import compat-openssl11-1.1.1k-4.el9_0

2022-09-27 07:02:21 -04:00 · 2022-09-27 07:02:21 -04:00 · 30c60dd5aa
commit 30c60dd5aa
parent b7fd2d9ee8
4 changed files with 317 additions and 18 deletions
--- a/SOURCES/openssl-1.1.1-cve-2022-0778.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-0778.patch
@ -0,0 +1,179 @@
+From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:21 +0100
+Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
+
+The calculation in some cases does not finish for non-prime p.
+
+This fixes CVE-2022-0778.
+
+Based on patch by David Benjamin <davidben@google.com>.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
+index 1723d5ded5a8..53b0f559855c 100644
+--- a/crypto/bn/bn_sqrt.c
+++ b/crypto/bn/bn_sqrt.c
+@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+ /*
+  * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
+  * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
+- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
+  */
+ {
+     BIGNUM *ret = in;
+@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+             goto vrfy;
+         }
+ 
+-        /* find smallest  i  such that  b^(2^i) = 1 */
+-        i = 1;
+-        if (!BN_mod_sqr(t, b, p, ctx))
+-            goto end;
+-        while (!BN_is_one(t)) {
+-            i++;
+-            if (i == e) {
+-                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+-                goto end;
+        /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+        for (i = 1; i < e; i++) {
+            if (i == 1) {
+                if (!BN_mod_sqr(t, b, p, ctx))
+                    goto end;
+
+            } else {
+                if (!BN_mod_mul(t, t, t, p, ctx))
+                    goto end;
+             }
+-            if (!BN_mod_mul(t, t, t, p, ctx))
+-                goto end;
+            if (BN_is_one(t))
+                break;
+        }
+        /* If not found, a is not a square or p is not prime. */
+        if (i >= e) {
+            BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+            goto end;
+         }
+ 
+         /* t := y^2^(e - i - 1) */
+From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:30 +0100
+Subject: [PATCH] Add documentation of BN_mod_sqrt()
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ doc/man3/BN_add.pod | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
+index dccd4790ede7..1f5e37a4d183 100644
+--- a/doc/man3/BN_add.pod
+++ b/doc/man3/BN_add.pod
+@@ -3,7 +3,7 @@
+ =head1 NAME
+ 
+ BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
+-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
+ arithmetic operations on BIGNUMs
+ 
+ =head1 SYNOPSIS
+@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
+ 
+  int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ 
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+
+  int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+ 
+  int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
+ BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
+ result in I<r>.
+ 
+BN_mod_sqrt() returns the modular square root of I<a> such that
+C<in^2 = a (mod p)>. The modulus I<p> must be a
+prime, otherwise an error or an incorrect "result" will be returned.
+The result is stored into I<in> which can be NULL. The result will be
+newly allocated in that case.
+
+ BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
+ (C<r=a^p>). This function is faster than repeated applications of
+ BN_mul().
+@@ -108,7 +116,10 @@ the arguments.
+ 
+ =head1 RETURN VALUES
+ 
+-For all functions, 1 is returned for success, 0 on error. The return
+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
+not a prime), or NULL.
+
+For all remaining functions, 1 is returned for success, 0 on error. The return
+ value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
+ The error codes can be obtained by L<ERR_get_error(3)>.
+ 
+From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:35 +0100
+Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ test/bntest.c                          | 11 ++++++++++-
+ test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/test/bntest.c b/test/bntest.c
+index 390dd800733e..1cab660bcafb 100644
+--- a/test/bntest.c
+++ b/test/bntest.c
+@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
+             || !TEST_ptr(ret2 = BN_new()))
+         goto err;
+ 
+    if (BN_is_negative(mod_sqrt)) {
+        /* A negative testcase */
+        if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
+            goto err;
+
+        st = 1;
+        goto err;
+    }
+
+     /* There are two possible answers. */
+-    if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
+    if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
+             || !TEST_true(BN_sub(ret2, p, ret)))
+         goto err;
+ 
+diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
+index 5ea4d031f271..e28cc6bfb02e 100644
+--- a/test/recipes/10-test_bn_data/bnmod.txt
+++ b/test/recipes/10-test_bn_data/bnmod.txt
+@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+ ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
+ A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
+ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
+# Negative testcases for BN_mod_sqrt()
+
+# This one triggers an infinite loop with unfixed implementation
+# It should just fail.
+ModSqrt = -1
+A = 20a7ee
+P = 460201
+
+ModSqrt = -1
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
--- a/SOURCES/openssl-1.1.1-disable-fips.patch
+++ b/SOURCES/openssl-1.1.1-disable-fips.patch
@ -0,0 +1,125 @@
+Disable FIPS mode
+
+FIPS mode is not supported for compat-openssl11. Apply a minimal patch
+that will reject explicit enabling of FIPS mode and disable automatic
+activation of FIPS mode.
+
+To avoid regressions, keep the rest of the library as it was.
+
+diff -up openssl-1.1.1k/crypto/fips/fips.c.disable-fips openssl-1.1.1k/crypto/fips/fips.c
+--- openssl-1.1.1k/crypto/fips/fips.c.disable-fips	2022-05-30 17:05:28.604500582 +0200
+++ openssl-1.1.1k/crypto/fips/fips.c	2022-05-30 17:09:46.129110042 +0200
+@@ -405,13 +405,8 @@ static int verify_checksums(void)
+ 
+ int FIPS_module_installed(void)
+ {
+-    int rv;
+-    rv = access(FIPS_MODULE_PATH, F_OK);
+-    if (rv < 0 && errno != ENOENT)
+-        rv = 0;
+-
+     /* Installed == true */
+-    return !rv || FIPS_module_mode();
+    return 0;
+ }
+ 
+ int FIPS_module_mode_set(int onoff)
+diff -up openssl-1.1.1k/crypto/o_fips.c.disable-fips openssl-1.1.1k/crypto/o_fips.c
+--- openssl-1.1.1k/crypto/o_fips.c.disable-fips	2022-05-30 17:05:37.411658179 +0200
+++ openssl-1.1.1k/crypto/o_fips.c	2022-05-30 17:06:25.279514707 +0200
+@@ -12,24 +12,14 @@
+ 
+ int FIPS_mode(void)
+ {
+-#ifdef OPENSSL_FIPS
+-    return FIPS_module_mode();
+-#else
+     /* This version of the library does not support FIPS mode. */
+     return 0;
+-#endif
+ }
+ 
+ int FIPS_mode_set(int r)
+ {
+-#ifdef OPENSSL_FIPS
+-    if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
+-        return 1;
+-    return FIPS_module_mode_set(r);
+-#else
+     if (r == 0)
+         return 1;
+     CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
+     return 0;
+-#endif
+ }
+diff -up openssl-1.1.1k/crypto/o_init.c.disable-fips openssl-1.1.1k/crypto/o_init.c
+--- openssl-1.1.1k/crypto/o_init.c.disable-fips	2022-05-30 17:06:58.250104676 +0200
+++ openssl-1.1.1k/crypto/o_init.c	2022-05-30 17:17:12.369135344 +0200
+@@ -7,55 +7,9 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
+-/* for secure_getenv */
+-#define _GNU_SOURCE
+ #include "e_os.h"
+ #include <openssl/err.h>
+ #ifdef OPENSSL_FIPS
+-# include <sys/types.h>
+-# include <sys/stat.h>
+-# include <fcntl.h>
+-# include <unistd.h>
+-# include <errno.h>
+-# include <stdlib.h>
+-# include <openssl/rand.h>
+-# include <openssl/fips.h>
+-# include "crypto/fips.h"
+-
+-# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+-
+-static void init_fips_mode(void)
+-{
+-    char buf[2] = "0";
+-    int fd;
+-
+-    if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+-        buf[0] = '1';
+-    } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+-        while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+-        close(fd);
+-    }
+-
+-    if (buf[0] != '1' && !FIPS_module_installed())
+-        return;
+-
+-    /* Ensure the selftests always run */
+-    /* XXX: TO SOLVE - premature initialization due to selftests */
+-    FIPS_mode_set(1);
+-
+-    /* Failure reading the fips mode switch file means just not
+-     * switching into FIPS mode. We would break too many things
+-     * otherwise..
+-     */
+-
+-    if (buf[0] != '1') {
+-        /* drop down to non-FIPS mode if it is not requested */
+-        FIPS_mode_set(0);
+-    } else {
+-        /* abort if selftest failed */
+-        FIPS_selftest_check();
+-    }
+-}
+ 
+ /*
+  * Perform FIPS module power on selftest and automatic FIPS mode switch.
+@@ -63,11 +17,6 @@ static void init_fips_mode(void)
+ 
+ void __attribute__ ((constructor)) OPENSSL_init_library(void)
+ {
+-    static int done = 0;
+-    if (done)
+-        return;
+-    done = 1;
+-    init_fips_mode();
+ }
+ #endif
+ 
--- a/SOURCES/openssl-1.1.1-version-override.patch
+++ b/SOURCES/openssl-1.1.1-version-override.patch
@ -1,12 +0,0 @@
-diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h
--- openssl-1.1.1i/include/openssl/opensslv.h.version-override	2020-12-09 10:25:12.042374409 +0100
-+++ openssl-1.1.1i/include/openssl/opensslv.h	2020-12-09 10:26:00.362769170 +0100
-@@ -40,7 +40,7 @@ extern "C" {
-  *  major minor fix final patch/beta)
-  */
- # define OPENSSL_VERSION_NUMBER  0x101010bfL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k  25 Mar 2021"
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k  FIPS 25 Mar 2021"
- 
- /*-
-  * The macros below are to be used for shared library (.so, .dll, ...)
--- a/SPECS/compat-openssl11.spec
+++ b/SPECS/compat-openssl11.spec
@ -50,7 +50,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
 Patch40: openssl-1.1.1-disable-ssl3.patch
 Patch41: openssl-1.1.1-system-cipherlist.patch
 Patch42: openssl-1.1.1-fips.patch
-Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.1-weak-ciphers.patch
 Patch46: openssl-1.1.1-seclevel.patch
 Patch47: openssl-1.1.1-ts-sha256-default.patch
@ -67,11 +66,16 @@ Patch67: openssl-1.1.1-kdf-selftest.patch
 Patch69: openssl-1.1.1-alpn-cb.patch
 Patch70: openssl-1.1.1-rewire-fips-drbg.patch
 Patch71: openssl-1.1.1-new-config-file.patch
+# This modifies code that was patched before, but removing all FIPS patches
+# comes with a much greater risk of introducing regressions.
+Patch72: openssl-1.1.1-disable-fips.patch
+
 # Backported fixes including security fixes
 Patch52: openssl-1.1.1-s390x-update.patch
 Patch53: openssl-1.1.1-fips-crng-test.patch
 Patch55: openssl-1.1.1-arm-update.patch
 Patch56: openssl-1.1.1-s390x-ecc.patch
+Patch73: openssl-1.1.1-cve-2022-0778.patch

 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
@ -119,7 +123,6 @@ cp %{SOURCE13} test/
 %patch40 -p1 -b .disable-ssl3
 %patch41 -p1 -b .system-cipherlist
 %patch42 -p1 -b .fips
-%patch44 -p1 -b .version-override
 %patch45 -p1 -b .weak-ciphers
 %patch46 -p1 -b .seclevel
 %patch47 -p1 -b .ts-sha256-default
@ -140,6 +143,8 @@ cp %{SOURCE13} test/
 %patch69 -p1 -b .alpn-cb
 %patch70 -p1 -b .rewire-fips-drbg
 %patch71 -p1 -b .conf-new
+%patch72 -p1 -b .disable-fips
+%patch73 -p1 -b .cve-2022-0778

 cp apps/openssl.cnf apps/openssl11.cnf

@ -308,13 +313,15 @@ install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl1
 %ldconfig_scriptlets

 %changelog
-* Tue Oct 05 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-4
- Bumping version as the same one exists on 9.0.0.
- Resolves: rhbz#1947584
+* Mon May 30 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-4
+- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
+  Resolves: rhbz#2063147
+- Disable FIPS mode; it does not work and will not be certified
+  Resolves: rhbz#2091968

 * Tue Oct 05 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-3
 - updates OPENSSL_CONF to openssl11.cnf.
- Resolves: rhbz#1947584
+- Related: rhbz#1947584, rhbz#2003123

 * Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-2
 - Remove support for building FIPS mode binaries for the