forked from rpms/openssl
import openssl-1.1.1c-12.el8
This commit is contained in:
parent
ecb2952871
commit
ed72945b4b
1434
SOURCES/openssl-1.1.1-arm-update.patch
Normal file
1434
SOURCES/openssl-1.1.1-arm-update.patch
Normal file
File diff suppressed because it is too large
Load Diff
171
SOURCES/openssl-1.1.1-cve-2019-1547.patch
Normal file
171
SOURCES/openssl-1.1.1-cve-2019-1547.patch
Normal file
@ -0,0 +1,171 @@
|
||||
From 30c22fa8b1d840036b8e203585738df62a03cec8 Mon Sep 17 00:00:00 2001
|
||||
From: Billy Brumley <bbrumley@gmail.com>
|
||||
Date: Thu, 5 Sep 2019 21:25:37 +0300
|
||||
Subject: [PATCH] [crypto/ec] for ECC parameters with NULL or zero cofactor,
|
||||
compute it
|
||||
|
||||
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
|
||||
mitigations for ECC currently use it. So the library currently falls
|
||||
back to very old SCA-vulnerable code if the cofactor is not present.
|
||||
|
||||
This PR allows EC_GROUP_set_generator to compute the cofactor for all
|
||||
curves of cryptographic interest. Steering scalar multiplication to more
|
||||
SCA-robust code.
|
||||
|
||||
This issue affects persisted private keys in explicit parameter form,
|
||||
where the (optional) cofactor field is zero or absent.
|
||||
|
||||
It also affects curves not built-in to the library, but constructed
|
||||
programatically with explicit parameters, then calling
|
||||
EC_GROUP_set_generator with a nonsensical value (NULL, zero).
|
||||
|
||||
The very old scalar multiplication code is known to be vulnerable to
|
||||
local uarch attacks, outside of the OpenSSL threat model. New results
|
||||
suggest the code path is also vulnerable to traditional wall clock
|
||||
timing attacks.
|
||||
|
||||
CVE-2019-1547
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
|
||||
(Merged from https://github.com/openssl/openssl/pull/9781)
|
||||
---
|
||||
crypto/ec/ec_lib.c | 103 ++++++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 96 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
|
||||
index 8cab5a5061..1289c8608e 100644
|
||||
--- a/crypto/ec/ec_lib.c
|
||||
+++ b/crypto/ec/ec_lib.c
|
||||
@@ -265,6 +265,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
|
||||
|
||||
static int ec_precompute_mont_data(EC_GROUP *);
|
||||
|
||||
+/*-
|
||||
+ * Try computing cofactor from the generator order (n) and field cardinality (q).
|
||||
+ * This works for all curves of cryptographic interest.
|
||||
+ *
|
||||
+ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
|
||||
+ * h_min = (q + 1 - 2*sqrt(q))/n
|
||||
+ * h_max = (q + 1 + 2*sqrt(q))/n
|
||||
+ * h_max - h_min = 4*sqrt(q)/n
|
||||
+ * So if n > 4*sqrt(q) holds, there is only one possible value for h:
|
||||
+ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
|
||||
+ *
|
||||
+ * Otherwise, zero cofactor and return success.
|
||||
+ */
|
||||
+static int ec_guess_cofactor(EC_GROUP *group) {
|
||||
+ int ret = 0;
|
||||
+ BN_CTX *ctx = NULL;
|
||||
+ BIGNUM *q = NULL;
|
||||
+
|
||||
+ /*-
|
||||
+ * If the cofactor is too large, we cannot guess it.
|
||||
+ * The RHS of below is a strict overestimate of lg(4 * sqrt(q))
|
||||
+ */
|
||||
+ if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
|
||||
+ /* default to 0 */
|
||||
+ BN_zero(group->cofactor);
|
||||
+ /* return success */
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
+ if ((ctx = BN_CTX_new()) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ BN_CTX_start(ctx);
|
||||
+ if ((q = BN_CTX_get(ctx)) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ /* set q = 2**m for binary fields; q = p otherwise */
|
||||
+ if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
|
||||
+ BN_zero(q);
|
||||
+ if (!BN_set_bit(q, BN_num_bits(group->field) - 1))
|
||||
+ goto err;
|
||||
+ } else {
|
||||
+ if (!BN_copy(q, group->field))
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
|
||||
+ if (!BN_rshift1(group->cofactor, group->order) /* n/2 */
|
||||
+ || !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */
|
||||
+ /* q + 1 + n/2 */
|
||||
+ || !BN_add(group->cofactor, group->cofactor, BN_value_one())
|
||||
+ /* (q + 1 + n/2)/n */
|
||||
+ || !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))
|
||||
+ goto err;
|
||||
+ ret = 1;
|
||||
+ err:
|
||||
+ BN_CTX_end(ctx);
|
||||
+ BN_CTX_free(ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||
const BIGNUM *order, const BIGNUM *cofactor)
|
||||
{
|
||||
@@ -273,6 +334,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ /* require group->field >= 1 */
|
||||
+ if (group->field == NULL || BN_is_zero(group->field)
|
||||
+ || BN_is_negative(group->field)) {
|
||||
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /*-
|
||||
+ * - require order >= 1
|
||||
+ * - enforce upper bound due to Hasse thm: order can be no more than one bit
|
||||
+ * longer than field cardinality
|
||||
+ */
|
||||
+ if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
|
||||
+ || BN_num_bits(order) > BN_num_bits(group->field) + 1) {
|
||||
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /*-
|
||||
+ * Unfortunately the cofactor is an optional field in many standards.
|
||||
+ * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
|
||||
+ * So accept cofactor == NULL or cofactor >= 0.
|
||||
+ */
|
||||
+ if (cofactor != NULL && BN_is_negative(cofactor)) {
|
||||
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (group->generator == NULL) {
|
||||
group->generator = EC_POINT_new(group);
|
||||
if (group->generator == NULL)
|
||||
@@ -281,17 +370,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||
if (!EC_POINT_copy(group->generator, generator))
|
||||
return 0;
|
||||
|
||||
- if (order != NULL) {
|
||||
- if (!BN_copy(group->order, order))
|
||||
- return 0;
|
||||
- } else
|
||||
- BN_zero(group->order);
|
||||
+ if (!BN_copy(group->order, order))
|
||||
+ return 0;
|
||||
|
||||
- if (cofactor != NULL) {
|
||||
+ /* Either take the provided positive cofactor, or try to compute it */
|
||||
+ if (cofactor != NULL && !BN_is_zero(cofactor)) {
|
||||
if (!BN_copy(group->cofactor, cofactor))
|
||||
return 0;
|
||||
- } else
|
||||
+ } else if (!ec_guess_cofactor(group)) {
|
||||
BN_zero(group->cofactor);
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Some groups have an order with
|
||||
--
|
||||
2.20.1
|
||||
|
300
SOURCES/openssl-1.1.1-cve-2019-1549.patch
Normal file
300
SOURCES/openssl-1.1.1-cve-2019-1549.patch
Normal file
@ -0,0 +1,300 @@
|
||||
diff -up openssl-1.1.1c/crypto/fips/fips.c.fork-safety openssl-1.1.1c/crypto/fips/fips.c
|
||||
--- openssl-1.1.1c/crypto/fips/fips.c.fork-safety 2019-11-20 11:36:22.343506961 +0100
|
||||
+++ openssl-1.1.1c/crypto/fips/fips.c 2019-11-21 17:44:32.920776849 +0100
|
||||
@@ -472,7 +472,7 @@ int FIPS_module_mode_set(int onoff)
|
||||
|
||||
fips_set_mode(onoff);
|
||||
/* force RNG reseed with entropy from getrandom() on next call */
|
||||
- rand_fork();
|
||||
+ rand_force_reseed();
|
||||
|
||||
ret = 1;
|
||||
goto end;
|
||||
diff -up openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety openssl-1.1.1c/crypto/include/internal/rand_int.h
|
||||
--- openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety 2019-11-20 11:36:22.382506277 +0100
|
||||
+++ openssl-1.1.1c/crypto/include/internal/rand_int.h 2019-11-21 17:45:42.102456672 +0100
|
||||
@@ -24,9 +24,9 @@
|
||||
typedef struct rand_pool_st RAND_POOL;
|
||||
|
||||
void rand_cleanup_int(void);
|
||||
+void rand_force_reseed(void);
|
||||
void rand_drbg_cleanup_int(void);
|
||||
void drbg_delete_thread_state(void);
|
||||
-void rand_fork(void);
|
||||
|
||||
/* Hardware-based seeding functions. */
|
||||
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
|
||||
diff -up openssl-1.1.1c/crypto/init.c.fork-safety openssl-1.1.1c/crypto/init.c
|
||||
--- openssl-1.1.1c/crypto/init.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/crypto/init.c 2019-11-21 17:34:13.478597398 +0100
|
||||
@@ -847,6 +847,5 @@ void OPENSSL_fork_parent(void)
|
||||
|
||||
void OPENSSL_fork_child(void)
|
||||
{
|
||||
- rand_fork();
|
||||
}
|
||||
#endif
|
||||
diff -up openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety openssl-1.1.1c/crypto/rand/drbg_lib.c
|
||||
--- openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety 2019-11-20 11:36:22.383506260 +0100
|
||||
+++ openssl-1.1.1c/crypto/rand/drbg_lib.c 2019-11-21 17:46:37.583397431 +0100
|
||||
@@ -197,7 +197,7 @@ static RAND_DRBG *rand_drbg_new(int secu
|
||||
}
|
||||
|
||||
drbg->secure = secure && CRYPTO_secure_allocated(drbg);
|
||||
- drbg->fork_count = rand_fork_count;
|
||||
+ drbg->fork_id = openssl_get_fork_id();
|
||||
drbg->parent = parent;
|
||||
|
||||
if (parent == NULL) {
|
||||
@@ -583,6 +583,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
|
||||
int prediction_resistance,
|
||||
const unsigned char *adin, size_t adinlen)
|
||||
{
|
||||
+ int fork_id;
|
||||
int reseed_required = 0;
|
||||
|
||||
if (drbg->state != DRBG_READY) {
|
||||
@@ -608,8 +609,10 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if (drbg->fork_count != rand_fork_count) {
|
||||
- drbg->fork_count = rand_fork_count;
|
||||
+ fork_id = openssl_get_fork_id();
|
||||
+
|
||||
+ if (drbg->fork_id != fork_id) {
|
||||
+ drbg->fork_id = fork_id;
|
||||
reseed_required = 1;
|
||||
}
|
||||
|
||||
@@ -1011,6 +1014,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
|
||||
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
|
||||
}
|
||||
|
||||
+void rand_force_reseed(void)
|
||||
+{
|
||||
+ RAND_DRBG *drbg;
|
||||
+
|
||||
+ drbg = RAND_DRBG_get0_master();
|
||||
+ drbg->fork_id = 0;
|
||||
+
|
||||
+ drbg = RAND_DRBG_get0_private();
|
||||
+ drbg->fork_id = 0;
|
||||
+
|
||||
+ drbg = RAND_DRBG_get0_public();
|
||||
+ drbg->fork_id = 0;
|
||||
+}
|
||||
+
|
||||
/* Implements the default OpenSSL RAND_add() method */
|
||||
static int drbg_add(const void *buf, int num, double randomness)
|
||||
{
|
||||
diff -up openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety openssl-1.1.1c/crypto/rand/rand_lcl.h
|
||||
--- openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety 2019-11-20 11:36:22.383506260 +0100
|
||||
+++ openssl-1.1.1c/crypto/rand/rand_lcl.h 2019-11-21 17:34:13.485597265 +0100
|
||||
@@ -176,12 +176,12 @@ struct rand_drbg_st {
|
||||
int secure; /* 1: allocated on the secure heap, 0: otherwise */
|
||||
int type; /* the nid of the underlying algorithm */
|
||||
/*
|
||||
- * Stores the value of the rand_fork_count global as of when we last
|
||||
- * reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
|
||||
- * rand_fork_count. Used to provide fork-safety and reseed this DRBG in
|
||||
- * the child process.
|
||||
+ * Stores the return value of openssl_get_fork_id() as of when we last
|
||||
+ * reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
|
||||
+ * openssl_get_fork_id(). Used to provide fork-safety and reseed this
|
||||
+ * DRBG in the child process.
|
||||
*/
|
||||
- int fork_count;
|
||||
+ int fork_id;
|
||||
unsigned short flags; /* various external flags */
|
||||
|
||||
/*
|
||||
@@ -273,19 +273,6 @@ struct rand_drbg_st {
|
||||
/* The global RAND method, and the global buffer and DRBG instance. */
|
||||
extern RAND_METHOD rand_meth;
|
||||
|
||||
-/*
|
||||
- * A "generation count" of forks. Incremented in the child process after a
|
||||
- * fork. Since rand_fork_count is increment-only, and only ever written to in
|
||||
- * the child process of the fork, which is guaranteed to be single-threaded, no
|
||||
- * locking is needed for normal (read) accesses; the rest of pthread fork
|
||||
- * processing is assumed to introduce the necessary memory barriers. Sibling
|
||||
- * children of a given parent will produce duplicate values, but this is not
|
||||
- * problematic because the reseeding process pulls input from the system CSPRNG
|
||||
- * and/or other global sources, so the siblings will end up generating
|
||||
- * different output streams.
|
||||
- */
|
||||
-extern int rand_fork_count;
|
||||
-
|
||||
/* DRBG helpers */
|
||||
int rand_drbg_restart(RAND_DRBG *drbg,
|
||||
const unsigned char *buffer, size_t len, size_t entropy);
|
||||
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety openssl-1.1.1c/crypto/rand/rand_lib.c
|
||||
--- openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety 2019-11-20 11:36:22.374506418 +0100
|
||||
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-11-21 17:34:13.487597227 +0100
|
||||
@@ -30,8 +30,6 @@ static CRYPTO_RWLOCK *rand_meth_lock;
|
||||
static const RAND_METHOD *default_RAND_meth;
|
||||
static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;
|
||||
|
||||
-int rand_fork_count;
|
||||
-
|
||||
static CRYPTO_RWLOCK *rand_nonce_lock;
|
||||
static int rand_nonce_count;
|
||||
|
||||
@@ -303,11 +301,6 @@ void rand_drbg_cleanup_additional_data(R
|
||||
rand_pool_reattach(pool, out);
|
||||
}
|
||||
|
||||
-void rand_fork(void)
|
||||
-{
|
||||
- rand_fork_count++;
|
||||
-}
|
||||
-
|
||||
DEFINE_RUN_ONCE_STATIC(do_rand_init)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
diff -up openssl-1.1.1c/crypto/threads_none.c.fork-safety openssl-1.1.1c/crypto/threads_none.c
|
||||
--- openssl-1.1.1c/crypto/threads_none.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/crypto/threads_none.c 2019-11-21 17:34:13.489597189 +0100
|
||||
@@ -12,6 +12,11 @@
|
||||
|
||||
#if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG)
|
||||
|
||||
+# if defined(OPENSSL_SYS_UNIX)
|
||||
+# include <sys/types.h>
|
||||
+# include <unistd.h>
|
||||
+# endif
|
||||
+
|
||||
CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
|
||||
{
|
||||
CRYPTO_RWLOCK *lock;
|
||||
@@ -133,4 +138,12 @@ int openssl_init_fork_handlers(void)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+int openssl_get_fork_id(void)
|
||||
+{
|
||||
+# if defined(OPENSSL_SYS_UNIX)
|
||||
+ return getpid();
|
||||
+# else
|
||||
+ return 0;
|
||||
+# endif
|
||||
+}
|
||||
#endif
|
||||
diff -up openssl-1.1.1c/crypto/threads_pthread.c.fork-safety openssl-1.1.1c/crypto/threads_pthread.c
|
||||
--- openssl-1.1.1c/crypto/threads_pthread.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/crypto/threads_pthread.c 2019-11-21 17:34:13.492597131 +0100
|
||||
@@ -12,6 +12,11 @@
|
||||
|
||||
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
|
||||
|
||||
+# if defined(OPENSSL_SYS_UNIX)
|
||||
+# include <sys/types.h>
|
||||
+# include <unistd.h>
|
||||
+#endif
|
||||
+
|
||||
# ifdef PTHREAD_RWLOCK_INITIALIZER
|
||||
# define USE_RWLOCK
|
||||
# endif
|
||||
@@ -193,4 +198,9 @@ int openssl_init_fork_handlers(void)
|
||||
# endif
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+int openssl_get_fork_id(void)
|
||||
+{
|
||||
+ return getpid();
|
||||
+}
|
||||
#endif
|
||||
diff -up openssl-1.1.1c/crypto/threads_win.c.fork-safety openssl-1.1.1c/crypto/threads_win.c
|
||||
--- openssl-1.1.1c/crypto/threads_win.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/crypto/threads_win.c 2019-11-21 17:34:13.495597074 +0100
|
||||
@@ -164,4 +164,8 @@ int openssl_init_fork_handlers(void)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+int openssl_get_fork_id(void)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
#endif
|
||||
diff -up openssl-1.1.1c/include/internal/cryptlib.h.fork-safety openssl-1.1.1c/include/internal/cryptlib.h
|
||||
--- openssl-1.1.1c/include/internal/cryptlib.h.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/include/internal/cryptlib.h 2019-11-21 17:34:13.497597036 +0100
|
||||
@@ -80,6 +80,7 @@ extern unsigned int OPENSSL_ia32cap_P[];
|
||||
void OPENSSL_showfatal(const char *fmta, ...);
|
||||
void crypto_cleanup_all_ex_data_int(void);
|
||||
int openssl_init_fork_handlers(void);
|
||||
+int openssl_get_fork_id(void);
|
||||
|
||||
char *ossl_safe_getenv(const char *name);
|
||||
|
||||
diff -up openssl-1.1.1c/test/drbgtest.c.fork-safety openssl-1.1.1c/test/drbgtest.c
|
||||
--- openssl-1.1.1c/test/drbgtest.c.fork-safety 2019-11-20 11:36:22.384506242 +0100
|
||||
+++ openssl-1.1.1c/test/drbgtest.c 2019-11-21 17:34:13.499596998 +0100
|
||||
@@ -22,6 +22,13 @@
|
||||
# include <windows.h>
|
||||
#endif
|
||||
|
||||
+
|
||||
+#if defined(OPENSSL_SYS_UNIX)
|
||||
+# include <sys/types.h>
|
||||
+# include <sys/wait.h>
|
||||
+# include <unistd.h>
|
||||
+#endif
|
||||
+
|
||||
#include "testutil.h"
|
||||
#include "drbgtest.h"
|
||||
|
||||
@@ -696,6 +703,40 @@ static int test_drbg_reseed(int expect_s
|
||||
return 1;
|
||||
}
|
||||
|
||||
+
|
||||
+#if defined(OPENSSL_SYS_UNIX)
|
||||
+/*
|
||||
+ * Test whether master, public and private DRBG are reseeded after
|
||||
+ * forking the process.
|
||||
+ */
|
||||
+static int test_drbg_reseed_after_fork(RAND_DRBG *master,
|
||||
+ RAND_DRBG *public,
|
||||
+ RAND_DRBG *private)
|
||||
+{
|
||||
+ pid_t pid;
|
||||
+ int status=0;
|
||||
+
|
||||
+ pid = fork();
|
||||
+ if (!TEST_int_ge(pid, 0))
|
||||
+ return 0;
|
||||
+
|
||||
+ if (pid > 0) {
|
||||
+ /* I'm the parent; wait for the child and check its exit code */
|
||||
+ return TEST_int_eq(waitpid(pid, &status, 0), pid) && TEST_int_eq(status, 0);
|
||||
+ }
|
||||
+
|
||||
+ /* I'm the child; check whether all three DRBGs reseed. */
|
||||
+ if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)))
|
||||
+ status = 1;
|
||||
+
|
||||
+ /* Remove hooks */
|
||||
+ unhook_drbg(master);
|
||||
+ unhook_drbg(public);
|
||||
+ unhook_drbg(private);
|
||||
+ exit(status);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* Test whether the default rand_method (RAND_OpenSSL()) is
|
||||
* setup correctly, in particular whether reseeding works
|
||||
@@ -786,6 +827,10 @@ static int test_rand_drbg_reseed(void)
|
||||
goto error;
|
||||
reset_drbg_hook_ctx();
|
||||
|
||||
+#if defined(OPENSSL_SYS_UNIX)
|
||||
+ if (!TEST_true(test_drbg_reseed_after_fork(master, public, private)))
|
||||
+ goto error;
|
||||
+#endif
|
||||
|
||||
/* fill 'randomness' buffer with some arbitrary data */
|
||||
memset(rand_add_buf, 'r', sizeof(rand_add_buf));
|
147
SOURCES/openssl-1.1.1-cve-2019-1563.patch
Normal file
147
SOURCES/openssl-1.1.1-cve-2019-1563.patch
Normal file
@ -0,0 +1,147 @@
|
||||
From 08229ad838c50f644d7e928e2eef147b4308ad64 Mon Sep 17 00:00:00 2001
|
||||
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
||||
Date: Sun, 1 Sep 2019 00:16:28 +0200
|
||||
Subject: [PATCH] Fix a padding oracle in PKCS7_dataDecode and
|
||||
CMS_decrypt_set1_pkey
|
||||
|
||||
An attack is simple, if the first CMS_recipientInfo is valid but the
|
||||
second CMS_recipientInfo is chosen ciphertext. If the second
|
||||
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
|
||||
encryption key will be replaced by garbage, and the message cannot be
|
||||
decoded, but if the RSA decryption fails, the correct encryption key is
|
||||
used and the recipient will not notice the attack.
|
||||
|
||||
As a work around for this potential attack the length of the decrypted
|
||||
key must be equal to the cipher default key length, in case the
|
||||
certifiate is not given and all recipientInfo are tried out.
|
||||
|
||||
The old behaviour can be re-enabled in the CMS code by setting the
|
||||
CMS_DEBUG_DECRYPT flag.
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/9777)
|
||||
|
||||
(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
|
||||
---
|
||||
crypto/cms/cms_env.c | 18 +++++++++++++++++-
|
||||
crypto/cms/cms_lcl.h | 2 ++
|
||||
crypto/cms/cms_smime.c | 4 ++++
|
||||
crypto/pkcs7/pk7_doit.c | 12 ++++++++----
|
||||
5 files changed, 45 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
|
||||
index bb95af75e3..25df1c40b1 100644
|
||||
--- a/crypto/cms/cms_env.c
|
||||
+++ b/crypto/cms/cms_env.c
|
||||
@@ -363,6 +363,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
|
||||
unsigned char *ek = NULL;
|
||||
size_t eklen;
|
||||
int ret = 0;
|
||||
+ size_t fixlen = 0;
|
||||
CMS_EncryptedContentInfo *ec;
|
||||
ec = cms->d.envelopedData->encryptedContentInfo;
|
||||
|
||||
@@ -371,6 +372,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (cms->d.envelopedData->encryptedContentInfo->havenocert
|
||||
+ && !cms->d.envelopedData->encryptedContentInfo->debug) {
|
||||
+ X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
|
||||
+ const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
|
||||
+
|
||||
+ if (ciph == NULL) {
|
||||
+ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ fixlen = EVP_CIPHER_key_length(ciph);
|
||||
+ }
|
||||
+
|
||||
ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
|
||||
if (ktri->pctx == NULL)
|
||||
return 0;
|
||||
@@ -401,7 +415,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
|
||||
|
||||
if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
|
||||
ktri->encryptedKey->data,
|
||||
- ktri->encryptedKey->length) <= 0) {
|
||||
+ ktri->encryptedKey->length) <= 0
|
||||
+ || eklen == 0
|
||||
+ || (fixlen != 0 && eklen != fixlen)) {
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
|
||||
goto err;
|
||||
}
|
||||
diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h
|
||||
index b5c06b7f6c..8eddb02493 100644
|
||||
--- a/crypto/cms/cms_lcl.h
|
||||
+++ b/crypto/cms/cms_lcl.h
|
||||
@@ -125,6 +125,8 @@ struct CMS_EncryptedContentInfo_st {
|
||||
size_t keylen;
|
||||
/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
|
||||
int debug;
|
||||
+ /* Set to 1 if we have no cert and need extra safety measures for MMA */
|
||||
+ int havenocert;
|
||||
};
|
||||
|
||||
struct CMS_RecipientInfo_st {
|
||||
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
|
||||
index 5dcf803f4b..3a26108b8c 100644
|
||||
--- a/crypto/cms/cms_smime.c
|
||||
+++ b/crypto/cms/cms_smime.c
|
||||
@@ -743,6 +743,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
|
||||
cms->d.envelopedData->encryptedContentInfo->debug = 1;
|
||||
else
|
||||
cms->d.envelopedData->encryptedContentInfo->debug = 0;
|
||||
+ if (!cert)
|
||||
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
|
||||
+ else
|
||||
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
|
||||
if (!pk && !cert && !dcont && !out)
|
||||
return 1;
|
||||
if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
|
||||
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
|
||||
index ee08e602a1..15a6160cfe 100644
|
||||
--- a/crypto/pkcs7/pk7_doit.c
|
||||
+++ b/crypto/pkcs7/pk7_doit.c
|
||||
@@ -137,7 +137,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
|
||||
}
|
||||
|
||||
static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
|
||||
- PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
|
||||
+ PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
|
||||
+ size_t fixlen)
|
||||
{
|
||||
EVP_PKEY_CTX *pctx = NULL;
|
||||
unsigned char *ek = NULL;
|
||||
@@ -170,7 +171,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
|
||||
}
|
||||
|
||||
if (EVP_PKEY_decrypt(pctx, ek, &eklen,
|
||||
- ri->enc_key->data, ri->enc_key->length) <= 0) {
|
||||
+ ri->enc_key->data, ri->enc_key->length) <= 0
|
||||
+ || eklen == 0
|
||||
+ || (fixlen != 0 && eklen != fixlen)) {
|
||||
ret = 0;
|
||||
PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
|
||||
goto err;
|
||||
@@ -499,13 +502,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
|
||||
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
|
||||
ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
|
||||
|
||||
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
|
||||
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
|
||||
+ EVP_CIPHER_key_length(evp_cipher)) < 0)
|
||||
goto err;
|
||||
ERR_clear_error();
|
||||
}
|
||||
} else {
|
||||
/* Only exit on fatal errors, not decrypt failure */
|
||||
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
|
||||
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
|
||||
goto err;
|
||||
ERR_clear_error();
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
68
SOURCES/openssl-1.1.1-edk2-build.patch
Normal file
68
SOURCES/openssl-1.1.1-edk2-build.patch
Normal file
@ -0,0 +1,68 @@
|
||||
diff -up openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1c/crypto/evp/pkey_kdf.c
|
||||
--- openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build 2019-11-14 16:25:09.437914854 +0100
|
||||
+++ openssl-1.1.1c/crypto/evp/pkey_kdf.c 2019-11-15 14:52:40.216905772 +0100
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/kdf.h>
|
||||
+#include "internal/numbers.h"
|
||||
#include "internal/evp_int.h"
|
||||
|
||||
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
|
||||
diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build openssl-1.1.1c/crypto/include/internal/fips_int.h
|
||||
--- openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build 2019-11-14 16:25:09.430914981 +0100
|
||||
+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-11-15 14:48:02.489936610 +0100
|
||||
@@ -50,10 +50,6 @@
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
-#ifndef OPENSSL_FIPS
|
||||
-# error FIPS is disabled.
|
||||
-#endif
|
||||
-
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
||||
int FIPS_module_mode_set(int onoff);
|
||||
@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
|
||||
|
||||
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
|
||||
|
||||
+#else
|
||||
+
|
||||
+# define fips_in_post() 0
|
||||
+
|
||||
#endif
|
||||
diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/hkdf.c
|
||||
--- openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build 2019-11-14 16:25:09.438914836 +0100
|
||||
+++ openssl-1.1.1c/crypto/kdf/hkdf.c 2019-11-15 14:48:53.360015134 +0100
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/kdf.h>
|
||||
+#include "internal/numbers.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "internal/evp_int.h"
|
||||
#include "kdf_local.h"
|
||||
diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/sshkdf.c
|
||||
--- openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build 2019-11-14 16:25:09.452914583 +0100
|
||||
+++ openssl-1.1.1c/crypto/kdf/sshkdf.c 2019-11-15 14:53:14.769279878 +0100
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/kdf.h>
|
||||
+#include "internal/numbers.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "internal/evp_int.h"
|
||||
#include "kdf_local.h"
|
||||
diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1c/crypto/rand/rand_unix.c
|
||||
--- openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build 2019-11-14 16:25:09.430914981 +0100
|
||||
+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-11-15 14:51:41.634966941 +0100
|
||||
@@ -19,7 +19,7 @@
|
||||
#include "internal/fips_int.h"
|
||||
#include <stdio.h>
|
||||
#include "internal/dso.h"
|
||||
-#if defined(__linux)
|
||||
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
|
||||
# include <sys/syscall.h>
|
||||
# include <sys/random.h>
|
||||
#endif
|
212
SOURCES/openssl-1.1.1-fips-curves.patch
Normal file
212
SOURCES/openssl-1.1.1-fips-curves.patch
Normal file
@ -0,0 +1,212 @@
|
||||
diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1c/crypto/ec/ec_curve.c
|
||||
--- openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves 2019-11-25 13:18:40.719532357 +0100
|
||||
+++ openssl-1.1.1c/crypto/ec/ec_curve.c 2019-11-25 13:18:40.765531559 +0100
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
+#include <openssl/crypto.h>
|
||||
#include "internal/nelem.h"
|
||||
|
||||
typedef struct {
|
||||
@@ -237,6 +238,7 @@ static const struct {
|
||||
|
||||
typedef struct _ec_list_element_st {
|
||||
int nid;
|
||||
+ int fips_allowed;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_METHOD *(*meth) (void);
|
||||
const char *comment;
|
||||
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#else
|
||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#endif
|
||||
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
"SECG curve over a 256 bit prime field"},
|
||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp384_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 384 bit prime field"},
|
||||
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp521_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
|
||||
# endif
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
/* X9.62 curves */
|
||||
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
|
||||
#if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
# elif defined(S390X_EC_ASM)
|
||||
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||
|
||||
for (i = 0; i < curve_list_length; i++)
|
||||
if (curve_list[i].nid == nid) {
|
||||
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
|
||||
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
|
||||
+ return NULL;
|
||||
+ }
|
||||
ret = ec_group_new_from_data(curve_list[i]);
|
||||
break;
|
||||
}
|
||||
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||
|
||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||
{
|
||||
- size_t i, min;
|
||||
+ size_t i, j, num;
|
||||
+ int fips_mode = FIPS_mode();
|
||||
|
||||
- if (r == NULL || nitems == 0)
|
||||
- return curve_list_length;
|
||||
+ num = curve_list_length;
|
||||
+ if (fips_mode)
|
||||
+ for (i = 0; i < curve_list_length; i++) {
|
||||
+ if (!curve_list[i].fips_allowed)
|
||||
+ --num;
|
||||
+ }
|
||||
|
||||
- min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||
+ if (r == NULL || nitems == 0) {
|
||||
+ return num;
|
||||
+ }
|
||||
|
||||
- for (i = 0; i < min; i++) {
|
||||
- r[i].nid = curve_list[i].nid;
|
||||
- r[i].comment = curve_list[i].comment;
|
||||
+ for (i = 0, j = 0; i < curve_list_length; i++) {
|
||||
+ if (j >= nitems)
|
||||
+ break;
|
||||
+ if (!fips_mode || curve_list[i].fips_allowed) {
|
||||
+ r[j].nid = curve_list[i].nid;
|
||||
+ r[j].comment = curve_list[i].comment;
|
||||
+ ++j;
|
||||
+ }
|
||||
}
|
||||
|
||||
- return curve_list_length;
|
||||
+ return num;
|
||||
}
|
||||
|
||||
/* Functions to translate between common NIST curve names and NIDs */
|
||||
diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
|
||||
--- openssl-1.1.1c/ssl/t1_lib.c.fips-curves 2019-11-25 13:18:40.658533416 +0100
|
||||
+++ openssl-1.1.1c/ssl/t1_lib.c 2019-11-26 17:57:15.014742428 +0100
|
||||
@@ -20,6 +20,7 @@
|
||||
#include "internal/nelem.h"
|
||||
#include "ssl_locl.h"
|
||||
#include <openssl/ct.h>
|
||||
+#include <openssl/crypto.h>
|
||||
|
||||
SSL3_ENC_METHOD const TLSv1_enc_data = {
|
||||
tls1_enc,
|
||||
@@ -676,6 +677,36 @@ static const uint16_t tls12_sigalgs[] =
|
||||
#endif
|
||||
};
|
||||
|
||||
+static const uint16_t tls12_fips_sigalgs[] = {
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
|
||||
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
|
||||
+#endif
|
||||
+
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
|
||||
+
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
|
||||
+
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ TLSEXT_SIGALG_ecdsa_sha224,
|
||||
+#endif
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
|
||||
+#ifndef OPENSSL_NO_DSA
|
||||
+ TLSEXT_SIGALG_dsa_sha224,
|
||||
+ TLSEXT_SIGALG_dsa_sha256,
|
||||
+ TLSEXT_SIGALG_dsa_sha384,
|
||||
+ TLSEXT_SIGALG_dsa_sha512,
|
||||
+#endif
|
||||
+};
|
||||
+
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static const uint16_t suiteb_sigalgs[] = {
|
||||
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||
@@ -890,8 +921,11 @@ static const SIGALG_LOOKUP *tls1_get_leg
|
||||
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
|
||||
return NULL;
|
||||
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
|
||||
- const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
||||
+ const SIGALG_LOOKUP *lu;
|
||||
|
||||
+ if (FIPS_mode()) /* We do not allow SHA1 signatures in FIPS mode */
|
||||
+ return NULL;
|
||||
+ lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
||||
if (!tls1_lookup_md(lu, NULL))
|
||||
return NULL;
|
||||
return lu;
|
||||
@@ -945,6 +979,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
|
||||
} else if (s->cert->conf_sigalgs) {
|
||||
*psigs = s->cert->conf_sigalgs;
|
||||
return s->cert->conf_sigalgslen;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ *psigs = tls12_fips_sigalgs;
|
||||
+ return OSSL_NELEM(tls12_fips_sigalgs);
|
||||
} else {
|
||||
*psigs = tls12_sigalgs;
|
||||
return OSSL_NELEM(tls12_sigalgs);
|
||||
@@ -964,6 +1001,9 @@ int tls_check_sigalg_curve(const SSL *s,
|
||||
if (s->cert->conf_sigalgs) {
|
||||
sigs = s->cert->conf_sigalgs;
|
||||
siglen = s->cert->conf_sigalgslen;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ sigs = tls12_fips_sigalgs;
|
||||
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
|
||||
} else {
|
||||
sigs = tls12_sigalgs;
|
||||
siglen = OSSL_NELEM(tls12_sigalgs);
|
||||
@@ -1582,6 +1622,8 @@ static int tls12_sigalg_allowed(SSL *s,
|
||||
if (lu->sig == NID_id_GostR3410_2012_256
|
||||
|| lu->sig == NID_id_GostR3410_2012_512
|
||||
|| lu->sig == NID_id_GostR3410_2001) {
|
||||
+ if (FIPS_mode())
|
||||
+ return 0;
|
||||
/* We never allow GOST sig algs on the server with TLSv1.3 */
|
||||
if (s->server && SSL_IS_TLS13(s))
|
||||
return 0;
|
||||
@@ -2720,6 +2762,13 @@ int tls_choose_sigalg(SSL *s, int fatale
|
||||
const uint16_t *sent_sigs;
|
||||
size_t sent_sigslen;
|
||||
|
||||
+ if (fatalerrs && FIPS_mode()) {
|
||||
+ /* There are no suitable legacy algorithms in FIPS mode */
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
+ SSL_F_TLS_CHOOSE_SIGALG,
|
||||
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
|
||||
+ return 0;
|
||||
+ }
|
||||
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
|
||||
if (!fatalerrs)
|
||||
return 1;
|
@ -60,7 +60,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
|
||||
eddsa_doit[i] = 2;
|
||||
continue;
|
||||
}
|
||||
@@ -1734,23 +1739,30 @@ int speed_main(int argc, char **argv)
|
||||
@@ -1734,23 +1739,31 @@ int speed_main(int argc, char **argv)
|
||||
/* No parameters; turn on everything. */
|
||||
if ((argc == 0) && !doit[D_EVP]) {
|
||||
for (i = 0; i < ALGOR_NUM; i++)
|
||||
@ -87,9 +87,11 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
|
||||
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
|
||||
ecdsa_doit[loop] = 1;
|
||||
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
|
||||
ecdh_doit[loop] = 1;
|
||||
- ecdh_doit[loop] = 1;
|
||||
- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
|
||||
- eddsa_doit[loop] = 1;
|
||||
+ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
|
||||
+ ecdh_doit[loop] = 1;
|
||||
+ if (!FIPS_mode())
|
||||
+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
|
||||
+ eddsa_doit[loop] = 1;
|
||||
@ -459,7 +461,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (FIPS_mode() && (L != 1024 || N != 160) &&
|
||||
+ if (FIPS_mode() &&
|
||||
+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
|
||||
+ (L != 3072 || N != 256)) {
|
||||
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
|
||||
@ -11546,6 +11548,108 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope
|
||||
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
|
||||
# define RSA_R_VALUE_MISSING 147
|
||||
# define RSA_R_WRONG_SIGNATURE_LENGTH 119
|
||||
diff -up openssl-1.1.1c/ssl/s3_lib.c.fips openssl-1.1.1c/ssl/s3_lib.c
|
||||
--- openssl-1.1.1c/ssl/s3_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/ssl/s3_lib.c 2019-11-20 12:00:32.770173240 +0100
|
||||
@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||
0, 0,
|
||||
- SSL_HIGH,
|
||||
+ SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256,
|
||||
128,
|
||||
128,
|
||||
@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||
0, 0,
|
||||
- SSL_HIGH,
|
||||
+ SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA384,
|
||||
256,
|
||||
256,
|
||||
@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||
0, 0,
|
||||
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256,
|
||||
128,
|
||||
128,
|
||||
@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||
128,
|
||||
128,
|
||||
@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||
256,
|
||||
256,
|
||||
@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||
128,
|
||||
128,
|
||||
@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||
256,
|
||||
256,
|
||||
@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||
128,
|
||||
128,
|
||||
@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||
256,
|
||||
256,
|
||||
@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||
128,
|
||||
128,
|
||||
@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_AEAD,
|
||||
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||
256,
|
||||
256,
|
||||
diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c
|
||||
--- openssl-1.1.1b/ssl/ssl_ciph.c.fips 2019-02-28 11:30:06.776746228 +0100
|
||||
+++ openssl-1.1.1b/ssl/ssl_ciph.c 2019-02-28 11:30:06.822745372 +0100
|
||||
@ -11673,6 +11777,45 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c
|
||||
}
|
||||
|
||||
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
|
||||
diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h
|
||||
--- openssl-1.1.1c/ssl/ssl_locl.h.fips 2019-06-03 16:44:58.963560101 +0200
|
||||
+++ openssl-1.1.1c/ssl/ssl_locl.h 2019-06-24 14:43:19.547353076 +0200
|
||||
@@ -1507,6 +1507,7 @@ typedef struct tls_group_info_st {
|
||||
# define TLS_CURVE_PRIME 0x0
|
||||
# define TLS_CURVE_CHAR2 0x1
|
||||
# define TLS_CURVE_CUSTOM 0x2
|
||||
+# define TLS_CURVE_FIPS 0x80
|
||||
|
||||
typedef struct cert_pkey_st CERT_PKEY;
|
||||
|
||||
diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c
|
||||
--- openssl-1.1.1c/ssl/t1_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/ssl/t1_lib.c 2019-06-24 14:49:00.638576235 +0200
|
||||
@@ -156,11 +156,11 @@ static const TLS_GROUP_INFO nid_list[] =
|
||||
{NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
|
||||
{NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
|
||||
{NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
|
||||
- {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
|
||||
+ {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
|
||||
{NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
|
||||
- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
|
||||
- {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
|
||||
- {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
|
||||
+ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
|
||||
+ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
|
||||
+ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
|
||||
{NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
|
||||
{NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
|
||||
{NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
|
||||
@@ -255,6 +255,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
|
||||
if (cinfo->flags & TLS_CURVE_CHAR2)
|
||||
return 0;
|
||||
# endif
|
||||
+ if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
|
||||
+ return 0;
|
||||
ctmp[0] = curve >> 8;
|
||||
ctmp[1] = curve & 0xff;
|
||||
return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
|
||||
diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c
|
||||
--- openssl-1.1.1b/test/dsatest.c.fips 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/test/dsatest.c 2019-02-28 11:30:06.824745335 +0100
|
||||
|
3022
SOURCES/openssl-1.1.1-krb5-kdf.patch
Normal file
3022
SOURCES/openssl-1.1.1-krb5-kdf.patch
Normal file
File diff suppressed because it is too large
Load Diff
2327
SOURCES/openssl-1.1.1-s390x-ecc.patch
Normal file
2327
SOURCES/openssl-1.1.1-s390x-ecc.patch
Normal file
File diff suppressed because it is too large
Load Diff
26
SOURCES/openssl-1.1.1-tls-compliance.patch
Normal file
26
SOURCES/openssl-1.1.1-tls-compliance.patch
Normal file
@ -0,0 +1,26 @@
|
||||
diff -up openssl-1.1.1c/ssl/record/ssl3_record.c.compliance openssl-1.1.1c/ssl/record/ssl3_record.c
|
||||
--- openssl-1.1.1c/ssl/record/ssl3_record.c.compliance 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/ssl/record/ssl3_record.c 2019-11-25 13:10:53.890637381 +0100
|
||||
@@ -559,7 +559,7 @@ int ssl3_get_record(SSL *s)
|
||||
RECORD_LAYER_reset_read_sequence(&s->rlayer);
|
||||
return 1;
|
||||
}
|
||||
- SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
|
||||
+ SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
|
||||
SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
|
||||
return -1;
|
||||
}
|
||||
diff -up openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance openssl-1.1.1c/ssl/statem/extensions_srvr.c
|
||||
--- openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/ssl/statem/extensions_srvr.c 2019-11-25 13:12:59.329459528 +0100
|
||||
@@ -1487,6 +1487,10 @@ EXT_RETURN tls_construct_stoc_status_req
|
||||
unsigned int context, X509 *x,
|
||||
size_t chainidx)
|
||||
{
|
||||
+ /* We don't currently support this extension inside a CertificateRequest */
|
||||
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
|
||||
+ return EXT_RETURN_NOT_SENT;
|
||||
+
|
||||
if (!s->ext.status_expected)
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
@ -444,3 +444,91 @@ index fa19e7d80d..56e323f5bc 100644
|
||||
--
|
||||
2.20.1
|
||||
|
||||
diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h
|
||||
--- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200
|
||||
@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan
|
||||
return constant_time_eq_8((unsigned)(a), (unsigned)(b));
|
||||
}
|
||||
|
||||
+/* Returns the value unmodified, but avoids optimizations. */
|
||||
+static ossl_inline unsigned int value_barrier(unsigned int a)
|
||||
+{
|
||||
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
|
||||
+ unsigned int r;
|
||||
+ __asm__("" : "=r"(r) : "0"(a));
|
||||
+#else
|
||||
+ volatile unsigned int r = a;
|
||||
+#endif
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
+/* Convenience method for uint32_t. */
|
||||
+static ossl_inline uint32_t value_barrier_32(uint32_t a)
|
||||
+{
|
||||
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
|
||||
+ uint32_t r;
|
||||
+ __asm__("" : "=r"(r) : "0"(a));
|
||||
+#else
|
||||
+ volatile uint32_t r = a;
|
||||
+#endif
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
+/* Convenience method for uint64_t. */
|
||||
+static ossl_inline uint64_t value_barrier_64(uint64_t a)
|
||||
+{
|
||||
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
|
||||
+ uint64_t r;
|
||||
+ __asm__("" : "=r"(r) : "0"(a));
|
||||
+#else
|
||||
+ volatile uint64_t r = a;
|
||||
+#endif
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
+/* Convenience method for size_t. */
|
||||
+static ossl_inline size_t value_barrier_s(size_t a)
|
||||
+{
|
||||
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
|
||||
+ size_t r;
|
||||
+ __asm__("" : "=r"(r) : "0"(a));
|
||||
+#else
|
||||
+ volatile size_t r = a;
|
||||
+#endif
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
static ossl_inline unsigned int constant_time_select(unsigned int mask,
|
||||
unsigned int a,
|
||||
unsigned int b)
|
||||
{
|
||||
- return (mask & a) | (~mask & b);
|
||||
+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
|
||||
}
|
||||
|
||||
static ossl_inline size_t constant_time_select_s(size_t mask,
|
||||
size_t a,
|
||||
size_t b)
|
||||
{
|
||||
- return (mask & a) | (~mask & b);
|
||||
+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
|
||||
}
|
||||
|
||||
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
|
||||
@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel
|
||||
static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
|
||||
uint32_t b)
|
||||
{
|
||||
- return (mask & a) | (~mask & b);
|
||||
+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
|
||||
}
|
||||
|
||||
static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
|
||||
uint64_t b)
|
||||
{
|
||||
- return (mask & a) | (~mask & b);
|
||||
+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -22,7 +22,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1c
|
||||
Release: 1%{?dist}
|
||||
Release: 12%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -62,11 +62,20 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch
|
||||
Patch48: openssl-1.1.1-fips-post-rand.patch
|
||||
Patch49: openssl-1.1.1-evp-kdf.patch
|
||||
Patch50: openssl-1.1.1-ssh-kdf.patch
|
||||
Patch60: openssl-1.1.1-krb5-kdf.patch
|
||||
Patch61: openssl-1.1.1-edk2-build.patch
|
||||
Patch62: openssl-1.1.1-fips-curves.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch51: openssl-1.1.1-upstream-sync.patch
|
||||
Patch52: openssl-1.1.1-s390x-update.patch
|
||||
Patch53: openssl-1.1.1-fips-crng-test.patch
|
||||
Patch54: openssl-1.1.1-regression-fixes.patch
|
||||
Patch55: openssl-1.1.1-arm-update.patch
|
||||
Patch56: openssl-1.1.1-s390x-ecc.patch
|
||||
Patch57: openssl-1.1.1-cve-2019-1547.patch
|
||||
Patch58: openssl-1.1.1-cve-2019-1563.patch
|
||||
Patch59: openssl-1.1.1-cve-2019-1549.patch
|
||||
Patch63: openssl-1.1.1-tls-compliance.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -177,7 +186,15 @@ cp %{SOURCE13} test/
|
||||
%patch52 -p1 -b .s390x-update
|
||||
%patch53 -p1 -b .crng-test
|
||||
%patch54 -p1 -b .regression
|
||||
|
||||
%patch55 -p1 -b .arm-update
|
||||
%patch56 -p1 -b .s390x-ecc
|
||||
%patch57 -p1 -b .compute-cofactor
|
||||
%patch58 -p1 -b .cms-padding-oracle
|
||||
%patch59 -p1 -b .fork-safety
|
||||
%patch60 -p1 -b .krb5-kdf
|
||||
%patch61 -p1 -b .edk2-build
|
||||
%patch62 -p1 -b .fips-curves
|
||||
%patch63 -p1 -b .compliance
|
||||
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
@ -461,6 +478,42 @@ export LD_LIBRARY_PATH
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Wed Dec 4 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-12
|
||||
- additional fix for the edk2 build
|
||||
|
||||
* Tue Nov 26 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-9
|
||||
- disallow use of SHA-1 signatures in TLS in FIPS mode
|
||||
|
||||
* Mon Nov 25 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-8
|
||||
- fix CVE-2019-1547 - side-channel weak encryption vulnerability
|
||||
- fix CVE-2019-1563 - padding oracle in CMS API
|
||||
- fix CVE-2019-1549 - ensure fork safety of the DRBG
|
||||
- fix handling of non-FIPS allowed EC curves in FIPS mode
|
||||
- fix TLS compliance issues
|
||||
|
||||
* Thu Nov 21 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-7
|
||||
- backported ARM performance fixes from master
|
||||
|
||||
* Wed Nov 20 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6
|
||||
- backport of S390x ECC CPACF enhancements from master
|
||||
- FIPS mode: properly disable 1024 bit DSA key generation
|
||||
- FIPS mode: skip ED25519 and ED448 algorithms in openssl speed
|
||||
- FIPS mode: allow AES-CCM ciphersuites
|
||||
|
||||
* Tue Nov 19 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-5
|
||||
- make the code suitable for edk2 build
|
||||
|
||||
* Thu Nov 14 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-4
|
||||
- backport of SSKDF from master
|
||||
|
||||
* Wed Nov 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-3
|
||||
- backport of KBKDF and KRB5KDF from master
|
||||
|
||||
* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2
|
||||
- do not try to use EC groups disallowed in FIPS mode
|
||||
in TLS
|
||||
- fix Valgrind regression with constant-time code
|
||||
|
||||
* Mon Jun 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-1
|
||||
- update to the 1.1.1c release
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user