import compat-openssl11-1.1.1k-4.el9_0

2022-06-02 17:14:09 -04:00 · 2022-06-02 17:14:09 -04:00 · 1a293f5165
commit 1a293f5165
parent 1a551eb8c0
4 changed files with 319 additions and 16 deletions
--- a/SOURCES/openssl-1.1.1-cve-2022-0778.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-0778.patch
@ -0,0 +1,179 @@
 From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Mon, 28 Feb 2022 18:26:21 +0100
 Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
 The calculation in some cases does not finish for non-prime p.
 This fixes CVE-2022-0778.
 Based on patch by David Benjamin <davidben@google.com>.
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 ---
 crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
 diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
 index 1723d5ded5a8..53b0f559855c 100644
 --- a/crypto/bn/bn_sqrt.c
 +++ b/crypto/bn/bn_sqrt.c
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 /*
  * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
  * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
 - * Theory", algorithm 1.5.1). 'p' must be prime!
 + * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
 + * an incorrect "result" will be returned.
  */
 {
     BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
             goto vrfy;
         }
 -        /* find smallest  i  such that  b^(2^i) = 1 */
 -        i = 1;
 -        if (!BN_mod_sqr(t, b, p, ctx))
 -            goto end;
 -        while (!BN_is_one(t)) {
 -            i++;
 -            if (i == e) {
 -                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
 -                goto end;
 +        /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
 +        for (i = 1; i < e; i++) {
 +            if (i == 1) {
 +                if (!BN_mod_sqr(t, b, p, ctx))
 +                    goto end;
 +
 +            } else {
 +                if (!BN_mod_mul(t, t, t, p, ctx))
 +                    goto end;
             }
 -            if (!BN_mod_mul(t, t, t, p, ctx))
 -                goto end;
 +            if (BN_is_one(t))
 +                break;
 +        }
 +        /* If not found, a is not a square or p is not prime. */
 +        if (i >= e) {
 +            BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
 +            goto end;
         }
         /* t := y^2^(e - i - 1) */
 From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Mon, 28 Feb 2022 18:26:30 +0100
 Subject: [PATCH] Add documentation of BN_mod_sqrt()
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 ---
 doc/man3/BN_add.pod | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
 diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
 index dccd4790ede7..1f5e37a4d183 100644
 --- a/doc/man3/BN_add.pod
 +++ b/doc/man3/BN_add.pod
@@ -3,7 +3,7 @@
 =head1 NAME
 BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
 -BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
 +BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
 arithmetic operations on BIGNUMs
 =head1 SYNOPSIS
@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
  int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
 + BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
 +
  int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
  int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
 BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
 result in I<r>.
 +BN_mod_sqrt() returns the modular square root of I<a> such that
 +C<in^2 = a (mod p)>. The modulus I<p> must be a
 +prime, otherwise an error or an incorrect "result" will be returned.
 +The result is stored into I<in> which can be NULL. The result will be
 +newly allocated in that case.
 +
 BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
 (C<r=a^p>). This function is faster than repeated applications of
 BN_mul().
@@ -108,7 +116,10 @@ the arguments.
 =head1 RETURN VALUES
 -For all functions, 1 is returned for success, 0 on error. The return
 +The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
 +not a prime), or NULL.
 +
 +For all remaining functions, 1 is returned for success, 0 on error. The return
 value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
 The error codes can be obtained by L<ERR_get_error(3)>.
 From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Mon, 28 Feb 2022 18:26:35 +0100
 Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 ---
 test/bntest.c                          | 11 ++++++++++-
 test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 diff --git a/test/bntest.c b/test/bntest.c
 index 390dd800733e..1cab660bcafb 100644
 --- a/test/bntest.c
 +++ b/test/bntest.c
@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
             || !TEST_ptr(ret2 = BN_new()))
         goto err;
 +    if (BN_is_negative(mod_sqrt)) {
 +        /* A negative testcase */
 +        if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
 +            goto err;
 +
 +        st = 1;
 +        goto err;
 +    }
 +
     /* There are two possible answers. */
 -    if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
 +    if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
             || !TEST_true(BN_sub(ret2, p, ret)))
         goto err;
 diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
 index 5ea4d031f271..e28cc6bfb02e 100644
 --- a/test/recipes/10-test_bn_data/bnmod.txt
 +++ b/test/recipes/10-test_bn_data/bnmod.txt
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
 ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
 A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
 P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
 +
 +# Negative testcases for BN_mod_sqrt()
 +
 +# This one triggers an infinite loop with unfixed implementation
 +# It should just fail.
 +ModSqrt = -1
 +A = 20a7ee
 +P = 460201
 +
 +ModSqrt = -1
 +A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
 +P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
--- a/SOURCES/openssl-1.1.1-disable-fips.patch
+++ b/SOURCES/openssl-1.1.1-disable-fips.patch
@ -0,0 +1,125 @@
 Disable FIPS mode
 FIPS mode is not supported for compat-openssl11. Apply a minimal patch
 that will reject explicit enabling of FIPS mode and disable automatic
 activation of FIPS mode.
 To avoid regressions, keep the rest of the library as it was.
 diff -up openssl-1.1.1k/crypto/fips/fips.c.disable-fips openssl-1.1.1k/crypto/fips/fips.c
 --- openssl-1.1.1k/crypto/fips/fips.c.disable-fips	2022-05-30 17:05:28.604500582 +0200
 +++ openssl-1.1.1k/crypto/fips/fips.c	2022-05-30 17:09:46.129110042 +0200
@@ -405,13 +405,8 @@ static int verify_checksums(void)
 int FIPS_module_installed(void)
 {
 -    int rv;
 -    rv = access(FIPS_MODULE_PATH, F_OK);
 -    if (rv < 0 && errno != ENOENT)
 -        rv = 0;
 -
     /* Installed == true */
 -    return !rv || FIPS_module_mode();
 +    return 0;
 }
 int FIPS_module_mode_set(int onoff)
 diff -up openssl-1.1.1k/crypto/o_fips.c.disable-fips openssl-1.1.1k/crypto/o_fips.c
 --- openssl-1.1.1k/crypto/o_fips.c.disable-fips	2022-05-30 17:05:37.411658179 +0200
 +++ openssl-1.1.1k/crypto/o_fips.c	2022-05-30 17:06:25.279514707 +0200
@@ -12,24 +12,14 @@
 int FIPS_mode(void)
 {
 -#ifdef OPENSSL_FIPS
 -    return FIPS_module_mode();
 -#else
     /* This version of the library does not support FIPS mode. */
     return 0;
 -#endif
 }
 int FIPS_mode_set(int r)
 {
 -#ifdef OPENSSL_FIPS
 -    if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
 -        return 1;
 -    return FIPS_module_mode_set(r);
 -#else
     if (r == 0)
         return 1;
     CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
     return 0;
 -#endif
 }
 diff -up openssl-1.1.1k/crypto/o_init.c.disable-fips openssl-1.1.1k/crypto/o_init.c
 --- openssl-1.1.1k/crypto/o_init.c.disable-fips	2022-05-30 17:06:58.250104676 +0200
 +++ openssl-1.1.1k/crypto/o_init.c	2022-05-30 17:17:12.369135344 +0200
@@ -7,55 +7,9 @@
  * https://www.openssl.org/source/license.html
  */
 -/* for secure_getenv */
 -#define _GNU_SOURCE
 #include "e_os.h"
 #include <openssl/err.h>
 #ifdef OPENSSL_FIPS
 -# include <sys/types.h>
 -# include <sys/stat.h>
 -# include <fcntl.h>
 -# include <unistd.h>
 -# include <errno.h>
 -# include <stdlib.h>
 -# include <openssl/rand.h>
 -# include <openssl/fips.h>
 -# include "crypto/fips.h"
 -
 -# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
 -
 -static void init_fips_mode(void)
 -{
 -    char buf[2] = "0";
 -    int fd;
 -
 -    if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
 -        buf[0] = '1';
 -    } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
 -        while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
 -        close(fd);
 -    }
 -
 -    if (buf[0] != '1' && !FIPS_module_installed())
 -        return;
 -
 -    /* Ensure the selftests always run */
 -    /* XXX: TO SOLVE - premature initialization due to selftests */
 -    FIPS_mode_set(1);
 -
 -    /* Failure reading the fips mode switch file means just not
 -     * switching into FIPS mode. We would break too many things
 -     * otherwise..
 -     */
 -
 -    if (buf[0] != '1') {
 -        /* drop down to non-FIPS mode if it is not requested */
 -        FIPS_mode_set(0);
 -    } else {
 -        /* abort if selftest failed */
 -        FIPS_selftest_check();
 -    }
 -}
 /*
  * Perform FIPS module power on selftest and automatic FIPS mode switch.
@@ -63,11 +17,6 @@ static void init_fips_mode(void)
 void __attribute__ ((constructor)) OPENSSL_init_library(void)
 {
 -    static int done = 0;
 -    if (done)
 -        return;
 -    done = 1;
 -    init_fips_mode();
 }
 #endif
--- a/SOURCES/openssl-1.1.1-version-override.patch
+++ b/SOURCES/openssl-1.1.1-version-override.patch
@ -1,12 +0,0 @@
 diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h
 --- openssl-1.1.1i/include/openssl/opensslv.h.version-override	2020-12-09 10:25:12.042374409 +0100
 +++ openssl-1.1.1i/include/openssl/opensslv.h	2020-12-09 10:26:00.362769170 +0100
@@ -40,7 +40,7 @@ extern "C" {
  *  major minor fix final patch/beta)
  */
 # define OPENSSL_VERSION_NUMBER  0x101010bfL
 -# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k  25 Mar 2021"
 +# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k  FIPS 25 Mar 2021"
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
--- a/SPECS/compat-openssl11.spec
+++ b/SPECS/compat-openssl11.spec
@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: compat-openssl11
 Version: 1.1.1k
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -50,7 +50,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
 Patch40: openssl-1.1.1-disable-ssl3.patch
 Patch41: openssl-1.1.1-system-cipherlist.patch
 Patch42: openssl-1.1.1-fips.patch
 Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.1-weak-ciphers.patch
 Patch46: openssl-1.1.1-seclevel.patch
 Patch47: openssl-1.1.1-ts-sha256-default.patch
@ -67,11 +66,16 @@ Patch67: openssl-1.1.1-kdf-selftest.patch
 Patch69: openssl-1.1.1-alpn-cb.patch
 Patch70: openssl-1.1.1-rewire-fips-drbg.patch
 Patch71: openssl-1.1.1-new-config-file.patch
 # This modifies code that was patched before, but removing all FIPS patches
 # comes with a much greater risk of introducing regressions.
 Patch72: openssl-1.1.1-disable-fips.patch
 # Backported fixes including security fixes
 Patch52: openssl-1.1.1-s390x-update.patch
 Patch53: openssl-1.1.1-fips-crng-test.patch
 Patch55: openssl-1.1.1-arm-update.patch
 Patch56: openssl-1.1.1-s390x-ecc.patch
 Patch73: openssl-1.1.1-cve-2022-0778.patch
 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
@ -119,7 +123,6 @@ cp %{SOURCE13} test/
 %patch40 -p1 -b .disable-ssl3
 %patch41 -p1 -b .system-cipherlist
 %patch42 -p1 -b .fips
 %patch44 -p1 -b .version-override
 %patch45 -p1 -b .weak-ciphers
 %patch46 -p1 -b .seclevel
 %patch47 -p1 -b .ts-sha256-default
@ -140,6 +143,8 @@ cp %{SOURCE13} test/
 %patch69 -p1 -b .alpn-cb
 %patch70 -p1 -b .rewire-fips-drbg
 %patch71 -p1 -b .conf-new
 %patch72 -p1 -b .disable-fips
 %patch73 -p1 -b .cve-2022-0778
 cp apps/openssl.cnf apps/openssl11.cnf
@ -308,7 +313,13 @@ install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl1
 %ldconfig_scriptlets
 %changelog
-* Mon Oct 05 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-3
+* Mon May 30 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-4
 - Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
  Resolves: rhbz#2063147
 - Disable FIPS mode; it does not work and will not be certified
  Resolves: rhbz#2091968
 * Tue Oct 05 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-3
 - updates OPENSSL_CONF to openssl11.cnf.
 - Related: rhbz#1947584, rhbz#2003123