diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index c9c7a4f..83d5c23 100644 --- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -139,7 +139,7 @@ index 8360991ce4..33c23efb0d 100644 + + if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) + ciphers_path = SYSTEM_CIPHERS_FILE; -+ ++ ERR_set_mark(); + if (access(ciphers_path, R_OK) == 0) { + CONF *conf = NCONF_new_ex(NULL, NCONF_default()); + char *value = NULL; @@ -153,7 +153,7 @@ index 8360991ce4..33c23efb0d 100644 + } else { + snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); + } -+ ++ ERR_pop_to_mark(); + slen = strlen(suffix); + len = strlen(buf); + diff --git a/0141-print-pq-group.patch b/0141-print-pq-group.patch index a6462fe..e834823 100644 --- a/0141-print-pq-group.patch +++ b/0141-print-pq-group.patch @@ -17,3 +17,16 @@ index 3b3c0dd0b38f5..026315406e298 100644 BIO_puts(out, "Server Temp Key: "); switch (EVP_PKEY_get_id(key)) { case EVP_PKEY_RSA: +diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c +index b98464256e..eb3d7e24f6 100644 +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -3734,7 +3734,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) + if (SSL_CONNECTION_IS_TLS13(sc) && sc->s3.did_kex) + id = sc->s3.group_id; + else +- id = sc->session->kex_group; ++ id = (sc->session != NULL) ? sc->session->kex_group : NID_undef; + ret = tls1_group_id2nid(id, 1); + break; + } diff --git a/0142-CVE-2024-13176-Minerva.patch b/0142-CVE-2024-13176-Minerva.patch new file mode 100644 index 0000000..4dbe652 --- /dev/null +++ b/0142-CVE-2024-13176-Minerva.patch 
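Review bot: ERR_set_mark() is placed before the access() check and ERR_pop_to_mark() after the fallback `snprintf`, so every error raised while reading the system profile is discarded; the lines between the two hunks (the part that loads and queries the CONF) are not in view, so any early `return` or `goto` there would leave the mark set — worth confirming there is none. Because an unreadable or malformed crypto-policies file now presumably degrades silently to the built-in list, the intent should be stated next to the mark: `/* Errors from the system profile are dropped on purpose: an unusable file falls back to SSL_DEFAULT_CIPHER_LIST. */`. The same remark covers the second hunk of this file, which holds the matching ERR_pop_to_mark(). The enclosing function starts and ends outside both hunks.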
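Review bot: The added fallback `id = (sc->session != NULL) ? sc->session->kex_group : NID_undef;` mixes two namespaces: `kex_group` holds a TLS group id while NID_undef is a NID constant, and it only works because both are zero and 0 is not a valid group id. Either write the literal 0 or annotate the line, e.g. `/* 0 is not a valid group id, so tls1_group_id2nid() presumably yields NID_undef */`. The TLS 1.3 branch above reads `sc->s3.group_id` without touching the session, so guarding only the else branch is correct; the surrounding ssl3_ctrl case starts and ends outside the hunk.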
@@ -0,0 +1,93 @@ +diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c +index b876edbfac36e..af52e2ced6914 100644 +--- a/crypto/bn/bn_exp.c ++++ b/crypto/bn/bn_exp.c +@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, + * out by Colin Percival, + * http://www.daemonology.net/hyperthreading-considered-harmful/) + */ +-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *in_mont) + { +@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + unsigned int t4 = 0; + #endif + +- bn_check_top(a); +- bn_check_top(p); +- bn_check_top(m); +- + if (!BN_is_odd(m)) { + ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS); + return 0; +@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + goto err; + } else + #endif +- if (!BN_from_montgomery(rr, &tmp, mont, ctx)) ++ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx)) + goto err; + ret = 1; + err: +@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + return ret; + } + ++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ++ const BIGNUM *m, BN_CTX *ctx, ++ BN_MONT_CTX *in_mont) ++{ ++ bn_check_top(a); ++ bn_check_top(p); ++ bn_check_top(m); ++ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont)) ++ return 0; ++ bn_correct_top(rr); ++ return 1; ++} ++ + int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) + { +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index 19384eba186b5..3f8d65c1bf1a1 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -21,6 +21,7 @@ + #include + #include + #include "crypto/ec.h" ++#include "crypto/bn.h" + #include "internal/nelem.h" + #include "ec_local.h" + +@@ -1265,10 +1266,10 @@ 
static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, + if (!BN_sub(e, group->order, e)) + goto err; + /*- +- * Exponent e is public. +- * No need for scatter-gather or BN_FLG_CONSTTIME. ++ * Although the exponent is public we want the result to be ++ * fixed top. + */ +- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) ++ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data)) + goto err; + + ret = 1; +diff --git a/include/crypto/bn.h b/include/crypto/bn.h +index 47d9b44f879f0..bdee28625ce60 100644 +--- a/include/crypto/bn.h ++++ b/include/crypto/bn.h +@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); + */ + int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mont, BN_CTX *ctx); ++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ++ const BIGNUM *m, BN_CTX *ctx, ++ BN_MONT_CTX *in_mont); + int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx); + int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, diff --git a/0143-CVE-2024-12797.patch b/0143-CVE-2024-12797.patch new file mode 100644 index 0000000..0f618e9 --- /dev/null +++ b/0143-CVE-2024-12797.patch 
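Review bot: The new internal prototype `bn_mod_exp_mont_fixed_top` in include/crypto/bn.h carries no contract, and its defining property is exactly what this fix relies on: the result is left with a fixed, uncorrected top (the public wrapper calls `bn_correct_top(rr)` afterwards, the EC caller does not). I would add above the prototype: `/* As BN_mod_exp_mont_consttime() but rr keeps a fixed (uncorrected) top; callers must bn_correct_top() it before exposing it. */`. The replacement comment in ec_field_inverse_mod_ord says only that a fixed top is wanted; saying why — presumably so that the word count of the computed inverse does not depend on its value and leak through the arithmetic that follows — would stop a future maintainer from "optimising" back to BN_mod_exp_mont. The exponentiation body between the renamed signature and the final bn_from_mont_fixed_top switch is outside the hunk, so whether every exit leaves rr fixed-top could not be checked here; ec_field_inverse_mod_ord also starts and ends outside the hunk.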
@@ -0,0 +1,238 @@ +diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c +index 436b397346..df2eed7594 100644 +--- a/ssl/statem/statem_clnt.c ++++ b/ssl/statem/statem_clnt.c +@@ -1910,6 +1910,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, + { + size_t certidx; + const SSL_CERT_LOOKUP *clu; ++ int v_ok; + + if (sc->session->peer_rpk == NULL) { + SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, +@@ -1919,9 +1920,19 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, + + if (sc->rwstate == SSL_RETRY_VERIFY) + sc->rwstate = SSL_NOTHING; +- if (ssl_verify_rpk(sc, sc->session->peer_rpk) > 0 +- && sc->rwstate == SSL_RETRY_VERIFY) ++ ++ ERR_set_mark(); ++ v_ok = ssl_verify_rpk(sc, sc->session->peer_rpk); ++ if (v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE) { ++ ERR_clear_last_mark(); ++ SSLfatal(sc, ssl_x509err2alert(sc->verify_result), ++ SSL_R_CERTIFICATE_VERIFY_FAILED); ++ return WORK_ERROR; ++ } ++ ERR_pop_to_mark(); /* but we keep s->verify_result */ ++ if (v_ok > 0 && sc->rwstate == SSL_RETRY_VERIFY) { + return WORK_MORE_A; ++ } + + if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx, + SSL_CONNECTION_GET_CTX(sc))) == NULL) { +@@ -2071,10 +2082,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, + + if (s->rwstate == SSL_RETRY_VERIFY) + s->rwstate = SSL_NOTHING; +- i = ssl_verify_cert_chain(s, s->session->peer_chain); +- if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) { +- return WORK_MORE_A; +- } ++ + /* + * The documented interface is that SSL_VERIFY_PEER should be set in order + * for client side verification of the server certificate to take place. +@@ -2089,12 +2097,17 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, + * (less clean) historic behaviour of performing validation if any flag is + * set. The *documented* interface remains the same. 
+ */ +- if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { ++ ERR_set_mark(); ++ i = ssl_verify_cert_chain(s, s->session->peer_chain); ++ if (i <= 0 && s->verify_mode != SSL_VERIFY_NONE) { ++ ERR_clear_last_mark(); + SSLfatal(s, ssl_x509err2alert(s->verify_result), + SSL_R_CERTIFICATE_VERIFY_FAILED); + return WORK_ERROR; + } +- ERR_clear_error(); /* but we keep s->verify_result */ ++ ERR_pop_to_mark(); /* but we keep s->verify_result */ ++ if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) ++ return WORK_MORE_A; + + /* + * Inconsistency alert: cert_chain does include the peer's certificate, +diff --git a/test/rpktest.c b/test/rpktest.c +index ac824798f1..624d366508 100644 +--- a/test/rpktest.c ++++ b/test/rpktest.c +@@ -89,12 +89,14 @@ static int rpk_verify_server_cb(int ok, X509_STORE_CTX *ctx) + * idx = 13 - resumption with client authentication + * idx = 14 - resumption with client authentication, no ticket + * idx = 15 - like 0, but use non-default libctx ++ * idx = 16 - like 7, but with SSL_VERIFY_PEER connection should fail ++ * idx = 17 - like 8, but with SSL_VERIFY_PEER connection should fail + * +- * 16 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests ++ * 18 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests + */ + static int test_rpk(int idx) + { +-# define RPK_TESTS 16 ++# define RPK_TESTS 18 + # define RPK_DIMS (2 * 4 * 2 * 2 * 2 * 2) + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +@@ -114,6 +116,7 @@ static int test_rpk(int idx) + int idx_cert, idx_prot; + int client_auth = 0; + int resumption = 0; ++ int want_error = SSL_ERROR_NONE; + long server_verify_result = 0; + long client_verify_result = 0; + OSSL_LIB_CTX *test_libctx = NULL; +@@ -188,7 +191,7 @@ static int test_rpk(int idx) + #ifdef OPENSSL_NO_ECDSA + /* Can't get other_key if it's ECDSA */ + if (other_pkey == NULL && idx_cert == 0 +- && (idx == 4 || idx == 6 || idx == 7)) { ++ && (idx == 4 || idx == 6 || idx == 7 || idx == 16)) { + testresult = TEST_skip("EDCSA disabled"); + goto end; + } 
+@@ -266,8 +269,10 @@ static int test_rpk(int idx) + goto end; + /* Only a private key */ + if (idx == 1) { +- if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) ++ if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) { + expected = 0; ++ want_error = SSL_ERROR_SSL; ++ } + } else { + /* Add certificate */ + if (!TEST_int_eq(SSL_use_certificate_file(serverssl, cert_file, SSL_FILETYPE_PEM), 1)) +@@ -333,12 +338,14 @@ static int test_rpk(int idx) + client_expected = -1; + if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey))) + goto end; ++ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb); + client_verify_result = X509_V_ERR_DANE_NO_MATCH; + break; + case 8: + if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) + client_expected = -1; + /* no peer keys */ ++ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb); + client_verify_result = X509_V_ERR_RPK_UNTRUSTED; + break; + case 9: +@@ -370,9 +377,13 @@ static int test_rpk(int idx) + if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1)) + goto end; + /* Since there's no cert, this is expected to fail without RPK support */ +- if (!idx_server_client_rpk || !idx_client_client_rpk) ++ if (!idx_server_client_rpk || !idx_client_client_rpk) { + expected = 0; +- SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb); ++ want_error = SSL_ERROR_SSL; ++ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); ++ } else { ++ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb); ++ } + client_auth = 1; + break; + case 11: +@@ -449,31 +460,52 @@ static int test_rpk(int idx) + if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey))) + goto end; + break; ++ case 16: ++ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) { ++ /* wrong expected server key */ ++ expected = 0; ++ want_error = SSL_ERROR_SSL; ++ 
SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); ++ } ++ if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey))) ++ goto end; ++ break; ++ case 17: ++ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) { ++ /* no expected server keys */ ++ expected = 0; ++ want_error = SSL_ERROR_SSL; ++ SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); ++ } ++ break; + } + +- ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); ++ ret = create_ssl_connection(serverssl, clientssl, want_error); + if (!TEST_int_eq(expected, ret)) + goto end; + ++ if (expected <= 0) { ++ testresult = 1; ++ goto end; ++ } ++ + /* Make sure client gets RPK or certificate as configured */ +- if (expected == 1) { +- if (idx_server_server_rpk && idx_client_server_rpk) { +- if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result)) +- goto end; +- if (!TEST_ptr(SSL_get0_peer_rpk(clientssl))) +- goto end; +- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk)) +- goto end; +- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk)) +- goto end; +- } else { +- if (!TEST_ptr(SSL_get0_peer_certificate(clientssl))) +- goto end; +- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_x509)) +- goto end; +- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509)) +- goto end; +- } ++ if (idx_server_server_rpk && idx_client_server_rpk) { ++ if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result)) ++ goto end; ++ if (!TEST_ptr(SSL_get0_peer_rpk(clientssl))) ++ goto end; ++ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk)) ++ goto end; ++ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk)) ++ goto end; ++ } else { ++ if (!TEST_ptr(SSL_get0_peer_certificate(clientssl))) ++ goto end; ++ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), 
TLSEXT_cert_type_x509)) ++ goto end; ++ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509)) ++ goto end; + } + + if (idx == 9) { +@@ -500,8 +532,7 @@ static int test_rpk(int idx) + if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_rpk)) + goto end; + } else { +- /* only if connection is expected to succeed */ +- if (expected == 1 && !TEST_ptr(SSL_get0_peer_certificate(serverssl))) ++ if (!TEST_ptr(SSL_get0_peer_certificate(serverssl))) + goto end; + if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_x509)) + goto end; +@@ -591,7 +622,7 @@ static int test_rpk(int idx) + } + + ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); +- if (!TEST_int_eq(expected, ret)) ++ if (!TEST_true(ret)) + goto end; + verify = SSL_get_verify_result(clientssl); + if (!TEST_int_eq(client_expected, verify)) diff --git a/openssl.spec b/openssl.spec index 27b75b9..a16cf46 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.2.2 -Release: 15%{?dist}.alma.1 +Release: 16%{?dist}.alma.1 Epoch: 1 Source: openssl-%{version}.tar.gz Source2: Makefile.certificate @@ -184,7 +184,11 @@ Patch139: 0139-CVE-2024-6119.patch # https://github.com/openssl/openssl/pull/26197 Patch140: 0140-prov_no-cache.patch # https://github.com/openssl/openssl/pull/25959 +# https://github.com/openssl/openssl/pull/26722 Patch141: 0141-print-pq-group.patch +# https://github.com/openssl/openssl/pull/26429 +Patch142: 0142-CVE-2024-13176-Minerva.patch +Patch143: 0143-CVE-2024-12797.patch License: Apache-2.0 URL: http://www.openssl.org/ 
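Review bot: The updated test-count comment in test/rpktest.c is arithmetically wrong: `18 * 2 * 4 * 2 * 2 * 2 * 2` is 2304, not 2048 (2048 was correct for 16), so the line should read `* 18 * 2 * 4 * 2 * 2 * 2 * 2 = 2304 tests`. In new cases 16 and 17 the verify mode is set on `serverssl`, while the behaviour under test is the client rejecting an unverified server key; unless the client's SSL_VERIFY_PEER default is configured outside the hunk, those cases may not exercise the new `v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE` path — worth confirming against the setup code. In statem_clnt.c the pairing of ERR_clear_last_mark() on the fatal path with ERR_pop_to_mark() on the accept path is the crux of the change and deserves a one-line comment on the first, e.g. `/* keep the verification errors on the queue for the caller; they are only discarded when the failure is tolerated */`. Both statem functions and test_rpk start and end outside the nested hunks.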
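Review bot: Patch143 is added without the upstream reference comment that its neighbours carry (Patch141 and Patch142 each get a `# https://github.com/openssl/openssl/pull/...` line above them), which makes later auditing of this security backport harder. Add the matching line above it, `# https://github.com/openssl/openssl/pull/<UPSTREAM-PR-PLACEHOLDER>`, so each CVE patch can be traced to its upstream change.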
@@ -542,9 +546,20 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h %ldconfig_scriptlets libs %changelog -* Tue Feb 04 2025 Eduard Abdullin - 1:3.2.2-15.alma.1 +* Tue Feb 18 2025 Eduard Abdullin - 1:3.2.2-16.alma.1 - Redefine sslarch for x86_64_v2 arch +* Wed Jan 29 2025 Dmitry Belyavskiy - 1:3.2.2-16 +- Fix timing side-channel in ECDSA signature computation (CVE-2024-13176) + Resolves: RHEL-70879 +- Load system default cipher string from crypto-policies configuration file + should ignore errors. + Related: RHEL-71132 +- RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797) + Resolves: RHEL-76754 +- Fix segfault on printing the temp key from s_client when connection is not established + Resolves: RHEL-79045 + * Thu Jan 02 2025 Dmitry Belyavskiy - 1:3.2.2-15 - Fix providers no_cache behavior Resolves: RHEL-71903