import openssl-1.1.1c-15.el8
This commit is contained in:
parent
9035cd7561
commit
2b3c833414
1434
SOURCES/openssl-1.1.1-arm-update.patch
Normal file
1434
SOURCES/openssl-1.1.1-arm-update.patch
Normal file
File diff suppressed because it is too large
Load Diff
171
SOURCES/openssl-1.1.1-cve-2019-1547.patch
Normal file
171
SOURCES/openssl-1.1.1-cve-2019-1547.patch
Normal file
@ -0,0 +1,171 @@
|
|||||||
|
From 30c22fa8b1d840036b8e203585738df62a03cec8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Billy Brumley <bbrumley@gmail.com>
|
||||||
|
Date: Thu, 5 Sep 2019 21:25:37 +0300
|
||||||
|
Subject: [PATCH] [crypto/ec] for ECC parameters with NULL or zero cofactor,
|
||||||
|
compute it
|
||||||
|
|
||||||
|
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
|
||||||
|
mitigations for ECC currently use it. So the library currently falls
|
||||||
|
back to very old SCA-vulnerable code if the cofactor is not present.
|
||||||
|
|
||||||
|
This PR allows EC_GROUP_set_generator to compute the cofactor for all
|
||||||
|
curves of cryptographic interest. Steering scalar multiplication to more
|
||||||
|
SCA-robust code.
|
||||||
|
|
||||||
|
This issue affects persisted private keys in explicit parameter form,
|
||||||
|
where the (optional) cofactor field is zero or absent.
|
||||||
|
|
||||||
|
It also affects curves not built-in to the library, but constructed
|
||||||
|
programatically with explicit parameters, then calling
|
||||||
|
EC_GROUP_set_generator with a nonsensical value (NULL, zero).
|
||||||
|
|
||||||
|
The very old scalar multiplication code is known to be vulnerable to
|
||||||
|
local uarch attacks, outside of the OpenSSL threat model. New results
|
||||||
|
suggest the code path is also vulnerable to traditional wall clock
|
||||||
|
timing attacks.
|
||||||
|
|
||||||
|
CVE-2019-1547
|
||||||
|
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
|
||||||
|
(Merged from https://github.com/openssl/openssl/pull/9781)
|
||||||
|
---
|
||||||
|
crypto/ec/ec_lib.c | 103 ++++++++++++++++++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 96 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
|
||||||
|
index 8cab5a5061..1289c8608e 100644
|
||||||
|
--- a/crypto/ec/ec_lib.c
|
||||||
|
+++ b/crypto/ec/ec_lib.c
|
||||||
|
@@ -265,6 +265,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
|
||||||
|
|
||||||
|
static int ec_precompute_mont_data(EC_GROUP *);
|
||||||
|
|
||||||
|
+/*-
|
||||||
|
+ * Try computing cofactor from the generator order (n) and field cardinality (q).
|
||||||
|
+ * This works for all curves of cryptographic interest.
|
||||||
|
+ *
|
||||||
|
+ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
|
||||||
|
+ * h_min = (q + 1 - 2*sqrt(q))/n
|
||||||
|
+ * h_max = (q + 1 + 2*sqrt(q))/n
|
||||||
|
+ * h_max - h_min = 4*sqrt(q)/n
|
||||||
|
+ * So if n > 4*sqrt(q) holds, there is only one possible value for h:
|
||||||
|
+ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
|
||||||
|
+ *
|
||||||
|
+ * Otherwise, zero cofactor and return success.
|
||||||
|
+ */
|
||||||
|
+static int ec_guess_cofactor(EC_GROUP *group) {
|
||||||
|
+ int ret = 0;
|
||||||
|
+ BN_CTX *ctx = NULL;
|
||||||
|
+ BIGNUM *q = NULL;
|
||||||
|
+
|
||||||
|
+ /*-
|
||||||
|
+ * If the cofactor is too large, we cannot guess it.
|
||||||
|
+ * The RHS of below is a strict overestimate of lg(4 * sqrt(q))
|
||||||
|
+ */
|
||||||
|
+ if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
|
||||||
|
+ /* default to 0 */
|
||||||
|
+ BN_zero(group->cofactor);
|
||||||
|
+ /* return success */
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ((ctx = BN_CTX_new()) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ BN_CTX_start(ctx);
|
||||||
|
+ if ((q = BN_CTX_get(ctx)) == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ /* set q = 2**m for binary fields; q = p otherwise */
|
||||||
|
+ if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
|
||||||
|
+ BN_zero(q);
|
||||||
|
+ if (!BN_set_bit(q, BN_num_bits(group->field) - 1))
|
||||||
|
+ goto err;
|
||||||
|
+ } else {
|
||||||
|
+ if (!BN_copy(q, group->field))
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
|
||||||
|
+ if (!BN_rshift1(group->cofactor, group->order) /* n/2 */
|
||||||
|
+ || !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */
|
||||||
|
+ /* q + 1 + n/2 */
|
||||||
|
+ || !BN_add(group->cofactor, group->cofactor, BN_value_one())
|
||||||
|
+ /* (q + 1 + n/2)/n */
|
||||||
|
+ || !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))
|
||||||
|
+ goto err;
|
||||||
|
+ ret = 1;
|
||||||
|
+ err:
|
||||||
|
+ BN_CTX_end(ctx);
|
||||||
|
+ BN_CTX_free(ctx);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||||
|
const BIGNUM *order, const BIGNUM *cofactor)
|
||||||
|
{
|
||||||
|
@@ -273,6 +334,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* require group->field >= 1 */
|
||||||
|
+ if (group->field == NULL || BN_is_zero(group->field)
|
||||||
|
+ || BN_is_negative(group->field)) {
|
||||||
|
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*-
|
||||||
|
+ * - require order >= 1
|
||||||
|
+ * - enforce upper bound due to Hasse thm: order can be no more than one bit
|
||||||
|
+ * longer than field cardinality
|
||||||
|
+ */
|
||||||
|
+ if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
|
||||||
|
+ || BN_num_bits(order) > BN_num_bits(group->field) + 1) {
|
||||||
|
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*-
|
||||||
|
+ * Unfortunately the cofactor is an optional field in many standards.
|
||||||
|
+ * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
|
||||||
|
+ * So accept cofactor == NULL or cofactor >= 0.
|
||||||
|
+ */
|
||||||
|
+ if (cofactor != NULL && BN_is_negative(cofactor)) {
|
||||||
|
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (group->generator == NULL) {
|
||||||
|
group->generator = EC_POINT_new(group);
|
||||||
|
if (group->generator == NULL)
|
||||||
|
@@ -281,17 +370,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||||
|
if (!EC_POINT_copy(group->generator, generator))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
- if (order != NULL) {
|
||||||
|
- if (!BN_copy(group->order, order))
|
||||||
|
- return 0;
|
||||||
|
- } else
|
||||||
|
- BN_zero(group->order);
|
||||||
|
+ if (!BN_copy(group->order, order))
|
||||||
|
+ return 0;
|
||||||
|
|
||||||
|
- if (cofactor != NULL) {
|
||||||
|
+ /* Either take the provided positive cofactor, or try to compute it */
|
||||||
|
+ if (cofactor != NULL && !BN_is_zero(cofactor)) {
|
||||||
|
if (!BN_copy(group->cofactor, cofactor))
|
||||||
|
return 0;
|
||||||
|
- } else
|
||||||
|
+ } else if (!ec_guess_cofactor(group)) {
|
||||||
|
BN_zero(group->cofactor);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Some groups have an order with
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
300
SOURCES/openssl-1.1.1-cve-2019-1549.patch
Normal file
300
SOURCES/openssl-1.1.1-cve-2019-1549.patch
Normal file
@ -0,0 +1,300 @@
|
|||||||
|
diff -up openssl-1.1.1c/crypto/fips/fips.c.fork-safety openssl-1.1.1c/crypto/fips/fips.c
|
||||||
|
--- openssl-1.1.1c/crypto/fips/fips.c.fork-safety 2019-11-20 11:36:22.343506961 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/fips/fips.c 2019-11-21 17:44:32.920776849 +0100
|
||||||
|
@@ -472,7 +472,7 @@ int FIPS_module_mode_set(int onoff)
|
||||||
|
|
||||||
|
fips_set_mode(onoff);
|
||||||
|
/* force RNG reseed with entropy from getrandom() on next call */
|
||||||
|
- rand_fork();
|
||||||
|
+ rand_force_reseed();
|
||||||
|
|
||||||
|
ret = 1;
|
||||||
|
goto end;
|
||||||
|
diff -up openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety openssl-1.1.1c/crypto/include/internal/rand_int.h
|
||||||
|
--- openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety 2019-11-20 11:36:22.382506277 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/include/internal/rand_int.h 2019-11-21 17:45:42.102456672 +0100
|
||||||
|
@@ -24,9 +24,9 @@
|
||||||
|
typedef struct rand_pool_st RAND_POOL;
|
||||||
|
|
||||||
|
void rand_cleanup_int(void);
|
||||||
|
+void rand_force_reseed(void);
|
||||||
|
void rand_drbg_cleanup_int(void);
|
||||||
|
void drbg_delete_thread_state(void);
|
||||||
|
-void rand_fork(void);
|
||||||
|
|
||||||
|
/* Hardware-based seeding functions. */
|
||||||
|
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
|
||||||
|
diff -up openssl-1.1.1c/crypto/init.c.fork-safety openssl-1.1.1c/crypto/init.c
|
||||||
|
--- openssl-1.1.1c/crypto/init.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||||
|
+++ openssl-1.1.1c/crypto/init.c 2019-11-21 17:34:13.478597398 +0100
|
||||||
|
@@ -847,6 +847,5 @@ void OPENSSL_fork_parent(void)
|
||||||
|
|
||||||
|
void OPENSSL_fork_child(void)
|
||||||
|
{
|
||||||
|
- rand_fork();
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
diff -up openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety openssl-1.1.1c/crypto/rand/drbg_lib.c
|
||||||
|
--- openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety 2019-11-20 11:36:22.383506260 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/rand/drbg_lib.c 2019-11-21 17:46:37.583397431 +0100
|
||||||
|
@@ -197,7 +197,7 @@ static RAND_DRBG *rand_drbg_new(int secu
|
||||||
|
}
|
||||||
|
|
||||||
|
drbg->secure = secure && CRYPTO_secure_allocated(drbg);
|
||||||
|
- drbg->fork_count = rand_fork_count;
|
||||||
|
+ drbg->fork_id = openssl_get_fork_id();
|
||||||
|
drbg->parent = parent;
|
||||||
|
|
||||||
|
if (parent == NULL) {
|
||||||
|
@@ -583,6 +583,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
|
||||||
|
int prediction_resistance,
|
||||||
|
const unsigned char *adin, size_t adinlen)
|
||||||
|
{
|
||||||
|
+ int fork_id;
|
||||||
|
int reseed_required = 0;
|
||||||
|
|
||||||
|
if (drbg->state != DRBG_READY) {
|
||||||
|
@@ -608,8 +609,10 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (drbg->fork_count != rand_fork_count) {
|
||||||
|
- drbg->fork_count = rand_fork_count;
|
||||||
|
+ fork_id = openssl_get_fork_id();
|
||||||
|
+
|
||||||
|
+ if (drbg->fork_id != fork_id) {
|
||||||
|
+ drbg->fork_id = fork_id;
|
||||||
|
reseed_required = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1011,6 +1014,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
|
||||||
|
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
|
||||||
|
}
|
||||||
|
|
||||||
|
+void rand_force_reseed(void)
|
||||||
|
+{
|
||||||
|
+ RAND_DRBG *drbg;
|
||||||
|
+
|
||||||
|
+ drbg = RAND_DRBG_get0_master();
|
||||||
|
+ drbg->fork_id = 0;
|
||||||
|
+
|
||||||
|
+ drbg = RAND_DRBG_get0_private();
|
||||||
|
+ drbg->fork_id = 0;
|
||||||
|
+
|
||||||
|
+ drbg = RAND_DRBG_get0_public();
|
||||||
|
+ drbg->fork_id = 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Implements the default OpenSSL RAND_add() method */
|
||||||
|
static int drbg_add(const void *buf, int num, double randomness)
|
||||||
|
{
|
||||||
|
diff -up openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety openssl-1.1.1c/crypto/rand/rand_lcl.h
|
||||||
|
--- openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety 2019-11-20 11:36:22.383506260 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/rand/rand_lcl.h 2019-11-21 17:34:13.485597265 +0100
|
||||||
|
@@ -176,12 +176,12 @@ struct rand_drbg_st {
|
||||||
|
int secure; /* 1: allocated on the secure heap, 0: otherwise */
|
||||||
|
int type; /* the nid of the underlying algorithm */
|
||||||
|
/*
|
||||||
|
- * Stores the value of the rand_fork_count global as of when we last
|
||||||
|
- * reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
|
||||||
|
- * rand_fork_count. Used to provide fork-safety and reseed this DRBG in
|
||||||
|
- * the child process.
|
||||||
|
+ * Stores the return value of openssl_get_fork_id() as of when we last
|
||||||
|
+ * reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
|
||||||
|
+ * openssl_get_fork_id(). Used to provide fork-safety and reseed this
|
||||||
|
+ * DRBG in the child process.
|
||||||
|
*/
|
||||||
|
- int fork_count;
|
||||||
|
+ int fork_id;
|
||||||
|
unsigned short flags; /* various external flags */
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -273,19 +273,6 @@ struct rand_drbg_st {
|
||||||
|
/* The global RAND method, and the global buffer and DRBG instance. */
|
||||||
|
extern RAND_METHOD rand_meth;
|
||||||
|
|
||||||
|
-/*
|
||||||
|
- * A "generation count" of forks. Incremented in the child process after a
|
||||||
|
- * fork. Since rand_fork_count is increment-only, and only ever written to in
|
||||||
|
- * the child process of the fork, which is guaranteed to be single-threaded, no
|
||||||
|
- * locking is needed for normal (read) accesses; the rest of pthread fork
|
||||||
|
- * processing is assumed to introduce the necessary memory barriers. Sibling
|
||||||
|
- * children of a given parent will produce duplicate values, but this is not
|
||||||
|
- * problematic because the reseeding process pulls input from the system CSPRNG
|
||||||
|
- * and/or other global sources, so the siblings will end up generating
|
||||||
|
- * different output streams.
|
||||||
|
- */
|
||||||
|
-extern int rand_fork_count;
|
||||||
|
-
|
||||||
|
/* DRBG helpers */
|
||||||
|
int rand_drbg_restart(RAND_DRBG *drbg,
|
||||||
|
const unsigned char *buffer, size_t len, size_t entropy);
|
||||||
|
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety openssl-1.1.1c/crypto/rand/rand_lib.c
|
||||||
|
--- openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety 2019-11-20 11:36:22.374506418 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-11-21 17:34:13.487597227 +0100
|
||||||
|
@@ -30,8 +30,6 @@ static CRYPTO_RWLOCK *rand_meth_lock;
|
||||||
|
static const RAND_METHOD *default_RAND_meth;
|
||||||
|
static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;
|
||||||
|
|
||||||
|
-int rand_fork_count;
|
||||||
|
-
|
||||||
|
static CRYPTO_RWLOCK *rand_nonce_lock;
|
||||||
|
static int rand_nonce_count;
|
||||||
|
|
||||||
|
@@ -303,11 +301,6 @@ void rand_drbg_cleanup_additional_data(R
|
||||||
|
rand_pool_reattach(pool, out);
|
||||||
|
}
|
||||||
|
|
||||||
|
-void rand_fork(void)
|
||||||
|
-{
|
||||||
|
- rand_fork_count++;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
DEFINE_RUN_ONCE_STATIC(do_rand_init)
|
||||||
|
{
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
diff -up openssl-1.1.1c/crypto/threads_none.c.fork-safety openssl-1.1.1c/crypto/threads_none.c
|
||||||
|
--- openssl-1.1.1c/crypto/threads_none.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||||
|
+++ openssl-1.1.1c/crypto/threads_none.c 2019-11-21 17:34:13.489597189 +0100
|
||||||
|
@@ -12,6 +12,11 @@
|
||||||
|
|
||||||
|
#if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG)
|
||||||
|
|
||||||
|
+# if defined(OPENSSL_SYS_UNIX)
|
||||||
|
+# include <sys/types.h>
|
||||||
|
+# include <unistd.h>
|
||||||
|
+# endif
|
||||||
|
+
|
||||||
|
CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
|
||||||
|
{
|
||||||
|
CRYPTO_RWLOCK *lock;
|
||||||
|
@@ -133,4 +138,12 @@ int openssl_init_fork_handlers(void)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+int openssl_get_fork_id(void)
|
||||||
|
+{
|
||||||
|
+# if defined(OPENSSL_SYS_UNIX)
|
||||||
|
+ return getpid();
|
||||||
|
+# else
|
||||||
|
+ return 0;
|
||||||
|
+# endif
|
||||||
|
+}
|
||||||
|
#endif
|
||||||
|
diff -up openssl-1.1.1c/crypto/threads_pthread.c.fork-safety openssl-1.1.1c/crypto/threads_pthread.c
|
||||||
|
--- openssl-1.1.1c/crypto/threads_pthread.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||||
|
+++ openssl-1.1.1c/crypto/threads_pthread.c 2019-11-21 17:34:13.492597131 +0100
|
||||||
|
@@ -12,6 +12,11 @@
|
||||||
|
|
||||||
|
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
|
||||||
|
|
||||||
|
+# if defined(OPENSSL_SYS_UNIX)
|
||||||
|
+# include <sys/types.h>
|
||||||
|
+# include <unistd.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
# ifdef PTHREAD_RWLOCK_INITIALIZER
|
||||||
|
# define USE_RWLOCK
|
||||||
|
# endif
|
||||||
|
@@ -193,4 +198,9 @@ int openssl_init_fork_handlers(void)
|
||||||
|
# endif
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+int openssl_get_fork_id(void)
|
||||||
|
+{
|
||||||
|
+ return getpid();
|
||||||
|
+}
|
||||||
|
#endif
|
||||||
|
diff -up openssl-1.1.1c/crypto/threads_win.c.fork-safety openssl-1.1.1c/crypto/threads_win.c
|
||||||
|
--- openssl-1.1.1c/crypto/threads_win.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||||
|
+++ openssl-1.1.1c/crypto/threads_win.c 2019-11-21 17:34:13.495597074 +0100
|
||||||
|
@@ -164,4 +164,8 @@ int openssl_init_fork_handlers(void)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+int openssl_get_fork_id(void)
|
||||||
|
+{
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
#endif
|
||||||
|
diff -up openssl-1.1.1c/include/internal/cryptlib.h.fork-safety openssl-1.1.1c/include/internal/cryptlib.h
|
||||||
|
--- openssl-1.1.1c/include/internal/cryptlib.h.fork-safety 2019-05-28 15:12:21.000000000 +0200
|
||||||
|
+++ openssl-1.1.1c/include/internal/cryptlib.h 2019-11-21 17:34:13.497597036 +0100
|
||||||
|
@@ -80,6 +80,7 @@ extern unsigned int OPENSSL_ia32cap_P[];
|
||||||
|
void OPENSSL_showfatal(const char *fmta, ...);
|
||||||
|
void crypto_cleanup_all_ex_data_int(void);
|
||||||
|
int openssl_init_fork_handlers(void);
|
||||||
|
+int openssl_get_fork_id(void);
|
||||||
|
|
||||||
|
char *ossl_safe_getenv(const char *name);
|
||||||
|
|
||||||
|
diff -up openssl-1.1.1c/test/drbgtest.c.fork-safety openssl-1.1.1c/test/drbgtest.c
|
||||||
|
--- openssl-1.1.1c/test/drbgtest.c.fork-safety 2019-11-20 11:36:22.384506242 +0100
|
||||||
|
+++ openssl-1.1.1c/test/drbgtest.c 2019-11-21 17:34:13.499596998 +0100
|
||||||
|
@@ -22,6 +22,13 @@
|
||||||
|
# include <windows.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+
|
||||||
|
+#if defined(OPENSSL_SYS_UNIX)
|
||||||
|
+# include <sys/types.h>
|
||||||
|
+# include <sys/wait.h>
|
||||||
|
+# include <unistd.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#include "testutil.h"
|
||||||
|
#include "drbgtest.h"
|
||||||
|
|
||||||
|
@@ -696,6 +703,40 @@ static int test_drbg_reseed(int expect_s
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
+#if defined(OPENSSL_SYS_UNIX)
|
||||||
|
+/*
|
||||||
|
+ * Test whether master, public and private DRBG are reseeded after
|
||||||
|
+ * forking the process.
|
||||||
|
+ */
|
||||||
|
+static int test_drbg_reseed_after_fork(RAND_DRBG *master,
|
||||||
|
+ RAND_DRBG *public,
|
||||||
|
+ RAND_DRBG *private)
|
||||||
|
+{
|
||||||
|
+ pid_t pid;
|
||||||
|
+ int status=0;
|
||||||
|
+
|
||||||
|
+ pid = fork();
|
||||||
|
+ if (!TEST_int_ge(pid, 0))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (pid > 0) {
|
||||||
|
+ /* I'm the parent; wait for the child and check its exit code */
|
||||||
|
+ return TEST_int_eq(waitpid(pid, &status, 0), pid) && TEST_int_eq(status, 0);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* I'm the child; check whether all three DRBGs reseed. */
|
||||||
|
+ if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)))
|
||||||
|
+ status = 1;
|
||||||
|
+
|
||||||
|
+ /* Remove hooks */
|
||||||
|
+ unhook_drbg(master);
|
||||||
|
+ unhook_drbg(public);
|
||||||
|
+ unhook_drbg(private);
|
||||||
|
+ exit(status);
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Test whether the default rand_method (RAND_OpenSSL()) is
|
||||||
|
* setup correctly, in particular whether reseeding works
|
||||||
|
@@ -786,6 +827,10 @@ static int test_rand_drbg_reseed(void)
|
||||||
|
goto error;
|
||||||
|
reset_drbg_hook_ctx();
|
||||||
|
|
||||||
|
+#if defined(OPENSSL_SYS_UNIX)
|
||||||
|
+ if (!TEST_true(test_drbg_reseed_after_fork(master, public, private)))
|
||||||
|
+ goto error;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/* fill 'randomness' buffer with some arbitrary data */
|
||||||
|
memset(rand_add_buf, 'r', sizeof(rand_add_buf));
|
147
SOURCES/openssl-1.1.1-cve-2019-1563.patch
Normal file
147
SOURCES/openssl-1.1.1-cve-2019-1563.patch
Normal file
@ -0,0 +1,147 @@
|
|||||||
|
From 08229ad838c50f644d7e928e2eef147b4308ad64 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
||||||
|
Date: Sun, 1 Sep 2019 00:16:28 +0200
|
||||||
|
Subject: [PATCH] Fix a padding oracle in PKCS7_dataDecode and
|
||||||
|
CMS_decrypt_set1_pkey
|
||||||
|
|
||||||
|
An attack is simple, if the first CMS_recipientInfo is valid but the
|
||||||
|
second CMS_recipientInfo is chosen ciphertext. If the second
|
||||||
|
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
|
||||||
|
encryption key will be replaced by garbage, and the message cannot be
|
||||||
|
decoded, but if the RSA decryption fails, the correct encryption key is
|
||||||
|
used and the recipient will not notice the attack.
|
||||||
|
|
||||||
|
As a work around for this potential attack the length of the decrypted
|
||||||
|
key must be equal to the cipher default key length, in case the
|
||||||
|
certifiate is not given and all recipientInfo are tried out.
|
||||||
|
|
||||||
|
The old behaviour can be re-enabled in the CMS code by setting the
|
||||||
|
CMS_DEBUG_DECRYPT flag.
|
||||||
|
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
(Merged from https://github.com/openssl/openssl/pull/9777)
|
||||||
|
|
||||||
|
(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
|
||||||
|
---
|
||||||
|
crypto/cms/cms_env.c | 18 +++++++++++++++++-
|
||||||
|
crypto/cms/cms_lcl.h | 2 ++
|
||||||
|
crypto/cms/cms_smime.c | 4 ++++
|
||||||
|
crypto/pkcs7/pk7_doit.c | 12 ++++++++----
|
||||||
|
5 files changed, 45 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
|
||||||
|
index bb95af75e3..25df1c40b1 100644
|
||||||
|
--- a/crypto/cms/cms_env.c
|
||||||
|
+++ b/crypto/cms/cms_env.c
|
||||||
|
@@ -363,6 +363,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
|
||||||
|
unsigned char *ek = NULL;
|
||||||
|
size_t eklen;
|
||||||
|
int ret = 0;
|
||||||
|
+ size_t fixlen = 0;
|
||||||
|
CMS_EncryptedContentInfo *ec;
|
||||||
|
ec = cms->d.envelopedData->encryptedContentInfo;
|
||||||
|
|
||||||
|
@@ -371,6 +372,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (cms->d.envelopedData->encryptedContentInfo->havenocert
|
||||||
|
+ && !cms->d.envelopedData->encryptedContentInfo->debug) {
|
||||||
|
+ X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
|
||||||
|
+ const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
|
||||||
|
+
|
||||||
|
+ if (ciph == NULL) {
|
||||||
|
+ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ fixlen = EVP_CIPHER_key_length(ciph);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
|
||||||
|
if (ktri->pctx == NULL)
|
||||||
|
return 0;
|
||||||
|
@@ -401,7 +415,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
|
||||||
|
|
||||||
|
if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
|
||||||
|
ktri->encryptedKey->data,
|
||||||
|
- ktri->encryptedKey->length) <= 0) {
|
||||||
|
+ ktri->encryptedKey->length) <= 0
|
||||||
|
+ || eklen == 0
|
||||||
|
+ || (fixlen != 0 && eklen != fixlen)) {
|
||||||
|
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h
|
||||||
|
index b5c06b7f6c..8eddb02493 100644
|
||||||
|
--- a/crypto/cms/cms_lcl.h
|
||||||
|
+++ b/crypto/cms/cms_lcl.h
|
||||||
|
@@ -125,6 +125,8 @@ struct CMS_EncryptedContentInfo_st {
|
||||||
|
size_t keylen;
|
||||||
|
/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
|
||||||
|
int debug;
|
||||||
|
+ /* Set to 1 if we have no cert and need extra safety measures for MMA */
|
||||||
|
+ int havenocert;
|
||||||
|
};
|
||||||
|
|
||||||
|
struct CMS_RecipientInfo_st {
|
||||||
|
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
|
||||||
|
index 5dcf803f4b..3a26108b8c 100644
|
||||||
|
--- a/crypto/cms/cms_smime.c
|
||||||
|
+++ b/crypto/cms/cms_smime.c
|
||||||
|
@@ -743,6 +743,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
|
||||||
|
cms->d.envelopedData->encryptedContentInfo->debug = 1;
|
||||||
|
else
|
||||||
|
cms->d.envelopedData->encryptedContentInfo->debug = 0;
|
||||||
|
+ if (!cert)
|
||||||
|
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
|
||||||
|
+ else
|
||||||
|
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
|
||||||
|
if (!pk && !cert && !dcont && !out)
|
||||||
|
return 1;
|
||||||
|
if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
|
||||||
|
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
|
||||||
|
index ee08e602a1..15a6160cfe 100644
|
||||||
|
--- a/crypto/pkcs7/pk7_doit.c
|
||||||
|
+++ b/crypto/pkcs7/pk7_doit.c
|
||||||
|
@@ -137,7 +137,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
|
||||||
|
}
|
||||||
|
|
||||||
|
static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
|
||||||
|
- PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
|
||||||
|
+ PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
|
||||||
|
+ size_t fixlen)
|
||||||
|
{
|
||||||
|
EVP_PKEY_CTX *pctx = NULL;
|
||||||
|
unsigned char *ek = NULL;
|
||||||
|
@@ -170,7 +171,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (EVP_PKEY_decrypt(pctx, ek, &eklen,
|
||||||
|
- ri->enc_key->data, ri->enc_key->length) <= 0) {
|
||||||
|
+ ri->enc_key->data, ri->enc_key->length) <= 0
|
||||||
|
+ || eklen == 0
|
||||||
|
+ || (fixlen != 0 && eklen != fixlen)) {
|
||||||
|
ret = 0;
|
||||||
|
PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
|
||||||
|
goto err;
|
||||||
|
@@ -499,13 +502,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
|
||||||
|
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
|
||||||
|
ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
|
||||||
|
|
||||||
|
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
|
||||||
|
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
|
||||||
|
+ EVP_CIPHER_key_length(evp_cipher)) < 0)
|
||||||
|
goto err;
|
||||||
|
ERR_clear_error();
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
/* Only exit on fatal errors, not decrypt failure */
|
||||||
|
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
|
||||||
|
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
|
||||||
|
goto err;
|
||||||
|
ERR_clear_error();
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
68
SOURCES/openssl-1.1.1-edk2-build.patch
Normal file
68
SOURCES/openssl-1.1.1-edk2-build.patch
Normal file
@ -0,0 +1,68 @@
|
|||||||
|
diff -up openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1c/crypto/evp/pkey_kdf.c
|
||||||
|
--- openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build 2019-11-14 16:25:09.437914854 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/evp/pkey_kdf.c 2019-11-15 14:52:40.216905772 +0100
|
||||||
|
@@ -12,6 +12,7 @@
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/kdf.h>
|
||||||
|
+#include "internal/numbers.h"
|
||||||
|
#include "internal/evp_int.h"
|
||||||
|
|
||||||
|
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
|
||||||
|
diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build openssl-1.1.1c/crypto/include/internal/fips_int.h
|
||||||
|
--- openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build 2019-11-14 16:25:09.430914981 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-11-15 14:48:02.489936610 +0100
|
||||||
|
@@ -50,10 +50,6 @@
|
||||||
|
#include <openssl/opensslconf.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
|
-#ifndef OPENSSL_FIPS
|
||||||
|
-# error FIPS is disabled.
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
|
||||||
|
int FIPS_module_mode_set(int onoff);
|
||||||
|
@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
|
||||||
|
|
||||||
|
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
|
||||||
|
|
||||||
|
+#else
|
||||||
|
+
|
||||||
|
+# define fips_in_post() 0
|
||||||
|
+
|
||||||
|
#endif
|
||||||
|
diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/hkdf.c
|
||||||
|
--- openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build 2019-11-14 16:25:09.438914836 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/kdf/hkdf.c 2019-11-15 14:48:53.360015134 +0100
|
||||||
|
@@ -13,6 +13,7 @@
|
||||||
|
#include <openssl/hmac.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/kdf.h>
|
||||||
|
+#include "internal/numbers.h"
|
||||||
|
#include "internal/cryptlib.h"
|
||||||
|
#include "internal/evp_int.h"
|
||||||
|
#include "kdf_local.h"
|
||||||
|
diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/sshkdf.c
|
||||||
|
--- openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build 2019-11-14 16:25:09.452914583 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/kdf/sshkdf.c 2019-11-15 14:53:14.769279878 +0100
|
||||||
|
@@ -12,6 +12,7 @@
|
||||||
|
#include <string.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/kdf.h>
|
||||||
|
+#include "internal/numbers.h"
|
||||||
|
#include "internal/cryptlib.h"
|
||||||
|
#include "internal/evp_int.h"
|
||||||
|
#include "kdf_local.h"
|
||||||
|
diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1c/crypto/rand/rand_unix.c
|
||||||
|
--- openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build 2019-11-14 16:25:09.430914981 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-11-15 14:51:41.634966941 +0100
|
||||||
|
@@ -19,7 +19,7 @@
|
||||||
|
#include "internal/fips_int.h"
|
||||||
|
#include <stdio.h>
|
||||||
|
#include "internal/dso.h"
|
||||||
|
-#if defined(__linux)
|
||||||
|
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
|
||||||
|
# include <sys/syscall.h>
|
||||||
|
# include <sys/random.h>
|
||||||
|
#endif
|
212
SOURCES/openssl-1.1.1-fips-curves.patch
Normal file
212
SOURCES/openssl-1.1.1-fips-curves.patch
Normal file
@ -0,0 +1,212 @@
|
|||||||
|
diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1c/crypto/ec/ec_curve.c
|
||||||
|
--- openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves 2019-11-25 13:18:40.719532357 +0100
|
||||||
|
+++ openssl-1.1.1c/crypto/ec/ec_curve.c 2019-11-25 13:18:40.765531559 +0100
|
||||||
|
@@ -13,6 +13,7 @@
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include <openssl/opensslconf.h>
|
||||||
|
+#include <openssl/crypto.h>
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
@@ -237,6 +238,7 @@ static const struct {
|
||||||
|
|
||||||
|
typedef struct _ec_list_element_st {
|
||||||
|
int nid;
|
||||||
|
+ int fips_allowed;
|
||||||
|
const EC_CURVE_DATA *data;
|
||||||
|
const EC_METHOD *(*meth) (void);
|
||||||
|
const char *comment;
|
||||||
|
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
|
||||||
|
/* prime field curves */
|
||||||
|
/* secg curves */
|
||||||
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||||
|
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||||
|
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||||
|
"NIST/SECG curve over a 224 bit prime field"},
|
||||||
|
#else
|
||||||
|
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||||
|
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
|
||||||
|
"NIST/SECG curve over a 224 bit prime field"},
|
||||||
|
#endif
|
||||||
|
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||||
|
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
|
||||||
|
"SECG curve over a 256 bit prime field"},
|
||||||
|
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||||
|
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||||
|
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
|
||||||
|
# if defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp384_method,
|
||||||
|
# else
|
||||||
|
0,
|
||||||
|
# endif
|
||||||
|
"NIST/SECG curve over a 384 bit prime field"},
|
||||||
|
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||||
|
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
|
||||||
|
# if defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp521_method,
|
||||||
|
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||||
|
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
|
||||||
|
# endif
|
||||||
|
"NIST/SECG curve over a 521 bit prime field"},
|
||||||
|
/* X9.62 curves */
|
||||||
|
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||||
|
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
|
||||||
|
#if defined(ECP_NISTZ256_ASM)
|
||||||
|
EC_GFp_nistz256_method,
|
||||||
|
# elif defined(S390X_EC_ASM)
|
||||||
|
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||||
|
|
||||||
|
for (i = 0; i < curve_list_length; i++)
|
||||||
|
if (curve_list[i].nid == nid) {
|
||||||
|
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
|
||||||
|
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
ret = ec_group_new_from_data(curve_list[i]);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||||
|
|
||||||
|
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||||
|
{
|
||||||
|
- size_t i, min;
|
||||||
|
+ size_t i, j, num;
|
||||||
|
+ int fips_mode = FIPS_mode();
|
||||||
|
|
||||||
|
- if (r == NULL || nitems == 0)
|
||||||
|
- return curve_list_length;
|
||||||
|
+ num = curve_list_length;
|
||||||
|
+ if (fips_mode)
|
||||||
|
+ for (i = 0; i < curve_list_length; i++) {
|
||||||
|
+ if (!curve_list[i].fips_allowed)
|
||||||
|
+ --num;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||||
|
+ if (r == NULL || nitems == 0) {
|
||||||
|
+ return num;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- for (i = 0; i < min; i++) {
|
||||||
|
- r[i].nid = curve_list[i].nid;
|
||||||
|
- r[i].comment = curve_list[i].comment;
|
||||||
|
+ for (i = 0, j = 0; i < curve_list_length; i++) {
|
||||||
|
+ if (j >= nitems)
|
||||||
|
+ break;
|
||||||
|
+ if (!fips_mode || curve_list[i].fips_allowed) {
|
||||||
|
+ r[j].nid = curve_list[i].nid;
|
||||||
|
+ r[j].comment = curve_list[i].comment;
|
||||||
|
+ ++j;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
- return curve_list_length;
|
||||||
|
+ return num;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Functions to translate between common NIST curve names and NIDs */
|
||||||
|
diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
|
||||||
|
--- openssl-1.1.1c/ssl/t1_lib.c.fips-curves 2019-11-25 13:18:40.658533416 +0100
|
||||||
|
+++ openssl-1.1.1c/ssl/t1_lib.c 2019-11-26 17:57:15.014742428 +0100
|
||||||
|
@@ -20,6 +20,7 @@
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
#include "ssl_locl.h"
|
||||||
|
#include <openssl/ct.h>
|
||||||
|
+#include <openssl/crypto.h>
|
||||||
|
|
||||||
|
SSL3_ENC_METHOD const TLSv1_enc_data = {
|
||||||
|
tls1_enc,
|
||||||
|
@@ -676,6 +677,36 @@ static const uint16_t tls12_sigalgs[] =
|
||||||
|
#endif
|
||||||
|
};
|
||||||
|
|
||||||
|
+static const uint16_t tls12_fips_sigalgs[] = {
|
||||||
|
+#ifndef OPENSSL_NO_EC
|
||||||
|
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||||
|
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
|
||||||
|
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
|
||||||
|
+
|
||||||
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
|
||||||
|
+
|
||||||
|
+#ifndef OPENSSL_NO_EC
|
||||||
|
+ TLSEXT_SIGALG_ecdsa_sha224,
|
||||||
|
+#endif
|
||||||
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
|
||||||
|
+#ifndef OPENSSL_NO_DSA
|
||||||
|
+ TLSEXT_SIGALG_dsa_sha224,
|
||||||
|
+ TLSEXT_SIGALG_dsa_sha256,
|
||||||
|
+ TLSEXT_SIGALG_dsa_sha384,
|
||||||
|
+ TLSEXT_SIGALG_dsa_sha512,
|
||||||
|
+#endif
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
static const uint16_t suiteb_sigalgs[] = {
|
||||||
|
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||||
|
@@ -890,8 +921,11 @@ static const SIGALG_LOOKUP *tls1_get_leg
|
||||||
|
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
|
||||||
|
return NULL;
|
||||||
|
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
|
||||||
|
- const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
||||||
|
+ const SIGALG_LOOKUP *lu;
|
||||||
|
|
||||||
|
+ if (FIPS_mode()) /* We do not allow SHA1 signatures in FIPS mode */
|
||||||
|
+ return NULL;
|
||||||
|
+ lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
||||||
|
if (!tls1_lookup_md(lu, NULL))
|
||||||
|
return NULL;
|
||||||
|
return lu;
|
||||||
|
@@ -945,6 +979,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
|
||||||
|
} else if (s->cert->conf_sigalgs) {
|
||||||
|
*psigs = s->cert->conf_sigalgs;
|
||||||
|
return s->cert->conf_sigalgslen;
|
||||||
|
+ } else if (FIPS_mode()) {
|
||||||
|
+ *psigs = tls12_fips_sigalgs;
|
||||||
|
+ return OSSL_NELEM(tls12_fips_sigalgs);
|
||||||
|
} else {
|
||||||
|
*psigs = tls12_sigalgs;
|
||||||
|
return OSSL_NELEM(tls12_sigalgs);
|
||||||
|
@@ -964,6 +1001,9 @@ int tls_check_sigalg_curve(const SSL *s,
|
||||||
|
if (s->cert->conf_sigalgs) {
|
||||||
|
sigs = s->cert->conf_sigalgs;
|
||||||
|
siglen = s->cert->conf_sigalgslen;
|
||||||
|
+ } else if (FIPS_mode()) {
|
||||||
|
+ sigs = tls12_fips_sigalgs;
|
||||||
|
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
|
||||||
|
} else {
|
||||||
|
sigs = tls12_sigalgs;
|
||||||
|
siglen = OSSL_NELEM(tls12_sigalgs);
|
||||||
|
@@ -1582,6 +1622,8 @@ static int tls12_sigalg_allowed(SSL *s,
|
||||||
|
if (lu->sig == NID_id_GostR3410_2012_256
|
||||||
|
|| lu->sig == NID_id_GostR3410_2012_512
|
||||||
|
|| lu->sig == NID_id_GostR3410_2001) {
|
||||||
|
+ if (FIPS_mode())
|
||||||
|
+ return 0;
|
||||||
|
/* We never allow GOST sig algs on the server with TLSv1.3 */
|
||||||
|
if (s->server && SSL_IS_TLS13(s))
|
||||||
|
return 0;
|
||||||
|
@@ -2720,6 +2762,13 @@ int tls_choose_sigalg(SSL *s, int fatale
|
||||||
|
const uint16_t *sent_sigs;
|
||||||
|
size_t sent_sigslen;
|
||||||
|
|
||||||
|
+ if (fatalerrs && FIPS_mode()) {
|
||||||
|
+ /* There are no suitable legacy algorithms in FIPS mode */
|
||||||
|
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||||
|
+ SSL_F_TLS_CHOOSE_SIGALG,
|
||||||
|
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
|
||||||
|
if (!fatalerrs)
|
||||||
|
return 1;
|
@ -60,7 +60,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
|
|||||||
eddsa_doit[i] = 2;
|
eddsa_doit[i] = 2;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@@ -1734,23 +1739,30 @@ int speed_main(int argc, char **argv)
|
@@ -1734,23 +1739,31 @@ int speed_main(int argc, char **argv)
|
||||||
/* No parameters; turn on everything. */
|
/* No parameters; turn on everything. */
|
||||||
if ((argc == 0) && !doit[D_EVP]) {
|
if ((argc == 0) && !doit[D_EVP]) {
|
||||||
for (i = 0; i < ALGOR_NUM; i++)
|
for (i = 0; i < ALGOR_NUM; i++)
|
||||||
@ -87,9 +87,11 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
|
|||||||
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
|
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
|
||||||
ecdsa_doit[loop] = 1;
|
ecdsa_doit[loop] = 1;
|
||||||
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
|
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
|
||||||
ecdh_doit[loop] = 1;
|
- ecdh_doit[loop] = 1;
|
||||||
- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
|
- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
|
||||||
- eddsa_doit[loop] = 1;
|
- eddsa_doit[loop] = 1;
|
||||||
|
+ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
|
||||||
|
+ ecdh_doit[loop] = 1;
|
||||||
+ if (!FIPS_mode())
|
+ if (!FIPS_mode())
|
||||||
+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
|
+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
|
||||||
+ eddsa_doit[loop] = 1;
|
+ eddsa_doit[loop] = 1;
|
||||||
@ -459,7 +461,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
|
|||||||
+ goto err;
|
+ goto err;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (FIPS_mode() && (L != 1024 || N != 160) &&
|
+ if (FIPS_mode() &&
|
||||||
+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
|
+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
|
||||||
+ (L != 3072 || N != 256)) {
|
+ (L != 3072 || N != 256)) {
|
||||||
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
|
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
|
||||||
@ -11546,6 +11548,108 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope
|
|||||||
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
|
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
|
||||||
# define RSA_R_VALUE_MISSING 147
|
# define RSA_R_VALUE_MISSING 147
|
||||||
# define RSA_R_WRONG_SIGNATURE_LENGTH 119
|
# define RSA_R_WRONG_SIGNATURE_LENGTH 119
|
||||||
|
diff -up openssl-1.1.1c/ssl/s3_lib.c.fips openssl-1.1.1c/ssl/s3_lib.c
|
||||||
|
--- openssl-1.1.1c/ssl/s3_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
|
||||||
|
+++ openssl-1.1.1c/ssl/s3_lib.c 2019-11-20 12:00:32.770173240 +0100
|
||||||
|
@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||||
|
0, 0,
|
||||||
|
- SSL_HIGH,
|
||||||
|
+ SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256,
|
||||||
|
128,
|
||||||
|
128,
|
||||||
|
@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||||
|
0, 0,
|
||||||
|
- SSL_HIGH,
|
||||||
|
+ SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA384,
|
||||||
|
256,
|
||||||
|
256,
|
||||||
|
@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_3_VERSION, TLS1_3_VERSION,
|
||||||
|
0, 0,
|
||||||
|
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||||
|
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256,
|
||||||
|
128,
|
||||||
|
128,
|
||||||
|
@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||||
|
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||||
|
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||||
|
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||||
|
128,
|
||||||
|
128,
|
||||||
|
@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||||
|
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||||
|
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||||
|
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||||
|
256,
|
||||||
|
256,
|
||||||
|
@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||||
|
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||||
|
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||||
|
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||||
|
128,
|
||||||
|
128,
|
||||||
|
@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||||
|
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||||
|
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||||
|
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||||
|
256,
|
||||||
|
256,
|
||||||
|
@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||||
|
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||||
|
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||||
|
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||||
|
128,
|
||||||
|
128,
|
||||||
|
@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||||
|
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||||
|
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||||
|
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||||
|
256,
|
||||||
|
256,
|
||||||
|
@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||||
|
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||||
|
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||||
|
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||||
|
128,
|
||||||
|
128,
|
||||||
|
@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||||
|
SSL_AEAD,
|
||||||
|
TLS1_2_VERSION, TLS1_2_VERSION,
|
||||||
|
DTLS1_2_VERSION, DTLS1_2_VERSION,
|
||||||
|
- SSL_NOT_DEFAULT | SSL_HIGH,
|
||||||
|
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
|
||||||
|
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
|
||||||
|
256,
|
||||||
|
256,
|
||||||
diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c
|
diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c
|
||||||
--- openssl-1.1.1b/ssl/ssl_ciph.c.fips 2019-02-28 11:30:06.776746228 +0100
|
--- openssl-1.1.1b/ssl/ssl_ciph.c.fips 2019-02-28 11:30:06.776746228 +0100
|
||||||
+++ openssl-1.1.1b/ssl/ssl_ciph.c 2019-02-28 11:30:06.822745372 +0100
|
+++ openssl-1.1.1b/ssl/ssl_ciph.c 2019-02-28 11:30:06.822745372 +0100
|
||||||
|
3022
SOURCES/openssl-1.1.1-krb5-kdf.patch
Normal file
3022
SOURCES/openssl-1.1.1-krb5-kdf.patch
Normal file
File diff suppressed because it is too large
Load Diff
2327
SOURCES/openssl-1.1.1-s390x-ecc.patch
Normal file
2327
SOURCES/openssl-1.1.1-s390x-ecc.patch
Normal file
File diff suppressed because it is too large
Load Diff
40
SOURCES/openssl-1.1.1-s390x-sigill.patch
Normal file
40
SOURCES/openssl-1.1.1-s390x-sigill.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
diff -up openssl-1.1.1c/crypto/s390xcap.c.s390x-sigill openssl-1.1.1c/crypto/s390xcap.c
|
||||||
|
--- openssl-1.1.1c/crypto/s390xcap.c.s390x-sigill 2019-05-28 15:12:21.000000000 +0200
|
||||||
|
+++ openssl-1.1.1c/crypto/s390xcap.c 2020-02-12 17:05:54.566258533 +0100
|
||||||
|
@@ -1,5 +1,5 @@
|
||||||
|
/*
|
||||||
|
- * Copyright 2010-2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
+ * Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
@@ -29,7 +29,7 @@ struct OPENSSL_s390xcap_st OPENSSL_s390x
|
||||||
|
void OPENSSL_cpuid_setup(void)
|
||||||
|
{
|
||||||
|
sigset_t oset;
|
||||||
|
- struct sigaction ill_act, oact;
|
||||||
|
+ struct sigaction ill_act, oact_ill, oact_fpe;
|
||||||
|
|
||||||
|
if (OPENSSL_s390xcap_P.stfle[0])
|
||||||
|
return;
|
||||||
|
@@ -44,8 +44,8 @@ void OPENSSL_cpuid_setup(void)
|
||||||
|
sigdelset(&ill_act.sa_mask, SIGFPE);
|
||||||
|
sigdelset(&ill_act.sa_mask, SIGTRAP);
|
||||||
|
sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
|
||||||
|
- sigaction(SIGILL, &ill_act, &oact);
|
||||||
|
- sigaction(SIGFPE, &ill_act, &oact);
|
||||||
|
+ sigaction(SIGILL, &ill_act, &oact_ill);
|
||||||
|
+ sigaction(SIGFPE, &ill_act, &oact_fpe);
|
||||||
|
|
||||||
|
/* protection against missing store-facility-list-extended */
|
||||||
|
if (sigsetjmp(ill_jmp, 1) == 0)
|
||||||
|
@@ -61,7 +61,7 @@ void OPENSSL_cpuid_setup(void)
|
||||||
|
| S390X_CAPBIT(S390X_VXE));
|
||||||
|
}
|
||||||
|
|
||||||
|
- sigaction(SIGFPE, &oact, NULL);
|
||||||
|
- sigaction(SIGILL, &oact, NULL);
|
||||||
|
+ sigaction(SIGFPE, &oact_fpe, NULL);
|
||||||
|
+ sigaction(SIGILL, &oact_ill, NULL);
|
||||||
|
sigprocmask(SIG_SETMASK, &oset, NULL);
|
||||||
|
}
|
26
SOURCES/openssl-1.1.1-tls-compliance.patch
Normal file
26
SOURCES/openssl-1.1.1-tls-compliance.patch
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
diff -up openssl-1.1.1c/ssl/record/ssl3_record.c.compliance openssl-1.1.1c/ssl/record/ssl3_record.c
|
||||||
|
--- openssl-1.1.1c/ssl/record/ssl3_record.c.compliance 2019-05-28 15:12:21.000000000 +0200
|
||||||
|
+++ openssl-1.1.1c/ssl/record/ssl3_record.c 2019-11-25 13:10:53.890637381 +0100
|
||||||
|
@@ -559,7 +559,7 @@ int ssl3_get_record(SSL *s)
|
||||||
|
RECORD_LAYER_reset_read_sequence(&s->rlayer);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
- SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
|
||||||
|
+ SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
|
||||||
|
SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
diff -up openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance openssl-1.1.1c/ssl/statem/extensions_srvr.c
|
||||||
|
--- openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance 2019-05-28 15:12:21.000000000 +0200
|
||||||
|
+++ openssl-1.1.1c/ssl/statem/extensions_srvr.c 2019-11-25 13:12:59.329459528 +0100
|
||||||
|
@@ -1487,6 +1487,10 @@ EXT_RETURN tls_construct_stoc_status_req
|
||||||
|
unsigned int context, X509 *x,
|
||||||
|
size_t chainidx)
|
||||||
|
{
|
||||||
|
+ /* We don't currently support this extension inside a CertificateRequest */
|
||||||
|
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
|
||||||
|
+ return EXT_RETURN_NOT_SENT;
|
||||||
|
+
|
||||||
|
if (!s->ext.status_expected)
|
||||||
|
return EXT_RETURN_NOT_SENT;
|
||||||
|
|
@ -22,7 +22,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.1.1c
|
Version: 1.1.1c
|
||||||
Release: 2%{?dist}.1
|
Release: 15%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -62,12 +62,22 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch
|
|||||||
Patch48: openssl-1.1.1-fips-post-rand.patch
|
Patch48: openssl-1.1.1-fips-post-rand.patch
|
||||||
Patch49: openssl-1.1.1-evp-kdf.patch
|
Patch49: openssl-1.1.1-evp-kdf.patch
|
||||||
Patch50: openssl-1.1.1-ssh-kdf.patch
|
Patch50: openssl-1.1.1-ssh-kdf.patch
|
||||||
|
Patch60: openssl-1.1.1-krb5-kdf.patch
|
||||||
|
Patch61: openssl-1.1.1-edk2-build.patch
|
||||||
|
Patch62: openssl-1.1.1-fips-curves.patch
|
||||||
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
|
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch51: openssl-1.1.1-upstream-sync.patch
|
Patch51: openssl-1.1.1-upstream-sync.patch
|
||||||
Patch52: openssl-1.1.1-s390x-update.patch
|
Patch52: openssl-1.1.1-s390x-update.patch
|
||||||
Patch53: openssl-1.1.1-fips-crng-test.patch
|
Patch53: openssl-1.1.1-fips-crng-test.patch
|
||||||
Patch54: openssl-1.1.1-regression-fixes.patch
|
Patch54: openssl-1.1.1-regression-fixes.patch
|
||||||
|
Patch55: openssl-1.1.1-arm-update.patch
|
||||||
|
Patch56: openssl-1.1.1-s390x-ecc.patch
|
||||||
|
Patch57: openssl-1.1.1-cve-2019-1547.patch
|
||||||
|
Patch58: openssl-1.1.1-cve-2019-1563.patch
|
||||||
|
Patch59: openssl-1.1.1-cve-2019-1549.patch
|
||||||
|
Patch63: openssl-1.1.1-tls-compliance.patch
|
||||||
|
Patch64: openssl-1.1.1-s390x-sigill.patch
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -178,9 +188,18 @@ cp %{SOURCE13} test/
|
|||||||
%patch52 -p1 -b .s390x-update
|
%patch52 -p1 -b .s390x-update
|
||||||
%patch53 -p1 -b .crng-test
|
%patch53 -p1 -b .crng-test
|
||||||
%patch54 -p1 -b .regression
|
%patch54 -p1 -b .regression
|
||||||
|
%patch55 -p1 -b .arm-update
|
||||||
|
%patch56 -p1 -b .s390x-ecc
|
||||||
|
%patch57 -p1 -b .compute-cofactor
|
||||||
|
%patch58 -p1 -b .cms-padding-oracle
|
||||||
|
%patch59 -p1 -b .fork-safety
|
||||||
|
%patch60 -p1 -b .krb5-kdf
|
||||||
|
%patch61 -p1 -b .edk2-build
|
||||||
|
%patch62 -p1 -b .fips-curves
|
||||||
|
%patch63 -p1 -b .compliance
|
||||||
|
%patch64 -p1 -b .s390x-sigill
|
||||||
%patch65 -p1 -b .drbg-selftest
|
%patch65 -p1 -b .drbg-selftest
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Figure out which flags we want to use.
|
# Figure out which flags we want to use.
|
||||||
# default
|
# default
|
||||||
@ -463,9 +482,43 @@ export LD_LIBRARY_PATH
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Mar 5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2.1
|
* Thu Mar 5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-15
|
||||||
- add selftest of the RAND_DRBG implementation
|
- add selftest of the RAND_DRBG implementation
|
||||||
|
|
||||||
|
* Wed Feb 19 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-14
|
||||||
- fix incorrect error return value from FIPS_selftest_dsa
|
- fix incorrect error return value from FIPS_selftest_dsa
|
||||||
|
- S390x: properly restore SIGILL signal handler
|
||||||
|
|
||||||
|
* Wed Dec 4 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-12
|
||||||
|
- additional fix for the edk2 build
|
||||||
|
|
||||||
|
* Tue Nov 26 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-9
|
||||||
|
- disallow use of SHA-1 signatures in TLS in FIPS mode
|
||||||
|
|
||||||
|
* Mon Nov 25 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-8
|
||||||
|
- fix CVE-2019-1547 - side-channel weak encryption vulnerability
|
||||||
|
- fix CVE-2019-1563 - padding oracle in CMS API
|
||||||
|
- fix CVE-2019-1549 - ensure fork safety of the DRBG
|
||||||
|
- fix handling of non-FIPS allowed EC curves in FIPS mode
|
||||||
|
- fix TLS compliance issues
|
||||||
|
|
||||||
|
* Thu Nov 21 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-7
|
||||||
|
- backported ARM performance fixes from master
|
||||||
|
|
||||||
|
* Wed Nov 20 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6
|
||||||
|
- backport of S390x ECC CPACF enhancements from master
|
||||||
|
- FIPS mode: properly disable 1024 bit DSA key generation
|
||||||
|
- FIPS mode: skip ED25519 and ED448 algorithms in openssl speed
|
||||||
|
- FIPS mode: allow AES-CCM ciphersuites
|
||||||
|
|
||||||
|
* Tue Nov 19 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-5
|
||||||
|
- make the code suitable for edk2 build
|
||||||
|
|
||||||
|
* Thu Nov 14 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-4
|
||||||
|
- backport of SSKDF from master
|
||||||
|
|
||||||
|
* Wed Nov 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-3
|
||||||
|
- backport of KBKDF and KRB5KDF from master
|
||||||
|
|
||||||
* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2
|
* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2
|
||||||
- do not try to use EC groups disallowed in FIPS mode
|
- do not try to use EC groups disallowed in FIPS mode
|
||||||
|
Loading…
Reference in New Issue
Block a user