From 1a293f5165136bf757ba7adeb52e955ec09c2692 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Thu, 2 Jun 2022 17:14:09 -0400 Subject: [PATCH] import compat-openssl11-1.1.1k-4.el9_0 --- SOURCES/openssl-1.1.1-cve-2022-0778.patch | 179 +++++++++++++++++++ SOURCES/openssl-1.1.1-disable-fips.patch | 125 +++++++++++++ SOURCES/openssl-1.1.1-version-override.patch | 12 -- SPECS/compat-openssl11.spec | 19 +- 4 files changed, 319 insertions(+), 16 deletions(-) create mode 100644 SOURCES/openssl-1.1.1-cve-2022-0778.patch create mode 100644 SOURCES/openssl-1.1.1-disable-fips.patch delete mode 100644 SOURCES/openssl-1.1.1-version-override.patch diff --git a/SOURCES/openssl-1.1.1-cve-2022-0778.patch b/SOURCES/openssl-1.1.1-cve-2022-0778.patch new file mode 100644 index 0000000..d8649f4 --- /dev/null +++ b/SOURCES/openssl-1.1.1-cve-2022-0778.patch @@ -0,0 +1,179 @@ +From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:21 +0100 +Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt() + +The calculation in some cases does not finish for non-prime p. + +This fixes CVE-2022-0778. + +Based on patch by David Benjamin . + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c +index 1723d5ded5a8..53b0f559855c 100644 +--- a/crypto/bn/bn_sqrt.c ++++ b/crypto/bn/bn_sqrt.c +@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + /* + * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks + * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number +- * Theory", algorithm 1.5.1). 'p' must be prime! ++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or ++ * an incorrect "result" will be returned. + */ + { + BIGNUM *ret = in; +@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + goto vrfy; + } + +- /* find smallest i such that b^(2^i) = 1 */ +- i = 1; +- if (!BN_mod_sqr(t, b, p, ctx)) +- goto end; +- while (!BN_is_one(t)) { +- i++; +- if (i == e) { +- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); +- goto end; ++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ ++ for (i = 1; i < e; i++) { ++ if (i == 1) { ++ if (!BN_mod_sqr(t, b, p, ctx)) ++ goto end; ++ ++ } else { ++ if (!BN_mod_mul(t, t, t, p, ctx)) ++ goto end; + } +- if (!BN_mod_mul(t, t, t, p, ctx)) +- goto end; ++ if (BN_is_one(t)) ++ break; ++ } ++ /* If not found, a is not a square or p is not prime. */ ++ if (i >= e) { ++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); ++ goto end; + } + + /* t := y^2^(e - i - 1) */ +From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:30 +0100 +Subject: [PATCH] Add documentation of BN_mod_sqrt() + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + doc/man3/BN_add.pod | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod +index dccd4790ede7..1f5e37a4d183 100644 +--- a/doc/man3/BN_add.pod ++++ b/doc/man3/BN_add.pod +@@ -3,7 +3,7 @@ + =head1 NAME + + BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, +-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd - ++BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd - + arithmetic operations on BIGNUMs + + =head1 SYNOPSIS +@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs + + int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); + ++ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); ++ + int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx); + + int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, +@@ -87,6 +89,12 @@ L. + BN_mod_sqr() takes the square of I modulo B and places the + result in I. + ++BN_mod_sqrt() returns the modular square root of I such that ++C. The modulus I

must be a ++prime, otherwise an error or an incorrect "result" will be returned. ++The result is stored into I which can be NULL. The result will be ++newly allocated in that case. ++ + BN_exp() raises I to the I

-th power and places the result in I + (C). This function is faster than repeated applications of + BN_mul(). +@@ -108,7 +116,10 @@ the arguments. + + =head1 RETURN VALUES + +-For all functions, 1 is returned for success, 0 on error. The return ++The BN_mod_sqrt() returns the result (possibly incorrect if I

is ++not a prime), or NULL. ++ ++For all remaining functions, 1 is returned for success, 0 on error. The return + value should always be checked (e.g., C). + The error codes can be obtained by L. + +From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:35 +0100 +Subject: [PATCH] Add a negative testcase for BN_mod_sqrt + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + test/bntest.c | 11 ++++++++++- + test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/test/bntest.c b/test/bntest.c +index 390dd800733e..1cab660bcafb 100644 +--- a/test/bntest.c ++++ b/test/bntest.c +@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s) + || !TEST_ptr(ret2 = BN_new())) + goto err; + ++ if (BN_is_negative(mod_sqrt)) { ++ /* A negative testcase */ ++ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx))) ++ goto err; ++ ++ st = 1; ++ goto err; ++ } ++ + /* There are two possible answers. */ +- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx)) ++ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx)) + || !TEST_true(BN_sub(ret2, p, ret))) + goto err; + +diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt +index 5ea4d031f271..e28cc6bfb02e 100644 +--- a/test/recipes/10-test_bn_data/bnmod.txt ++++ b/test/recipes/10-test_bn_data/bnmod.txt +@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f + ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186 + A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81 + P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f ++ ++# Negative testcases for BN_mod_sqrt() ++ ++# This one triggers an infinite loop with unfixed implementation ++# It should just fail. ++ModSqrt = -1 ++A = 20a7ee ++P = 460201 ++ ++ModSqrt = -1 ++A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed ++P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f diff --git a/SOURCES/openssl-1.1.1-disable-fips.patch b/SOURCES/openssl-1.1.1-disable-fips.patch new file mode 100644 index 0000000..39c3b2b --- /dev/null +++ b/SOURCES/openssl-1.1.1-disable-fips.patch @@ -0,0 +1,125 @@ +Disable FIPS mode + +FIPS mode is not supported for compat-openssl11. Apply a minimal patch +that will reject explicit enabling of FIPS mode and disable automatic +activation of FIPS mode. + +To avoid regressions, keep the rest of the library as it was. + +diff -up openssl-1.1.1k/crypto/fips/fips.c.disable-fips openssl-1.1.1k/crypto/fips/fips.c +--- openssl-1.1.1k/crypto/fips/fips.c.disable-fips 2022-05-30 17:05:28.604500582 +0200 ++++ openssl-1.1.1k/crypto/fips/fips.c 2022-05-30 17:09:46.129110042 +0200 +@@ -405,13 +405,8 @@ static int verify_checksums(void) + + int FIPS_module_installed(void) + { +- int rv; +- rv = access(FIPS_MODULE_PATH, F_OK); +- if (rv < 0 && errno != ENOENT) +- rv = 0; +- + /* Installed == true */ +- return !rv || FIPS_module_mode(); ++ return 0; + } + + int FIPS_module_mode_set(int onoff) +diff -up openssl-1.1.1k/crypto/o_fips.c.disable-fips openssl-1.1.1k/crypto/o_fips.c +--- openssl-1.1.1k/crypto/o_fips.c.disable-fips 2022-05-30 17:05:37.411658179 +0200 ++++ openssl-1.1.1k/crypto/o_fips.c 2022-05-30 17:06:25.279514707 +0200 +@@ -12,24 +12,14 @@ + + int FIPS_mode(void) + { +-#ifdef OPENSSL_FIPS +- return FIPS_module_mode(); +-#else + /* This version of the library does not support FIPS mode. */ + return 0; +-#endif + } + + int FIPS_mode_set(int r) + { +-#ifdef OPENSSL_FIPS +- if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */ +- return 1; +- return FIPS_module_mode_set(r); +-#else + if (r == 0) + return 1; + CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); + return 0; +-#endif + } +diff -up openssl-1.1.1k/crypto/o_init.c.disable-fips openssl-1.1.1k/crypto/o_init.c +--- openssl-1.1.1k/crypto/o_init.c.disable-fips 2022-05-30 17:06:58.250104676 +0200 ++++ openssl-1.1.1k/crypto/o_init.c 2022-05-30 17:17:12.369135344 +0200 +@@ -7,55 +7,9 @@ + * https://www.openssl.org/source/license.html + */ + +-/* for secure_getenv */ +-#define _GNU_SOURCE + #include "e_os.h" + #include + #ifdef OPENSSL_FIPS +-# include +-# include +-# include +-# include +-# include +-# include +-# include +-# include +-# include "crypto/fips.h" +- +-# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" +- +-static void init_fips_mode(void) +-{ +- char buf[2] = "0"; +- int fd; +- +- if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { +- buf[0] = '1'; +- } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { +- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; +- close(fd); +- } +- +- if (buf[0] != '1' && !FIPS_module_installed()) +- return; +- +- /* Ensure the selftests always run */ +- /* XXX: TO SOLVE - premature initialization due to selftests */ +- FIPS_mode_set(1); +- +- /* Failure reading the fips mode switch file means just not +- * switching into FIPS mode. We would break too many things +- * otherwise.. +- */ +- +- if (buf[0] != '1') { +- /* drop down to non-FIPS mode if it is not requested */ +- FIPS_mode_set(0); +- } else { +- /* abort if selftest failed */ +- FIPS_selftest_check(); +- } +-} + + /* + * Perform FIPS module power on selftest and automatic FIPS mode switch. +@@ -63,11 +17,6 @@ static void init_fips_mode(void) + + void __attribute__ ((constructor)) OPENSSL_init_library(void) + { +- static int done = 0; +- if (done) +- return; +- done = 1; +- init_fips_mode(); + } + #endif + diff --git a/SOURCES/openssl-1.1.1-version-override.patch b/SOURCES/openssl-1.1.1-version-override.patch deleted file mode 100644 index b89ebc6..0000000 --- a/SOURCES/openssl-1.1.1-version-override.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h ---- openssl-1.1.1i/include/openssl/opensslv.h.version-override 2020-12-09 10:25:12.042374409 +0100 -+++ openssl-1.1.1i/include/openssl/opensslv.h 2020-12-09 10:26:00.362769170 +0100 -@@ -40,7 +40,7 @@ extern "C" { - * major minor fix final patch/beta) - */ - # define OPENSSL_VERSION_NUMBER 0x101010bfL --# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k 25 Mar 2021" -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k FIPS 25 Mar 2021" - - /*- - * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/SPECS/compat-openssl11.spec b/SPECS/compat-openssl11.spec index cbaf271..aed86ed 100644 --- a/SPECS/compat-openssl11.spec +++ b/SPECS/compat-openssl11.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: compat-openssl11 Version: 1.1.1k -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -50,7 +50,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch Patch40: openssl-1.1.1-disable-ssl3.patch Patch41: openssl-1.1.1-system-cipherlist.patch Patch42: openssl-1.1.1-fips.patch -Patch44: openssl-1.1.1-version-override.patch Patch45: openssl-1.1.1-weak-ciphers.patch Patch46: openssl-1.1.1-seclevel.patch Patch47: openssl-1.1.1-ts-sha256-default.patch @@ -67,11 +66,16 @@ Patch67: openssl-1.1.1-kdf-selftest.patch Patch69: openssl-1.1.1-alpn-cb.patch Patch70: openssl-1.1.1-rewire-fips-drbg.patch Patch71: openssl-1.1.1-new-config-file.patch +# This modifies code that was patched before, but removing all FIPS patches +# comes with a much greater risk of introducing regressions. +Patch72: openssl-1.1.1-disable-fips.patch + # Backported fixes including security fixes Patch52: openssl-1.1.1-s390x-update.patch Patch53: openssl-1.1.1-fips-crng-test.patch Patch55: openssl-1.1.1-arm-update.patch Patch56: openssl-1.1.1-s390x-ecc.patch +Patch73: openssl-1.1.1-cve-2022-0778.patch License: OpenSSL and ASL 2.0 URL: http://www.openssl.org/ @@ -119,7 +123,6 @@ cp %{SOURCE13} test/ %patch40 -p1 -b .disable-ssl3 %patch41 -p1 -b .system-cipherlist %patch42 -p1 -b .fips -%patch44 -p1 -b .version-override %patch45 -p1 -b .weak-ciphers %patch46 -p1 -b .seclevel %patch47 -p1 -b .ts-sha256-default @@ -140,6 +143,8 @@ cp %{SOURCE13} test/ %patch69 -p1 -b .alpn-cb %patch70 -p1 -b .rewire-fips-drbg %patch71 -p1 -b .conf-new +%patch72 -p1 -b .disable-fips +%patch73 -p1 -b .cve-2022-0778 cp apps/openssl.cnf apps/openssl11.cnf @@ -308,7 +313,13 @@ install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl1 %ldconfig_scriptlets %changelog -* Mon Oct 05 2021 Sahana Prasad - 1:1.1.1k-3 +* Mon May 30 2022 Clemens Lang - 1:1.1.1k-4 +- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates + Resolves: rhbz#2063147 +- Disable FIPS mode; it does not work and will not be certified + Resolves: rhbz#2091968 + +* Tue Oct 05 2021 Sahana Prasad - 1:1.1.1k-3 - updates OPENSSL_CONF to openssl11.cnf. - Related: rhbz#1947584, rhbz#2003123