) {
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
+ return NULL;
+ }
ret = ec_group_new_from_data(curve_list[i]);
break;
}
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
{
- size_t i, min;
+ size_t i, j, num;
+ int fips_mode = FIPS_mode();
- if (r == NULL || nitems == 0)
- return curve_list_length;
+ num = curve_list_length;
+ if (fips_mode)
+ for (i = 0; i < curve_list_length; i++) {
+ if (!curve_list[i].fips_allowed)
+ --num;
+ }
- min = nitems < curve_list_length ? nitems : curve_list_length;
+ if (r == NULL || nitems == 0) {
+ return num;
+ }
- for (i = 0; i < min; i++) {
- r[i].nid = curve_list[i].nid;
- r[i].comment = curve_list[i].comment;
+ for (i = 0, j = 0; i < curve_list_length; i++) {
+ if (j >= nitems)
+ break;
+ if (!fips_mode || curve_list[i].fips_allowed) {
+ r[j].nid = curve_list[i].nid;
+ r[j].comment = curve_list[i].comment;
+ ++j;
+ }
}
- return curve_list_length;
+ return num;
}
/* Functions to translate between common NIST curve names and NIDs */
diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
--- openssl-1.1.1c/ssl/t1_lib.c.fips-curves 2019-11-25 13:18:40.658533416 +0100
+++ openssl-1.1.1c/ssl/t1_lib.c 2019-11-26 17:57:15.014742428 +0100
@@ -20,6 +20,7 @@
#include "internal/nelem.h"
#include "ssl_locl.h"
#include <openssl/ct.h>
+#include <openssl/crypto.h>
SSL3_ENC_METHOD const TLSv1_enc_data = {
tls1_enc,
@@ -676,6 +677,36 @@ static const uint16_t tls12_sigalgs[] =
#endif
};
+static const uint16_t tls12_fips_sigalgs[] = {
+#ifndef OPENSSL_NO_EC
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
+#endif
+
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
+
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
+
+#ifndef OPENSSL_NO_EC
+ TLSEXT_SIGALG_ecdsa_sha224,
+#endif
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
+#ifndef OPENSSL_NO_DSA
+ TLSEXT_SIGALG_dsa_sha224,
+ TLSEXT_SIGALG_dsa_sha256,
+ TLSEXT_SIGALG_dsa_sha384,
+ TLSEXT_SIGALG_dsa_sha512,
+#endif
+};
+
#ifndef OPENSSL_NO_EC
static const uint16_t suiteb_sigalgs[] = {
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
@@ -890,8 +921,11 @@ static const SIGALG_LOOKUP *tls1_get_leg
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
return NULL;
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
- const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
+ const SIGALG_LOOKUP *lu;
+ if (FIPS_mode()) /* We do not allow SHA1 signatures in FIPS mode */
+ return NULL;
+ lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
if (!tls1_lookup_md(lu, NULL))
return NULL;
return lu;
@@ -945,6 +979,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
} else if (s->cert->conf_sigalgs) {
*psigs = s->cert->conf_sigalgs;
return s->cert->conf_sigalgslen;
+ } else if (FIPS_mode()) {
+ *psigs = tls12_fips_sigalgs;
+ return OSSL_NELEM(tls12_fips_sigalgs);
} else {
*psigs = tls12_sigalgs;
return OSSL_NELEM(tls12_sigalgs);
@@ -964,6 +1001,9 @@ int tls_check_sigalg_curve(const SSL *s,
if (s->cert->conf_sigalgs) {
sigs = s->cert->conf_sigalgs;
siglen = s->cert->conf_sigalgslen;
+ } else if (FIPS_mode()) {
+ sigs = tls12_fips_sigalgs;
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
} else {
sigs = tls12_sigalgs;
siglen = OSSL_NELEM(tls12_sigalgs);
@@ -1582,6 +1622,8 @@ static int tls12_sigalg_allowed(SSL *s,
if (lu->sig == NID_id_GostR3410_2012_256
|| lu->sig == NID_id_GostR3410_2012_512
|| lu->sig == NID_id_GostR3410_2001) {
+ if (FIPS_mode())
+ return 0;
/* We never allow GOST sig algs on the server with TLSv1.3 */
if (s->server && SSL_IS_TLS13(s))
return 0;
@@ -2720,6 +2762,13 @@ int tls_choose_sigalg(SSL *s, int fatale
const uint16_t *sent_sigs;
size_t sent_sigslen;
+ if (fatalerrs && FIPS_mode()) {
+ /* There are no suitable legacy algorithms in FIPS mode */
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+ SSL_F_TLS_CHOOSE_SIGALG,
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+ return 0;
+ }
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
if (!fatalerrs)
return 1;

View File

@ -60,7 +60,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
eddsa_doit[i] = 2;
continue;
}
@@ -1734,23 +1739,30 @@ int speed_main(int argc, char **argv)
@@ -1734,23 +1739,31 @@ int speed_main(int argc, char **argv)
/* No parameters; turn on everything. */
if ((argc == 0) && !doit[D_EVP]) {
for (i = 0; i < ALGOR_NUM; i++)
@ -87,9 +87,11 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
ecdsa_doit[loop] = 1;
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
ecdh_doit[loop] = 1;
- ecdh_doit[loop] = 1;
- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
- eddsa_doit[loop] = 1;
+ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
+ ecdh_doit[loop] = 1;
+ if (!FIPS_mode())
+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
+ eddsa_doit[loop] = 1;
@ -459,7 +461,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
+ goto err;
+ }
+
+ if (FIPS_mode() && (L != 1024 || N != 160) &&
+ if (FIPS_mode() &&
+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
+ (L != 3072 || N != 256)) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
@ -11546,6 +11548,108 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
# define RSA_R_VALUE_MISSING 147
# define RSA_R_WRONG_SIGNATURE_LENGTH 119
diff -up openssl-1.1.1c/ssl/s3_lib.c.fips openssl-1.1.1c/ssl/s3_lib.c
--- openssl-1.1.1c/ssl/s3_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/ssl/s3_lib.c 2019-11-20 12:00:32.770173240 +0100
@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256,
128,
128,
@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384,
256,
256,
@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256,
128,
128,
@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c
--- openssl-1.1.1b/ssl/ssl_ciph.c.fips 2019-02-28 11:30:06.776746228 +0100
+++ openssl-1.1.1b/ssl/ssl_ciph.c 2019-02-28 11:30:06.822745372 +0100
@ -11673,6 +11777,45 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c
}
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h
--- openssl-1.1.1c/ssl/ssl_locl.h.fips 2019-06-03 16:44:58.963560101 +0200
+++ openssl-1.1.1c/ssl/ssl_locl.h 2019-06-24 14:43:19.547353076 +0200
@@ -1507,6 +1507,7 @@ typedef struct tls_group_info_st {
# define TLS_CURVE_PRIME 0x0
# define TLS_CURVE_CHAR2 0x1
# define TLS_CURVE_CUSTOM 0x2
+# define TLS_CURVE_FIPS 0x80
typedef struct cert_pkey_st CERT_PKEY;
diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c
--- openssl-1.1.1c/ssl/t1_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/ssl/t1_lib.c 2019-06-24 14:49:00.638576235 +0200
@@ -156,11 +156,11 @@ static const TLS_GROUP_INFO nid_list[] =
{NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
{NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
{NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
- {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
+ {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
{NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
- {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
- {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
+ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
+ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
+ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
{NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
{NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
{NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
@@ -255,6 +255,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
if (cinfo->flags & TLS_CURVE_CHAR2)
return 0;
# endif
+ if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
+ return 0;
ctmp[0] = curve >> 8;
ctmp[1] = curve & 0xff;
return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c
--- openssl-1.1.1b/test/dsatest.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/dsatest.c 2019-02-28 11:30:06.824745335 +0100

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,26 @@
diff -up openssl-1.1.1c/ssl/record/ssl3_record.c.compliance openssl-1.1.1c/ssl/record/ssl3_record.c
--- openssl-1.1.1c/ssl/record/ssl3_record.c.compliance 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/ssl/record/ssl3_record.c 2019-11-25 13:10:53.890637381 +0100
@@ -559,7 +559,7 @@ int ssl3_get_record(SSL *s)
RECORD_LAYER_reset_read_sequence(&s->rlayer);
return 1;
}
- SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
+ SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
return -1;
}
diff -up openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance openssl-1.1.1c/ssl/statem/extensions_srvr.c
--- openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/ssl/statem/extensions_srvr.c 2019-11-25 13:12:59.329459528 +0100
@@ -1487,6 +1487,10 @@ EXT_RETURN tls_construct_stoc_status_req
unsigned int context, X509 *x,
size_t chainidx)
{
+ /* We don't currently support this extension inside a CertificateRequest */
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
+ return EXT_RETURN_NOT_SENT;
+
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;

View File

@ -444,3 +444,91 @@ index fa19e7d80d..56e323f5bc 100644
--
2.20.1
diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h
--- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200
@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan
return constant_time_eq_8((unsigned)(a), (unsigned)(b));
}
+/* Returns the value unmodified, but avoids optimizations. */
+static ossl_inline unsigned int value_barrier(unsigned int a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ unsigned int r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile unsigned int r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for uint32_t. */
+static ossl_inline uint32_t value_barrier_32(uint32_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ uint32_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile uint32_t r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for uint64_t. */
+static ossl_inline uint64_t value_barrier_64(uint64_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ uint64_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile uint64_t r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for size_t. */
+static ossl_inline size_t value_barrier_s(size_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ size_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile size_t r = a;
+#endif
+ return r;
+}
+
static ossl_inline unsigned int constant_time_select(unsigned int mask,
unsigned int a,
unsigned int b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
}
static ossl_inline size_t constant_time_select_s(size_t mask,
size_t a,
size_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
}
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel
static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
uint32_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
}
static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
uint64_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
}
/*

View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1c
Release: 1%{?dist}
Release: 12%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -62,11 +62,20 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch
Patch48: openssl-1.1.1-fips-post-rand.patch
Patch49: openssl-1.1.1-evp-kdf.patch
Patch50: openssl-1.1.1-ssh-kdf.patch
Patch60: openssl-1.1.1-krb5-kdf.patch
Patch61: openssl-1.1.1-edk2-build.patch
Patch62: openssl-1.1.1-fips-curves.patch
# Backported fixes including security fixes
Patch51: openssl-1.1.1-upstream-sync.patch
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
Patch54: openssl-1.1.1-regression-fixes.patch
Patch55: openssl-1.1.1-arm-update.patch
Patch56: openssl-1.1.1-s390x-ecc.patch
Patch57: openssl-1.1.1-cve-2019-1547.patch
Patch58: openssl-1.1.1-cve-2019-1563.patch
Patch59: openssl-1.1.1-cve-2019-1549.patch
Patch63: openssl-1.1.1-tls-compliance.patch
License: OpenSSL
Group: System Environment/Libraries
@ -177,7 +186,15 @@ cp %{SOURCE13} test/
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
%patch54 -p1 -b .regression
%patch55 -p1 -b .arm-update
%patch56 -p1 -b .s390x-ecc
%patch57 -p1 -b .compute-cofactor
%patch58 -p1 -b .cms-padding-oracle
%patch59 -p1 -b .fork-safety
%patch60 -p1 -b .krb5-kdf
%patch61 -p1 -b .edk2-build
%patch62 -p1 -b .fips-curves
%patch63 -p1 -b .compliance
%build
# Figure out which flags we want to use.
@ -461,6 +478,42 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
* Wed Dec 4 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-12
- additional fix for the edk2 build
* Tue Nov 26 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-9
- disallow use of SHA-1 signatures in TLS in FIPS mode
* Mon Nov 25 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-8
- fix CVE-2019-1547 - side-channel weak encryption vulnerability
- fix CVE-2019-1563 - padding oracle in CMS API
- fix CVE-2019-1549 - ensure fork safety of the DRBG
- fix handling of non-FIPS allowed EC curves in FIPS mode
- fix TLS compliance issues
* Thu Nov 21 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-7
- backported ARM performance fixes from master
* Wed Nov 20 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6
- backport of S390x ECC CPACF enhancements from master
- FIPS mode: properly disable 1024 bit DSA key generation
- FIPS mode: skip ED25519 and ED448 algorithms in openssl speed
- FIPS mode: allow AES-CCM ciphersuites
* Tue Nov 19 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-5
- make the code suitable for edk2 build
* Thu Nov 14 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-4
- backport of SSKDF from master
* Wed Nov 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-3
- backport of KBKDF and KRB5KDF from master
* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2
- do not try to use EC groups disallowed in FIPS mode
in TLS
- fix Valgrind regression with constant-time code
* Mon Jun 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-1
- update to the 1.1.1c release