From a98d99a5032dced33ff8de82268ddcad0b9e485d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 10 Jun 2014 16:38:56 +0200 Subject: [PATCH] fix CVE-2014-0224 fix that broke EAP-FAST session resumption support - make FIPS mode keygen bit length restriction enforced only when OPENSSL_ENFORCE_MODULUS_BITS is set --- openssl-1.0.1g-new-fips-reqs.patch | 21 +++++++++++---------- openssl-1.0.1h-session-resumption.patch | 11 +++++++++++ openssl.spec | 9 ++++++++- 3 files changed, 30 insertions(+), 11 deletions(-) create mode 100644 openssl-1.0.1h-session-resumption.patch diff --git a/openssl-1.0.1g-new-fips-reqs.patch b/openssl-1.0.1g-new-fips-reqs.patch index 9f2fe9b..335cf43 100644 --- a/openssl-1.0.1g-new-fips-reqs.patch +++ b/openssl-1.0.1g-new-fips-reqs.patch @@ -80,11 +80,12 @@ diff -up openssl-1.0.1g/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1g/crypto/dh/ diff -up openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1g/crypto/dsa/dsa_gen.c --- openssl-1.0.1g/crypto/dsa/dsa_gen.c.fips-reqs 2014-05-06 16:22:21.254536168 +0200 +++ openssl-1.0.1g/crypto/dsa/dsa_gen.c 2014-05-06 16:22:21.432540283 +0200 -@@ -159,7 +159,6 @@ int dsa_builtin_paramgen(DSA *ret, size_ +@@ -159,7 +159,7 @@ int dsa_builtin_paramgen(DSA *ret, size_ } if (FIPS_module_mode() && - (bits != 1024 || qbits != 160) && ++ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024 || qbits != 160) && (bits != 2048 || qbits != 224) && (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) @@ -95,7 +96,7 @@ diff -up openssl-1.0.1g/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1g/crypto/dsa/dsa #endif #define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 -+#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048 ++#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024) #define DSA_FLAG_CACHE_MONT_P 0x01 #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA @@ -1493,7 +1494,7 @@ diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa + return 0; + } + -+ if (bits != 2048 && bits != 3072) ++ if ((pbits & 0xFF) || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits != 2048 && bits != 3072)) + { + FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH); + return 0; @@ -1693,7 +1694,7 @@ diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp; -@@ -176,17 +393,7 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -176,17 +393,12 @@ static int rsa_builtin_keygen(RSA *rsa, #ifdef OPENSSL_FIPS if (FIPS_module_mode()) { @@ -1703,16 +1704,16 @@ diff -up openssl-1.0.1g/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1g/crypto/rsa - return 0; - } - -- if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) -- { -- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT); -- return 0; -- } + if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) + { + FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT); + return 0; + } + return FIPS_rsa_builtin_keygen(rsa, bits, e_value, cb); } #endif -@@ -301,17 +508,6 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -301,17 +520,6 @@ static int rsa_builtin_keygen(RSA *rsa, p = rsa->p; if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err; diff --git a/openssl-1.0.1h-session-resumption.patch b/openssl-1.0.1h-session-resumption.patch new file mode 100644 index 0000000..1d0626f --- /dev/null +++ b/openssl-1.0.1h-session-resumption.patch @@ -0,0 +1,11 @@ +diff -up openssl-1.0.1h/ssl/s3_clnt.c.resumption openssl-1.0.1h/ssl/s3_clnt.c +--- openssl-1.0.1h/ssl/s3_clnt.c.resumption 2014-06-05 11:44:33.000000000 +0200 ++++ openssl-1.0.1h/ssl/s3_clnt.c 2014-06-10 16:35:12.895096670 +0200 +@@ -901,6 +901,7 @@ int ssl3_get_server_hello(SSL *s) + { + s->session->cipher = pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s, p+j); ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + } + } + #endif /* OPENSSL_NO_TLSEXT */ diff --git a/openssl.spec b/openssl.spec index 667d2a8..9c6ea0d 100644 --- a/openssl.spec +++ b/openssl.spec @@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1h -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -85,6 +85,7 @@ Patch90: openssl-1.0.1e-enc-fail.patch Patch91: openssl-1.0.1e-ssl2-no-ec.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch +Patch82: openssl-1.0.1h-session-resumption.patch Patch84: openssl-1.0.1e-trusted-first.patch Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch Patch89: openssl-1.0.1e-ephemeral-key-size.patch @@ -206,6 +207,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch91 -p1 -b .ssl2noec %patch81 -p1 -b .padlock64 +%patch82 -p1 -b .resumption %patch84 -p1 -b .trusted-first %patch85 -p1 -b .armcap %patch89 -p1 -b .ephemeral @@ -472,6 +474,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Tue Jun 10 2014 Tomáš Mráz 1.0.1h-3 +- make FIPS mode keygen bit length restriction enforced only when + OPENSSL_ENFORCE_MODULUS_BITS is set +- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support + * Sat Jun 07 2014 Fedora Release Engineering - 1:1.0.1h-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild