import openssl-3.0.7-25.el9_3

c9 imports/c9/openssl-3.0.7-25.el9_3
MSVSphere Packaging Team 10 months ago
parent 793e37c596
commit 4dc75a0704

@ -57,7 +57,21 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
dh->dirty_cnt++; dh->dirty_cnt++;
ok = 1; ok = 1;
err: err:
diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c
--- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100
+++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100
@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey
eckey->dirty_cnt++;
#ifdef FIPS_MODULE
+ if (ossl_ec_key_public_check(eckey, ctx) <= 0) {
+ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY);
+ goto err;
+ }
+
pairwise_test = 1;
#endif /* FIPS_MODULE */
diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c
--- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200 --- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200
+++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200 +++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200
@ -360,3 +374,17 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op
const OSSL_DISPATCH ossl_rsa_signature_functions[] = { const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index e0d139d..35f23b2 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
rsa->dmp1 = NULL;
rsa->dmq1 = NULL;
rsa->iqmp = NULL;
+#ifdef FIPS_MODULE
+ abort();
+#endif /* defined(FIPS_MODULE) */
}
}
return ok;

@ -9,21 +9,23 @@ party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
agreement schemes, but explicit key confirmation is not implemented and agreement schemes, but explicit key confirmation is not implemented and
cannot be implemented without protocol changes, and the FIPS provider cannot be implemented without protocol changes, and the FIPS provider
does not implement trusted third party validation, since it relies on does not implement trusted third party validation, since it relies on
its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE its callers to do that. A request for guidance sent to NIST did clarify
as unapproved until we have received clarification from NIST on how that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add
library modules such as OpenSSL should implement TTP validation. an indicator to mark them as unapproved previously and should thus keep
the indicator available.
This does not affect RSA-OAEP decryption, because it is approved as This does not affect RSA-OAEP decryption, because it is approved as
a component according to the FIPS 140-3 IG, section 2.4.G. a component according to the FIPS 140-3 IG, section 2.4.G.
Resolves: rhbz#2179331 Resolves: rhbz#2179331
Resolves: RHEL-14083
Signed-off-by: Clemens Lang <cllang@redhat.com> Signed-off-by: Clemens Lang <cllang@redhat.com>
--- ---
include/openssl/core_names.h | 2 ++ include/openssl/core_names.h | 2 ++
include/openssl/evp.h | 4 +++ include/openssl/evp.h | 4 +++
.../implementations/asymciphers/rsa_enc.c | 24 +++++++++++++++ .../implementations/asymciphers/rsa_enc.c | 19 ++++++++++++
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++- providers/implementations/kem/rsa_kem.c | 29 ++++++++++++++++++-
4 files changed, 59 insertions(+), 1 deletion(-) 4 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 832502a034..e15d208421 100644 index 832502a034..e15d208421 100644
@ -37,7 +39,7 @@ index 832502a034..e15d208421 100644
/* /*
* Encoder / decoder parameters * Encoder / decoder parameters
@@ -503,6 +504,7 @@ extern "C" { @@ -511,6 +512,7 @@ extern "C" {
/* KEM parameters */ /* KEM parameters */
#define OSSL_KEM_PARAM_OPERATION "operation" #define OSSL_KEM_PARAM_OPERATION "operation"
@ -49,7 +51,7 @@ diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index ec2ba46fbd..3803b03422 100644 index ec2ba46fbd..3803b03422 100644
--- a/include/openssl/evp.h --- a/include/openssl/evp.h
+++ b/include/openssl/evp.h +++ b/include/openssl/evp.h
@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); @@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
# endif # endif
@ -64,25 +66,22 @@ diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/impleme
index 568452ec56..2e7ea632d7 100644 index 568452ec56..2e7ea632d7 100644
--- a/providers/implementations/asymciphers/rsa_enc.c --- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) @@ -452,6 +452,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
return 0; return 0;
+#ifdef FIPS_MODULE +#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); + p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) { + if (p != NULL) {
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
+
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key + /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third + * confirmation (section 6.4.2.3.2), or assurance from a trusted third
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but + * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
+ * explicit key confirmation is not implemented here and cannot be + * explicit key confirmation is not implemented here and cannot be
+ * implemented without protocol changes, and the FIPS provider does not + * implemented without protocol changes, and the FIPS provider does not
+ * implement trusted third party validation, since it relies on its + * implement trusted third party validation, since it relies on its
+ * callers to do that. We must thus mark RSA-OAEP as unapproved until + * callers to do that. A request for guidance sent to NIST resulted in
+ * we have received clarification from NIST on how library modules such + * further clarification which allows OpenSSL to claim RSA-OAEP. */
+ * as OpenSSL should implement TTP validation. */ + int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ +
+ if (!OSSL_PARAM_set_int(p, fips_indicator)) + if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0; + return 0;
@ -92,7 +91,7 @@ index 568452ec56..2e7ea632d7 100644
return 1; return 1;
} }
@@ -465,6 +493,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { @@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
#ifdef FIPS_MODULE #ifdef FIPS_MODULE
OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
@ -104,7 +103,7 @@ diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations
index 882cf16125..b4cc0f9237 100644 index 882cf16125..b4cc0f9237 100644
--- a/providers/implementations/kem/rsa_kem.c --- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c
@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, @@ -151,11 +151,38 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
{ {
PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
@ -124,10 +123,9 @@ index 882cf16125..b4cc0f9237 100644
+ * explicit key confirmation is not implemented here and cannot be + * explicit key confirmation is not implemented here and cannot be
+ * implemented without protocol changes, and the FIPS provider does not + * implemented without protocol changes, and the FIPS provider does not
+ * implement trusted third party validation, since it relies on its + * implement trusted third party validation, since it relies on its
+ * callers to do that. We must thus mark RSASVE unapproved until we + * callers to do that. A request for guidance sent to NIST resulted in
+ * have received clarification from NIST on how library modules such as + * further clarification which allows OpenSSL to claim RSASVE. */
+ * OpenSSL should implement TTP validation. */ + int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ +
+ if (!OSSL_PARAM_set_int(p, fips_indicator)) + if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0; + return 0;

@ -0,0 +1,318 @@
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index d2ed3fd378..6a819590e6 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
return 0;
}
+#ifndef FIPS_MODULE
+ /*
+ * Fix for CVE-2023-5363
+ * Passing in a size as part of the init call takes effect late
+ * so, force such to occur before the initialisation.
+ *
+ * The FIPS provider's internal library context is used in a manner
+ * such that this is not an issue.
+ */
+ if (params != NULL) {
+ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
+ OSSL_PARAM_END };
+ OSSL_PARAM *q = param_lens;
+ const OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
+ if (p != NULL)
+ memcpy(q++, p, sizeof(*q));
+
+ /*
+ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
+ * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
+ */
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
+ if (p != NULL)
+ memcpy(q++, p, sizeof(*q));
+
+ if (q != param_lens) {
+ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+ return 0;
+ }
+ }
+ }
+#endif
+
if (enc) {
if (ctx->cipher->einit == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index cfffa21350..2318bf6a68 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -4851,6 +4851,253 @@ static int test_ecx_not_private_key(int tst)
return options;
}
+static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s,
+ const unsigned char *gcm_iv, size_t gcm_ivlen,
+ const unsigned char *gcm_pt, size_t gcm_pt_s,
+ const unsigned char *gcm_aad, size_t gcm_aad_s,
+ const unsigned char *gcm_ct, size_t gcm_ct_s,
+ const unsigned char *gcm_tag, size_t gcm_tag_s)
+{
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER *cipher = NULL;
+ int outlen, tmplen;
+ unsigned char outbuf[1024];
+ unsigned char outtag[16];
+ OSSL_PARAM params[2] = {
+ OSSL_PARAM_END, OSSL_PARAM_END
+ };
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
+ &gcm_ivlen);
+
+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
+ || (gcm_aad != NULL
+ && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen,
+ gcm_aad, gcm_aad_s)))
+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
+ gcm_pt, gcm_pt_s))
+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
+ outtag, sizeof(outtag));
+
+ if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params))
+ || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s)
+ || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s))
+ goto err;
+
+ ret = 1;
+err:
+ EVP_CIPHER_free(cipher);
+ EVP_CIPHER_CTX_free(ctx);
+
+ return ret;
+}
+
+static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s,
+ const unsigned char *gcm_iv, size_t gcm_ivlen,
+ const unsigned char *gcm_pt, size_t gcm_pt_s,
+ const unsigned char *gcm_aad, size_t gcm_aad_s,
+ const unsigned char *gcm_ct, size_t gcm_ct_s,
+ const unsigned char *gcm_tag, size_t gcm_tag_s)
+{
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER *cipher = NULL;
+ int outlen;
+ unsigned char outbuf[1024];
+ OSSL_PARAM params[2] = {
+ OSSL_PARAM_END, OSSL_PARAM_END
+ };
+
+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
+
+ if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL)
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
+ &gcm_ivlen);
+
+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
+ || (gcm_aad != NULL
+ && !TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen,
+ gcm_aad, gcm_aad_s)))
+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
+ gcm_ct, gcm_ct_s))
+ || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
+ (void*)gcm_tag, gcm_tag_s);
+
+ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params))
+ ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen)))
+ goto err;
+
+ ret = 1;
+err:
+ EVP_CIPHER_free(cipher);
+ EVP_CIPHER_CTX_free(ctx);
+
+ return ret;
+}
+
+static int test_aes_gcm_ivlen_change_cve_2023_5363(void)
+{
+ /* AES-GCM test data obtained from NIST public test vectors */
+ static const unsigned char gcm_key[] = {
+ 0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf,
+ 0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84,
+ 0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b,
+ };
+ static const unsigned char gcm_iv[] = {
+ 0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8,
+ 0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca,
+ 0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14,
+ 0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09,
+ 0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8,
+ 0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24,
+ 0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0,
+ 0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54,
+ 0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc,
+ 0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b,
+ 0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d,
+ };
+ static const unsigned char gcm_pt[] = {
+ 0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07,
+ 0x4f, 0xe3, 0x6f, 0x81,
+ };
+ static const unsigned char gcm_ct[] = {
+ 0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3,
+ 0xe2, 0xd0, 0xec, 0xed,
+ };
+ static const unsigned char gcm_tag[] = {
+ 0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63,
+ 0xdb, 0x99, 0x6c, 0x21,
+ };
+
+ return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
+ gcm_pt, sizeof(gcm_pt), NULL, 0,
+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag))
+ && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
+ gcm_pt, sizeof(gcm_pt), NULL, 0,
+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag));
+}
+
+#ifndef OPENSSL_NO_RC4
+static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s,
+ const unsigned char *rc4_pt, size_t rc4_pt_s,
+ const unsigned char *rc4_ct, size_t rc4_ct_s)
+{
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER *cipher = NULL;
+ int outlen, tmplen;
+ unsigned char outbuf[1024];
+ OSSL_PARAM params[2] = {
+ OSSL_PARAM_END, OSSL_PARAM_END
+ };
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", "")))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
+ &rc4_key_s);
+
+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
+ rc4_pt, rc4_pt_s))
+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
+ goto err;
+
+ if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s))
+ goto err;
+
+ ret = 1;
+err:
+ EVP_CIPHER_free(cipher);
+ EVP_CIPHER_CTX_free(ctx);
+
+ return ret;
+}
+
+static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s,
+ const unsigned char *rc4_pt, size_t rc4_pt_s,
+ const unsigned char *rc4_ct, size_t rc4_ct_s)
+{
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER *cipher = NULL;
+ int outlen;
+ unsigned char outbuf[1024];
+ OSSL_PARAM params[2] = {
+ OSSL_PARAM_END, OSSL_PARAM_END
+ };
+
+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
+
+ if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL)
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
+ &rc4_key_s);
+
+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
+ rc4_ct, rc4_ct_s))
+ || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s))
+ goto err;
+
+ ret = 1;
+err:
+ EVP_CIPHER_free(cipher);
+ EVP_CIPHER_CTX_free(ctx);
+
+ return ret;
+}
+
+static int test_aes_rc4_keylen_change_cve_2023_5363(void)
+{
+ /* RC4 test data obtained from RFC 6229 */
+ static const struct {
+ unsigned char key[5];
+ unsigned char padding[11];
+ } rc4_key = {
+ { /* Five bytes of key material */
+ 0x83, 0x32, 0x22, 0x77, 0x2a,
+ },
+ { /* Random padding to 16 bytes */
+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91
+ }
+ };
+ static const unsigned char rc4_pt[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ };
+ static const unsigned char rc4_ct[] = {
+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a,
+ 0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda
+ };
+
+ if (lgcyprov == NULL)
+ return TEST_skip("Test requires legacy provider to be loaded");
+
+ return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key),
+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct))
+ && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key),
+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct));
+}
+#endif
+
int setup_tests(void)
{
OPTION_CHOICE o;
@@ -4994,6 +5241,12 @@ int setup_tests(void)
ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids));
+ /* Test cases for CVE-2023-5363 */
+ ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363);
+#ifndef OPENSSL_NO_RC4
+ ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363);
+#endif
+
return 1;
}

@ -0,0 +1,49 @@
From 0d873f9f647764df147d818a6e998b1c318bac31 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 16 Oct 2023 15:30:26 +0200
Subject: [PATCH] rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check
The code did not yet check that the length of the RSA key is positive
and even.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Upstream-Status: Backport [8b268541d9aabee51699aef22963407362830ef9]
---
crypto/rsa/rsa_sp800_56b_check.c | 5 +++++
test/rsa_sp800_56b_test.c | 4 ++++
2 files changed, 9 insertions(+)
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
index fc8f19b487..e6b79e953d 100644
--- a/crypto/rsa/rsa_sp800_56b_check.c
+++ b/crypto/rsa/rsa_sp800_56b_check.c
@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
return 0;
}
+ /* (Step 3.c): check that the modulus length is a positive even integer */
+ if (nbits <= 0 || (nbits & 0x1)) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
+ return 0;
+ }
ctx = BN_CTX_new_ex(rsa->libctx);
if (ctx == NULL)
diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
index 7660019f47..aa58bbbe6c 100644
--- a/test/rsa_sp800_56b_test.c
+++ b/test/rsa_sp800_56b_test.c
@@ -458,6 +458,10 @@ static int test_invalid_keypair(void)
&& TEST_true(BN_add_word(n, 1))
&& TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
&& TEST_true(BN_sub_word(n, 1))
+ /* check that validation fails if len(n) is not even */
+ && TEST_true(BN_lshift1(n, n))
+ && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049))
+ && TEST_true(BN_rshift1(n, n))
/* check p */
&& TEST_true(BN_sub_word(p, 2))
&& TEST_true(BN_mul(n, p, q, ctx))
--
2.41.0

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.7 Version: 3.0.7
Release: 24%{?dist} Release: 25%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -197,6 +197,9 @@ Patch121: 0121-FIPS-cms-defaults.patch
Patch122: 0122-CVE-2023-2650.patch Patch122: 0122-CVE-2023-2650.patch
# https://github.com/openssl/openssl/pull/19386 # https://github.com/openssl/openssl/pull/19386
Patch123: 0123-ibmca-atexit-crash.patch Patch123: 0123-ibmca-atexit-crash.patch
Patch128: 0128-CVE-2023-5363.patch
# https://github.com/openssl/openssl/pull/22403
Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
License: ASL 2.0 License: ASL 2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -522,6 +525,19 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Oct 25 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
- Fix incorrect cipher key and IV length processing (CVE-2023-5363)
Resolves: RHEL-13249
- Switch explicit FIPS indicator for RSA-OAEP to approved following
clarification with CMVP
Resolves: RHEL-14614
- Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
Resolves: RHEL-14614
- Add missing ECDH Public Key Check in FIPS mode
Resolves: RHEL-15993
- In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails
Resolves: RHEL-17111
* Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
- Make FIPS module configuration more crypto-policies friendly - Make FIPS module configuration more crypto-policies friendly
Related: rhbz#2216256 Related: rhbz#2216256

Loading…
Cancel
Save