diff --git a/SOURCES/0004-Override-default-paths-for-the-CA-directory-tree.patch b/SOURCES/0004-Override-default-paths-for-the-CA-directory-tree.patch index 7c70c60..f16e22b 100644 --- a/SOURCES/0004-Override-default-paths-for-the-CA-directory-tree.patch +++ b/SOURCES/0004-Override-default-paths-for-the-CA-directory-tree.patch @@ -30,12 +30,17 @@ index c0afb96716..d6a5fabd16 100644 diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf --- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200 +++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200 -@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7 +@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7 [openssl_init] providers = provider_sect +# Load default TLS policy configuration +ssl_conf = ssl_module ++alg_section = evp_properties ++ ++[ evp_properties ] ++#This section is intentionally added empty here ++#to be tuned on particular systems # List of providers to load [provider_sect] diff --git a/SOURCES/0012-Disable-explicit-ec.patch b/SOURCES/0012-Disable-explicit-ec.patch index 550cdf4..aea4ccf 100644 --- a/SOURCES/0012-Disable-explicit-ec.patch +++ b/SOURCES/0012-Disable-explicit-ec.patch @@ -26,6 +26,94 @@ diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/cry ret->version = priv_key->version; if (priv_key->privateKey) { +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index a84e088c19..6c37bf78ae 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], + goto err; + } + if (named_group == group) { ++ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) { ++ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); ++ goto err; ++ } ++#if 0 + /* + * If we did not find a named group then the encoding should be explicit + * if it was specified +@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], + goto err; + } + EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); ++#endif + } else { + EC_GROUP_free(group); + group = named_group; +diff --git a/test/ectest.c b/test/ectest.c +index 4890b0555e..e11aec5b3b 100644 +--- a/test/ectest.c ++++ b/test/ectest.c +@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) + || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) +- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, ++ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam, + EVP_PKEY_KEY_PARAMETERS, params), 0)) + goto err; +- ++/* As creating the key should fail, the rest of the test is pointless */ ++# if 0 + /*- Check that all the set values are retrievable -*/ + + /* There should be no match to a group name since the generator changed */ +@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, + #endif + ) + goto err; ++#endif + ret = 1; + err: + BN_free(order_out); +@@ -2714,21 +2716,21 @@ static int custom_params_test(int id) + + /* Compute keyexchange in both directions */ + if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) +- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) +- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) ++ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0) ++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1) + || !TEST_int_gt(bsize, sslen) +- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)) ++ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/) + goto err; + if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL)) +- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1) +- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) ++ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1) ++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1) + || !TEST_int_gt(bsize, t) + || !TEST_int_le(sslen, t) +- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1)) ++ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */) + goto err; +- ++#if 0 + /* Both sides should expect the same shared secret */ + if (!TEST_mem_eq(buf1, sslen, buf2, t)) + goto err; +@@ -2780,7 +2782,7 @@ static int custom_params_test(int id) + /* compare with previous result */ + || !TEST_mem_eq(buf1, t, buf2, sslen)) + goto err; +- ++#endif + ret = 1; + + err: diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c --- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec 2022-03-21 16:55:46.005558779 +0100 +++ openssl-3.0.1/test/endecode_test.c 2022-03-21 16:56:12.636792762 +0100 diff --git a/SOURCES/0024-load-legacy-prov.patch b/SOURCES/0024-load-legacy-prov.patch index c7d2958..52ac5d5 100644 --- a/SOURCES/0024-load-legacy-prov.patch +++ b/SOURCES/0024-load-legacy-prov.patch @@ -1,7 +1,7 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf --- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200 +++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200 -@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1 +@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 @@ -16,7 +16,9 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c [openssl_init] providers = provider_sect # Load default TLS policy configuration - ssl_conf = ssl_module +@@ -42,23 +42,27 @@ [ evp_properties ] + #This section is intentionally added empty here + #to be tuned on particular systems -# List of providers to load -[provider_sect] @@ -52,6 +54,9 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c + +##[legacy_sect] +##activate = 1 ++ ++#Place the third party provider configuration files into this folder ++.include /etc/pki/tls/openssl.d [ ssl_module ] diff --git a/SOURCES/0032-Force-fips.patch b/SOURCES/0032-Force-fips.patch index 5f82475..c8af196 100644 --- a/SOURCES/0032-Force-fips.patch +++ b/SOURCES/0032-Force-fips.patch @@ -7,10 +7,11 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c --- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200 +++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200 -@@ -36,6 +36,7 @@ static int prov_already_activated(const +@@ -36,6 +36,8 @@ static int prov_already_activated(const #include #include #include ++#include +#include #include #include @@ -151,7 +152,7 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi } else { OSSL_PROVIDER_INFO entry; -@@ -306,6 +317,30 @@ static int provider_conf_init(CONF_IMODU +@@ -306,6 +317,33 @@ static int provider_conf_init(CONF_IMODU return 0; } @@ -173,6 +174,9 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) + return 0; + } ++ /* provider_conf_load can return 1 even wwhen the test is failed so check explicitly */ ++ if (OSSL_PROVIDER_available(libctx, "fips") != 1) ++ return 0; + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) + return 0; + if (EVP_default_properties_enable_fips(libctx, 1) != 1) diff --git a/SOURCES/0044-FIPS-140-3-keychecks.patch b/SOURCES/0044-FIPS-140-3-keychecks.patch index 38efa07..67cbd6d 100644 --- a/SOURCES/0044-FIPS-140-3-keychecks.patch +++ b/SOURCES/0044-FIPS-140-3-keychecks.patch @@ -57,7 +57,21 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c dh->dirty_cnt++; ok = 1; err: -diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c +diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c +--- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100 ++++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100 +@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey + eckey->dirty_cnt++; + + #ifdef FIPS_MODULE ++ if (ossl_ec_key_public_check(eckey, ctx) <= 0) { ++ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY); ++ goto err; ++ } ++ + pairwise_test = 1; + #endif /* FIPS_MODULE */ + diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c --- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200 +++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200 @@ -360,3 +374,17 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op const OSSL_DISPATCH ossl_rsa_signature_functions[] = { { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index e0d139d..35f23b2 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, + rsa->dmp1 = NULL; + rsa->dmq1 = NULL; + rsa->iqmp = NULL; ++#ifdef FIPS_MODULE ++ abort(); ++#endif /* defined(FIPS_MODULE) */ + } + } + return ok; diff --git a/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch index d453f97..4b6ecf2 100644 --- a/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch +++ b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch @@ -287,22 +287,6 @@ index 699ada7c52..e534ad0a5f 100644 return mdnid; } -@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) - if (ossl_securitycheck_enabled(ctx)) - return ossl_digest_get_approved_nid(md) != NID_undef; - # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ -+ -+#ifndef FIPS_MODULE -+ { -+ int mdnid = EVP_MD_nid(md); -+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) -+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) -+ return 0; -+ } -+#endif -+ - return 1; - } diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c index de7f0d3a0a..ce54a94fbc 100644 --- a/providers/common/securitycheck_default.c diff --git a/SOURCES/0056-strcasecmp.patch b/SOURCES/0056-strcasecmp.patch index 8a005e6..01ca25e 100644 --- a/SOURCES/0056-strcasecmp.patch +++ b/SOURCES/0056-strcasecmp.patch @@ -19,7 +19,7 @@ diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c -int OPENSSL_strcasecmp(const char *s1, const char *s2) +int -+#ifndef FIPS_MODULE ++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) +__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"), + symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1"))) +#endif @@ -33,7 +33,7 @@ diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c -int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) +int -+#ifndef FIPS_MODULE ++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) +__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"), + symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1"))) +#endif diff --git a/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch index 4c648d8..e8777f3 100644 --- a/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +++ b/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch @@ -9,21 +9,23 @@ party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key agreement schemes, but explicit key confirmation is not implemented and cannot be implemented without protocol changes, and the FIPS provider does not implement trusted third party validation, since it relies on -its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE -as unapproved until we have received clarification from NIST on how -library modules such as OpenSSL should implement TTP validation. +its callers to do that. A request for guidance sent to NIST did clarify +that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add +an indicator to mark them as unapproved previously and should thus keep +the indicator available. This does not affect RSA-OAEP decryption, because it is approved as a component according to the FIPS 140-3 IG, section 2.4.G. Resolves: rhbz#2179331 +Resolves: RHEL-14083 Signed-off-by: Clemens Lang --- include/openssl/core_names.h | 2 ++ include/openssl/evp.h | 4 +++ - .../implementations/asymciphers/rsa_enc.c | 24 +++++++++++++++ - providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++- - 4 files changed, 59 insertions(+), 1 deletion(-) + .../implementations/asymciphers/rsa_enc.c | 19 ++++++++++++ + providers/implementations/kem/rsa_kem.c | 29 ++++++++++++++++++- + 4 files changed, 53 insertions(+), 1 deletion(-) diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 832502a034..e15d208421 100644 @@ -37,7 +39,7 @@ index 832502a034..e15d208421 100644 /* * Encoder / decoder parameters -@@ -503,6 +504,7 @@ extern "C" { +@@ -511,6 +512,7 @@ extern "C" { /* KEM parameters */ #define OSSL_KEM_PARAM_OPERATION "operation" @@ -49,7 +51,7 @@ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index ec2ba46fbd..3803b03422 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h -@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); +@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); # endif @@ -64,25 +66,22 @@ diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/impleme index 568452ec56..2e7ea632d7 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) +@@ -452,6 +452,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) return 0; +#ifdef FIPS_MODULE + p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); + if (p != NULL) { -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; -+ + /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key + * confirmation (section 6.4.2.3.2), or assurance from a trusted third + * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but + * explicit key confirmation is not implemented here and cannot be + * implemented without protocol changes, and the FIPS provider does not + * implement trusted third party validation, since it relies on its -+ * callers to do that. We must thus mark RSA-OAEP as unapproved until -+ * we have received clarification from NIST on how library modules such -+ * as OpenSSL should implement TTP validation. */ -+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ * callers to do that. A request for guidance sent to NIST resulted in ++ * further clarification which allows OpenSSL to claim RSA-OAEP. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; + + if (!OSSL_PARAM_set_int(p, fips_indicator)) + return 0; @@ -92,7 +91,7 @@ index 568452ec56..2e7ea632d7 100644 return 1; } -@@ -465,6 +493,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { +@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), #ifdef FIPS_MODULE OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), @@ -104,7 +103,7 @@ diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations index 882cf16125..b4cc0f9237 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c -@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, +@@ -151,11 +151,38 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) { PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; @@ -124,10 +123,9 @@ index 882cf16125..b4cc0f9237 100644 + * explicit key confirmation is not implemented here and cannot be + * implemented without protocol changes, and the FIPS provider does not + * implement trusted third party validation, since it relies on its -+ * callers to do that. We must thus mark RSASVE unapproved until we -+ * have received clarification from NIST on how library modules such as -+ * OpenSSL should implement TTP validation. */ -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ * callers to do that. A request for guidance sent to NIST resulted in ++ * further clarification which allows OpenSSL to claim RSASVE. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; + + if (!OSSL_PARAM_set_int(p, fips_indicator)) + return 0; diff --git a/SOURCES/0125-CVE-2023-2975.patch b/SOURCES/0125-CVE-2023-2975.patch new file mode 100644 index 0000000..4717087 --- /dev/null +++ b/SOURCES/0125-CVE-2023-2975.patch @@ -0,0 +1,30 @@ +diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c +index 45010b90db..b396c8651a 100644 +--- a/providers/implementations/ciphers/cipher_aes_siv.c ++++ b/providers/implementations/ciphers/cipher_aes_siv.c +@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, + if (!ossl_prov_is_running()) + return 0; + +- if (inl == 0) { +- *outl = 0; +- return 1; +- } ++ /* Ignore just empty encryption/decryption call and not AAD. */ ++ if (out != NULL) { ++ if (inl == 0) { ++ if (outl != NULL) ++ *outl = 0; ++ return 1; ++ } + +- if (outsize < inl) { +- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); +- return 0; ++ if (outsize < inl) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); ++ return 0; ++ } + } + + if (ctx->hw->cipher(ctx, out, in, inl) <= 0) diff --git a/SOURCES/0126-CVE-2023-3446.patch b/SOURCES/0126-CVE-2023-3446.patch new file mode 100644 index 0000000..38132cf --- /dev/null +++ b/SOURCES/0126-CVE-2023-3446.patch @@ -0,0 +1,74 @@ +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 0b391910d6..84a926998e 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret) + if (nid != NID_undef) + return 1; + ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + if (!DH_check_params(dh, ret)) + return 0; + +diff --git a/include/openssl/dh.h b/include/openssl/dh.h +index b97871eca7..36420f51d8 100644 +--- a/include/openssl/dh.h ++++ b/include/openssl/dh.h +@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); + # include + + # ifndef OPENSSL_DH_MAX_MODULUS_BITS +-# define OPENSSL_DH_MAX_MODULUS_BITS 10000 ++# define OPENSSL_DH_MAX_MODULUS_BITS 10000 ++# endif ++ ++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS ++# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 + # endif + + # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 +diff --git a/test/dhtest.c b/test/dhtest.c +index 7b587f3cfa..f8dd8f3aa7 100644 +--- a/test/dhtest.c ++++ b/test/dhtest.c +@@ -73,7 +73,7 @@ static int dh_test(void) + goto err1; + + /* check fails, because p is way too small */ +- if (!DH_check(dh, &i)) ++ if (!TEST_true(DH_check(dh, &i))) + goto err2; + i ^= DH_MODULUS_TOO_SMALL; + if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) +@@ -124,6 +124,17 @@ static int dh_test(void) + /* We'll have a stale error on the queue from the above test so clear it */ + ERR_clear_error(); + ++ /* Modulus of size: dh check max modulus bits + 1 */ ++ if (!TEST_true(BN_set_word(p, 1)) ++ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) ++ goto err3; ++ ++ /* ++ * We expect no checks at all for an excessively large modulus ++ */ ++ if (!TEST_false(DH_check(dh, &i))) ++ goto err3; ++ + /* + * II) key generation + */ +@@ -138,7 +149,7 @@ static int dh_test(void) + goto err3; + + /* ... and check whether it is valid */ +- if (!DH_check(a, &i)) ++ if (!TEST_true(DH_check(a, &i))) + goto err3; + if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) + || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) diff --git a/SOURCES/0127-CVE-2023-3817.patch b/SOURCES/0127-CVE-2023-3817.patch new file mode 100644 index 0000000..5fc72e7 --- /dev/null +++ b/SOURCES/0127-CVE-2023-3817.patch @@ -0,0 +1,57 @@ +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index aef6f9b1b7..fbe2797569 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret) + #ifdef FIPS_MODULE + return DH_check_params(dh, ret); + #else +- int ok = 0, r; ++ int ok = 0, r, q_good = 0; + BN_CTX *ctx = NULL; + BIGNUM *t1 = NULL, *t2 = NULL; + int nid = DH_get_nid((DH *)dh); +@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret) + goto err; + + if (dh->params.q != NULL) { ++ if (BN_ucmp(dh->params.p, dh->params.q) > 0) ++ q_good = 1; ++ else ++ *ret |= DH_CHECK_INVALID_Q_VALUE; ++ } ++ ++ if (q_good) { + if (BN_cmp(dh->params.g, BN_value_one()) <= 0) + *ret |= DH_NOT_SUITABLE_GENERATOR; + else if (BN_cmp(dh->params.g, dh->params.p) >= 0) +diff --git a/test/dhtest.c b/test/dhtest.c +index f8dd8f3aa7..d02b3b7c58 100644 +--- a/test/dhtest.c ++++ b/test/dhtest.c +@@ -124,6 +124,15 @@ static int dh_test(void) + /* We'll have a stale error on the queue from the above test so clear it */ + ERR_clear_error(); + ++ if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one()))) ++ goto err3; ++ ++ if (!TEST_true(DH_check(dh, &i))) ++ goto err3; ++ if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE) ++ || !TEST_false(i & DH_CHECK_Q_NOT_PRIME)) ++ goto err3; ++ + /* Modulus of size: dh check max modulus bits + 1 */ + if (!TEST_true(BN_set_word(p, 1)) + || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) +@@ -135,6 +144,9 @@ static int dh_test(void) + if (!TEST_false(DH_check(dh, &i))) + goto err3; + ++ /* We'll have a stale error on the queue from the above test so clear it */ ++ ERR_clear_error(); ++ + /* + * II) key generation + */ diff --git a/SOURCES/0128-CVE-2023-5363.patch b/SOURCES/0128-CVE-2023-5363.patch new file mode 100644 index 0000000..8610da0 --- /dev/null +++ b/SOURCES/0128-CVE-2023-5363.patch @@ -0,0 +1,318 @@ +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index d2ed3fd378..6a819590e6 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, + return 0; + } + ++#ifndef FIPS_MODULE ++ /* ++ * Fix for CVE-2023-5363 ++ * Passing in a size as part of the init call takes effect late ++ * so, force such to occur before the initialisation. ++ * ++ * The FIPS provider's internal library context is used in a manner ++ * such that this is not an issue. ++ */ ++ if (params != NULL) { ++ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END, ++ OSSL_PARAM_END }; ++ OSSL_PARAM *q = param_lens; ++ const OSSL_PARAM *p; ++ ++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); ++ if (p != NULL) ++ memcpy(q++, p, sizeof(*q)); ++ ++ /* ++ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for ++ * OSSL_CIPHER_PARAM_IVLEN so both are covered here. ++ */ ++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN); ++ if (p != NULL) ++ memcpy(q++, p, sizeof(*q)); ++ ++ if (q != param_lens) { ++ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); ++ return 0; ++ } ++ } ++ } ++#endif ++ + if (enc) { + if (ctx->cipher->einit == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c +index cfffa21350..2318bf6a68 100644 +--- a/test/evp_extra_test.c ++++ b/test/evp_extra_test.c +@@ -4851,6 +4851,253 @@ static int test_ecx_not_private_key(int tst) + return options; + } + ++static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s, ++ const unsigned char *gcm_iv, size_t gcm_ivlen, ++ const unsigned char *gcm_pt, size_t gcm_pt_s, ++ const unsigned char *gcm_aad, size_t gcm_aad_s, ++ const unsigned char *gcm_ct, size_t gcm_ct_s, ++ const unsigned char *gcm_tag, size_t gcm_tag_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen, tmplen; ++ unsigned char outbuf[1024]; ++ unsigned char outtag[16]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", ""))) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, ++ &gcm_ivlen); ++ ++ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) ++ || (gcm_aad != NULL ++ && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen, ++ gcm_aad, gcm_aad_s))) ++ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, ++ gcm_pt, gcm_pt_s)) ++ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, ++ outtag, sizeof(outtag)); ++ ++ if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params)) ++ || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s) ++ || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s)) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s, ++ const unsigned char *gcm_iv, size_t gcm_ivlen, ++ const unsigned char *gcm_pt, size_t gcm_pt_s, ++ const unsigned char *gcm_aad, size_t gcm_aad_s, ++ const unsigned char *gcm_ct, size_t gcm_ct_s, ++ const unsigned char *gcm_tag, size_t gcm_tag_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen; ++ unsigned char outbuf[1024]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if ((ctx = EVP_CIPHER_CTX_new()) == NULL) ++ goto err; ++ ++ if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, ++ &gcm_ivlen); ++ ++ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) ++ || (gcm_aad != NULL ++ && !TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen, ++ gcm_aad, gcm_aad_s))) ++ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, ++ gcm_ct, gcm_ct_s)) ++ || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s)) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, ++ (void*)gcm_tag, gcm_tag_s); ++ ++ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)) ++ ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen))) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int test_aes_gcm_ivlen_change_cve_2023_5363(void) ++{ ++ /* AES-GCM test data obtained from NIST public test vectors */ ++ static const unsigned char gcm_key[] = { ++ 0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf, ++ 0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84, ++ 0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b, ++ }; ++ static const unsigned char gcm_iv[] = { ++ 0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8, ++ 0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca, ++ 0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14, ++ 0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09, ++ 0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8, ++ 0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24, ++ 0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0, ++ 0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54, ++ 0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc, ++ 0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b, ++ 0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d, ++ }; ++ static const unsigned char gcm_pt[] = { ++ 0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07, ++ 0x4f, 0xe3, 0x6f, 0x81, ++ }; ++ static const unsigned char gcm_ct[] = { ++ 0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3, ++ 0xe2, 0xd0, 0xec, 0xed, ++ }; ++ static const unsigned char gcm_tag[] = { ++ 0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63, ++ 0xdb, 0x99, 0x6c, 0x21, ++ }; ++ ++ return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), ++ gcm_pt, sizeof(gcm_pt), NULL, 0, ++ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)) ++ && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), ++ gcm_pt, sizeof(gcm_pt), NULL, 0, ++ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)); ++} ++ ++#ifndef OPENSSL_NO_RC4 ++static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s, ++ const unsigned char *rc4_pt, size_t rc4_pt_s, ++ const unsigned char *rc4_ct, size_t rc4_ct_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen, tmplen; ++ unsigned char outbuf[1024]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", ""))) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, ++ &rc4_key_s); ++ ++ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) ++ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, ++ rc4_pt, rc4_pt_s)) ++ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) ++ goto err; ++ ++ if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s)) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s, ++ const unsigned char *rc4_pt, size_t rc4_pt_s, ++ const unsigned char *rc4_ct, size_t rc4_ct_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen; ++ unsigned char outbuf[1024]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if ((ctx = EVP_CIPHER_CTX_new()) == NULL) ++ goto err; ++ ++ if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, ++ &rc4_key_s); ++ ++ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) ++ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, ++ rc4_ct, rc4_ct_s)) ++ || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s)) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int test_aes_rc4_keylen_change_cve_2023_5363(void) ++{ ++ /* RC4 test data obtained from RFC 6229 */ ++ static const struct { ++ unsigned char key[5]; ++ unsigned char padding[11]; ++ } rc4_key = { ++ { /* Five bytes of key material */ ++ 0x83, 0x32, 0x22, 0x77, 0x2a, ++ }, ++ { /* Random padding to 16 bytes */ ++ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91 ++ } ++ }; ++ static const unsigned char rc4_pt[] = { ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++ }; ++ static const unsigned char rc4_ct[] = { ++ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, ++ 0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda ++ }; ++ ++ if (lgcyprov == NULL) ++ return TEST_skip("Test requires legacy provider to be loaded"); ++ ++ return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key), ++ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)) ++ && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key), ++ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)); ++} ++#endif ++ + int setup_tests(void) + { + OPTION_CHOICE o; +@@ -4994,6 +5241,12 @@ int setup_tests(void) + + ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids)); + ++ /* Test cases for CVE-2023-5363 */ ++ ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363); ++#ifndef OPENSSL_NO_RC4 ++ ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363); ++#endif ++ + return 1; + } + diff --git a/SOURCES/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch b/SOURCES/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch new file mode 100644 index 0000000..8ee8793 --- /dev/null +++ b/SOURCES/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch @@ -0,0 +1,49 @@ +From 0d873f9f647764df147d818a6e998b1c318bac31 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 16 Oct 2023 15:30:26 +0200 +Subject: [PATCH] rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check + +The code did not yet check that the length of the RSA key is positive +and even. + +Signed-off-by: Clemens Lang +Upstream-Status: Backport [8b268541d9aabee51699aef22963407362830ef9] +--- + crypto/rsa/rsa_sp800_56b_check.c | 5 +++++ + test/rsa_sp800_56b_test.c | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c +index fc8f19b487..e6b79e953d 100644 +--- a/crypto/rsa/rsa_sp800_56b_check.c ++++ b/crypto/rsa/rsa_sp800_56b_check.c +@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed, + ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR); + return 0; + } ++ /* (Step 3.c): check that the modulus length is a positive even integer */ ++ if (nbits <= 0 || (nbits & 0x1)) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR); ++ return 0; ++ } + + ctx = BN_CTX_new_ex(rsa->libctx); + if (ctx == NULL) +diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c +index 7660019f47..aa58bbbe6c 100644 +--- a/test/rsa_sp800_56b_test.c ++++ b/test/rsa_sp800_56b_test.c +@@ -458,6 +458,10 @@ static int test_invalid_keypair(void) + && TEST_true(BN_add_word(n, 1)) + && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) + && TEST_true(BN_sub_word(n, 1)) ++ /* check that validation fails if len(n) is not even */ ++ && TEST_true(BN_lshift1(n, n)) ++ && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049)) ++ && TEST_true(BN_rshift1(n, n)) + /* check p */ + && TEST_true(BN_sub_word(p, 2)) + && TEST_true(BN_mul(n, p, q, ctx)) +-- +2.41.0 + diff --git a/SOURCES/0130-CVE-2023-5678.patch b/SOURCES/0130-CVE-2023-5678.patch new file mode 100644 index 0000000..aa98d3b --- /dev/null +++ b/SOURCES/0130-CVE-2023-5678.patch @@ -0,0 +1,143 @@ +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 7ba2beae7f..e20eb62081 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) + */ + int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) + { ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); ++ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; ++ return 0; ++ } ++ ++ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; ++ return 1; ++ } ++ + return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); + } + +diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c +index 4152397426..f76ac0dd14 100644 +--- a/crypto/dh/dh_err.c ++++ b/crypto/dh/dh_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), + "unable to check generator"}, +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index d84ea99241..afc49f5cdc 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + goto err; + } + ++ if (dh->params.q != NULL ++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); ++ goto err; ++ } ++ + if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); + return 0; +@@ -267,6 +273,12 @@ static int generate_key(DH *dh) + return 0; + } + ++ if (dh->params.q != NULL ++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); ++ return 0; ++ } ++ + if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); + return 0; +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index e51504b7ab..36de321b74 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set + DH_R_NO_PRIVATE_VALUE:100:no private value + DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error + DH_R_PEER_KEY_ERROR:111:peer key error ++DH_R_Q_TOO_LARGE:130:q too large + DH_R_SHARED_INFO_ERROR:113:shared info error + DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator + DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters +diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h +index bb24d131eb..519327f795 100644 +--- a/include/crypto/dherr.h ++++ b/include/crypto/dherr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +diff --git a/include/openssl/dh.h b/include/openssl/dh.h +index 6533260f20..50e0cf54be 100644 +--- a/include/openssl/dh.h ++++ b/include/openssl/dh.h +@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams) + # define DH_GENERATOR_3 3 + # define DH_GENERATOR_5 5 + +-/* DH_check error codes */ ++/* DH_check error codes, some of them shared with DH_check_pub_key */ + /* + * NB: These values must align with the equivalently named macros in + * internal/ffc.h. +@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams) + # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 + # define DH_NOT_SUITABLE_GENERATOR 0x08 + # define DH_CHECK_Q_NOT_PRIME 0x10 +-# define DH_CHECK_INVALID_Q_VALUE 0x20 ++# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ + # define DH_CHECK_INVALID_J_VALUE 0x40 + # define DH_MODULUS_TOO_SMALL 0x80 +-# define DH_MODULUS_TOO_LARGE 0x100 ++# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ + + /* DH_check_pub_key error codes */ + # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 +diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h +index 5d2a762a96..074a70145f 100644 +--- a/include/openssl/dherr.h ++++ b/include/openssl/dherr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -50,6 +50,7 @@ + # define DH_R_NO_PRIVATE_VALUE 100 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 ++# define DH_R_Q_TOO_LARGE 130 + # define DH_R_SHARED_INFO_ERROR 113 + # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 + diff --git a/SOURCES/0131-sslgroups-memleak.patch b/SOURCES/0131-sslgroups-memleak.patch new file mode 100644 index 0000000..f292790 --- /dev/null +++ b/SOURCES/0131-sslgroups-memleak.patch @@ -0,0 +1,12 @@ +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 51c2283db915d..0928a30c2d37b 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -765,6 +765,7 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, + tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); + if (tmparr == NULL) + goto end; ++ OPENSSL_free(*pext); + *pext = tmparr; + *pextlen = gcb.gidcnt; + ret = 1; diff --git a/SOURCES/0132-CVE-2023-6129.patch b/SOURCES/0132-CVE-2023-6129.patch new file mode 100644 index 0000000..05e7300 --- /dev/null +++ b/SOURCES/0132-CVE-2023-6129.patch @@ -0,0 +1,86 @@ +diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl +index 9f86134d923fb..2e601bb9c24be 100755 +--- a/crypto/poly1305/asm/poly1305-ppc.pl ++++ b/crypto/poly1305/asm/poly1305-ppc.pl +@@ -744,7 +744,7 @@ + my $LOCALS= 6*$SIZE_T; + my $VSXFRAME = $LOCALS + 6*$SIZE_T; + $VSXFRAME += 128; # local variables +- $VSXFRAME += 13*16; # v20-v31 offload ++ $VSXFRAME += 12*16; # v20-v31 offload + + my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0; + +@@ -919,12 +919,12 @@ + addi r11,r11,32 + stvx v22,r10,$sp + addi r10,r10,32 +- stvx v23,r10,$sp +- addi r10,r10,32 +- stvx v24,r11,$sp ++ stvx v23,r11,$sp + addi r11,r11,32 +- stvx v25,r10,$sp ++ stvx v24,r10,$sp + addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp +@@ -1153,12 +1153,12 @@ + addi r11,r11,32 + stvx v22,r10,$sp + addi r10,r10,32 +- stvx v23,r10,$sp +- addi r10,r10,32 +- stvx v24,r11,$sp ++ stvx v23,r11,$sp + addi r11,r11,32 +- stvx v25,r10,$sp ++ stvx v24,r10,$sp + addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp +@@ -1899,26 +1899,26 @@ + mtspr 256,r12 # restore vrsave + lvx v20,r10,$sp + addi r10,r10,32 +- lvx v21,r10,$sp +- addi r10,r10,32 +- lvx v22,r11,$sp ++ lvx v21,r11,$sp + addi r11,r11,32 +- lvx v23,r10,$sp ++ lvx v22,r10,$sp + addi r10,r10,32 +- lvx v24,r11,$sp ++ lvx v23,r11,$sp + addi r11,r11,32 +- lvx v25,r10,$sp ++ lvx v24,r10,$sp + addi r10,r10,32 +- lvx v26,r11,$sp ++ lvx v25,r11,$sp + addi r11,r11,32 +- lvx v27,r10,$sp ++ lvx v26,r10,$sp + addi r10,r10,32 +- lvx v28,r11,$sp ++ lvx v27,r11,$sp + addi r11,r11,32 +- lvx v29,r10,$sp ++ lvx v28,r10,$sp + addi r10,r10,32 +- lvx v30,r11,$sp +- lvx v31,r10,$sp ++ lvx v29,r11,$sp ++ addi r11,r11,32 ++ lvx v30,r10,$sp ++ lvx v31,r11,$sp + $POP r27,`$VSXFRAME-$SIZE_T*5`($sp) + $POP r28,`$VSXFRAME-$SIZE_T*4`($sp) + $POP r29,`$VSXFRAME-$SIZE_T*3`($sp) diff --git a/SOURCES/0133-CVE-2023-6237.patch b/SOURCES/0133-CVE-2023-6237.patch new file mode 100644 index 0000000..a6f7a9a --- /dev/null +++ b/SOURCES/0133-CVE-2023-6237.patch @@ -0,0 +1,93 @@ +diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c +index fc8f19b48770b..bcbdd24fb8199 100644 +--- a/crypto/rsa/rsa_sp800_56b_check.c ++++ b/crypto/rsa/rsa_sp800_56b_check.c +@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + return 0; + + nbits = BN_num_bits(rsa->n); ++ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + #ifdef FIPS_MODULE + /* + * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) +@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + goto err; + } + +- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); ++ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ ++ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); + #ifdef FIPS_MODULE + if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { + #else +diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t +index dc7cc64533af2..f8088df14d36c 100644 +--- a/test/recipes/91-test_pkey_check.t ++++ b/test/recipes/91-test_pkey_check.t +@@ -70,7 +70,7 @@ push(@positive_tests, ( + "dhpkey.pem" + )) unless disabled("dh"); + +-my @negative_pubtests = (); ++my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key + + push(@negative_pubtests, ( + "dsapub_noparam.der" +diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +new file mode 100644 +index 0000000000000..9a2eaedaf1b22 +--- /dev/null ++++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +@@ -0,0 +1,48 @@ ++-----BEGIN PUBLIC KEY----- ++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR ++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph ++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 ++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ ++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj ++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 ++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq ++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 ++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 ++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j ++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH ++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa ++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y ++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu ++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J ++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo ++F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id ++aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB ++nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi ++R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7 ++kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN ++mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux ++AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O ++f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi ++ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH ++UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx ++wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP ++fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4 ++y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS ++Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL ++HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ ++eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ ++EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz ++chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq ++4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW ++gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC ++A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK ++FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys ++26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC ++xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J ++pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+ ++k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa ++2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q ++Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb ++77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID ++AQAB ++-----END PUBLIC KEY----- diff --git a/SOURCES/0134-engine-based-ECDHE-kex.patch b/SOURCES/0134-engine-based-ECDHE-kex.patch new file mode 100644 index 0000000..fee56f7 --- /dev/null +++ b/SOURCES/0134-engine-based-ECDHE-kex.patch @@ -0,0 +1,47 @@ +diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c +index 448a3c3043c1c..9010fa6c4638c 100644 +--- a/crypto/evp/ctrl_params_translate.c ++++ b/crypto/evp/ctrl_params_translate.c +@@ -1134,6 +1134,7 @@ static int fix_ec_paramgen_curve_nid(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) + { ++ char *p2 = NULL; + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) +@@ -1146,13 +1147,25 @@ static int fix_ec_paramgen_curve_nid(enum state state, + if (state == PRE_CTRL_TO_PARAMS) { + ctx->p2 = (char *)OBJ_nid2sn(ctx->p1); + ctx->p1 = 0; ++ } else if (state == PRE_PARAMS_TO_CTRL) { ++ /* ++ * We're translating from params to ctrl and setting the curve name. ++ * The ctrl function needs it to be a NID, but meanwhile, we need ++ * space to get the curve name from the param. |ctx->name_buf| is ++ * sufficient for that. ++ * The double indirection is necessary for default_fixup_args()'s ++ * call of OSSL_PARAM_get_utf8_string() to be done correctly. ++ */ ++ p2 = ctx->name_buf; ++ ctx->p2 = &p2; ++ ctx->sz = sizeof(ctx->name_buf); + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_PARAMS_TO_CTRL) { +- ctx->p1 = OBJ_sn2nid(ctx->p2); ++ ctx->p1 = OBJ_sn2nid(p2); + ctx->p2 = NULL; + } + +@@ -2789,6 +2802,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx, + if (translation->fixup_args != NULL) + fixup = translation->fixup_args; + ctx.action_type = translation->action_type; ++ ctx.ctrl_cmd = translation->ctrl_num; + } + ctx.pctx = pctx; + ctx.params = params; diff --git a/SOURCES/0135-CVE-2024-0727.patch b/SOURCES/0135-CVE-2024-0727.patch new file mode 100644 index 0000000..ddebf85 --- /dev/null +++ b/SOURCES/0135-CVE-2024-0727.patch @@ -0,0 +1,178 @@ +diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c +index 6fd4184af5a52..80ce31b3bca66 100644 +--- a/crypto/pkcs12/p12_add.c ++++ b/crypto/pkcs12/p12_add.c +@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p7->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); + } + +@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, + { + if (!PKCS7_type_is_encrypted(p7)) + return NULL; ++ ++ if (p7->d.encrypted == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, + ASN1_ITEM_rptr(PKCS12_SAFEBAGS), + pass, passlen, +@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p12->authsafes->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + p7s = ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + if (p7s != NULL) { +diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c +index 67a885a45f89e..68ff54d0e90ee 100644 +--- a/crypto/pkcs12/p12_mutl.c ++++ b/crypto/pkcs12/p12_mutl.c +@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + return 0; + } + ++ if (p12->authsafes->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return 0; ++ } ++ + salt = p12->mac->salt->data; + saltlen = p12->mac->salt->length; + if (p12->mac->iter == NULL) +diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c +index 62230bc6187ff..1e5b5495991a4 100644 +--- a/crypto/pkcs12/p12_npas.c ++++ b/crypto/pkcs12/p12_npas.c +@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) + bags = PKCS12_unpack_p7data(p7); + } else if (bagnid == NID_pkcs7_encrypted) { + bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); +- if (!alg_get(p7->d.encrypted->enc_data->algorithm, +- &pbe_nid, &pbe_iter, &pbe_saltlen)) ++ if (p7->d.encrypted == NULL ++ || !alg_get(p7->d.encrypted->enc_data->algorithm, ++ &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { + continue; +diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c +index 49a0da5f819c4..8228315eeaa3a 100644 +--- a/crypto/pkcs7/pk7_mime.c ++++ b/crypto/pkcs7/pk7_mime.c +@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) + int ctype_nid = OBJ_obj2nid(p7->type); + const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); + +- if (ctype_nid == NID_pkcs7_signed) ++ if (ctype_nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) ++ return 0; + mdalgs = p7->d.sign->md_algs; +- else ++ } else { + mdalgs = NULL; ++ } + + flags ^= SMIME_OLDMIME; + +diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t +index 1f0cb4d501488..b2c376249646d 100644 +--- a/test/recipes/80-test_pkcs12.t ++++ b/test/recipes/80-test_pkcs12.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use OpenSSL::Test qw/:DEFAULT srctop_file/; ++use OpenSSL::Test qw/:DEFAULT srctop_file with/; + use OpenSSL::Test::Utils; + + use Encode; +@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) { + } + $ENV{OPENSSL_WIN32_UTF8}=1; + +-plan tests => 13; ++plan tests => 17; + + # Test different PKCS#12 formats + ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); +@@ -148,4 +148,25 @@ ok(grep(/subject=CN = server.example/, @pkcs12info) == 1, + # Test that the expected friendly name is present in the output + ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output"); + ++# Test some bad pkcs12 files ++my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12"); ++my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12"); ++my $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12"); ++ ++with({ exit_checker => sub { return shift == 1; } }, ++ sub { ++ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])), ++ "test bad pkcs12 file 1"); ++ ++ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:", ++ "-nomacver"])), ++ "test bad pkcs12 file 1 (nomacver)"); ++ ++ ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])), ++ "test bad pkcs12 file 2"); ++ ++ ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])), ++ "test bad pkcs12 file 3"); ++ }); ++ + SetConsoleOutputCP($savedcp) if (defined($savedcp)); +diff --git a/test/recipes/80-test_pkcs12_data/bad1.p12 b/test/recipes/80-test_pkcs12_data/bad1.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..8f3387c7e356e4aa374729f3f3939343557b9c09 +GIT binary patch +literal 85 +zcmV-b0IL5mQvv}4Fbf6=Duzgg_YDCD0Wd)@F)$4V31Egu0c8UO0s#d81R(r{)waiY +rfR=Py6XX#<$m7-wj)xrauuD`}hF=Ng9=0`~S~)@=J%OiUaM0Oze6 +AD*ylh + +literal 0 +HcmV?d00001 + +diff --git a/test/recipes/80-test_pkcs12_data/bad3.p12 b/test/recipes/80-test_pkcs12_data/bad3.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..ef86a1d86fb0bc09471ca2596d82e7d521d973a4 +GIT binary patch +literal 104 +zcmXp=V`5}BkYnT2YV&CO&dbQoxImDF-+oA$5$MVJL*60=F*5iN*C_e&wD%dwCM*q{=+OBX|Z+F7XSHN#>B+I003La +BAqM~e + +literal 0 +HcmV?d00001 + diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index 5a65b10..944551b 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 24%{?dist} +Release: 27%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -197,6 +197,23 @@ Patch121: 0121-FIPS-cms-defaults.patch Patch122: 0122-CVE-2023-2650.patch # https://github.com/openssl/openssl/pull/19386 Patch123: 0123-ibmca-atexit-crash.patch +Patch125: 0125-CVE-2023-2975.patch +Patch126: 0126-CVE-2023-3446.patch +Patch127: 0127-CVE-2023-3817.patch +Patch128: 0128-CVE-2023-5363.patch +# https://github.com/openssl/openssl/pull/22403 +Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch +Patch130: 0130-CVE-2023-5678.patch +# https://github.com/openssl/openssl/pull/20317 +Patch131: 0131-sslgroups-memleak.patch +# https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35 +Patch132: 0132-CVE-2023-6129.patch +# https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a +Patch133: 0133-CVE-2023-6237.patch +# https://github.com/openssl/openssl/pull/20780 +Patch134: 0134-engine-based-ECDHE-kex.patch +# https://github.com/openssl/openssl/pull/23362 +Patch135: 0135-CVE-2024-0727.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -224,6 +241,9 @@ protocols. Summary: A general purpose cryptography library with TLS implementation Requires: ca-certificates >= 2008-5 Requires: crypto-policies >= 20180730 +%if ( %{defined rhel} && (! %{defined centos}) ) +Requires: openssl-fips-provider +%endif %description libs OpenSSL is a toolkit for supporting cryptography. The openssl-libs @@ -376,6 +396,14 @@ make test HARNESS_JOBS=8 # Add generation of HMAC checksum of the final stripped library # We manually copy standard definition of __spec_install_post # and add hmac calculation/embedding to fips.so +%if ( %{defined rhel} && (! %{defined centos}) ) +%define __spec_install_post \ + rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ +%{nil} +%else %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ @@ -385,6 +413,7 @@ make test HARNESS_JOBS=8 mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ %{nil} +%endif %define __provides_exclude_from %{_libdir}/openssl @@ -408,6 +437,7 @@ done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.d install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert @@ -490,6 +520,7 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %dir %{_sysconfdir}/pki/tls/certs %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private +%dir %{_sysconfdir}/pki/tls/openssl.d %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf %config %{_sysconfdir}/pki/tls/fips_local.cnf @@ -522,6 +553,60 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Wed Feb 21 2024 Dmitry Belyavskiy - 1:3.0.7-27 +- Use certified FIPS module instead of freshly built one in Red Hat distribution + Related: RHEL-23474 + +* Tue Nov 21 2023 Dmitry Belyavskiy - 1:3.0.7-26 +- Avoid implicit function declaration when building openssl + Related: RHEL-1780 +- In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails + Resolves: RHEL-17104 +- Add a directory for OpenSSL providers configuration + Resolves: RHEL-17193 +- Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context + Resolves: RHEL-19515 +- POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129) + Resolves: RHEL-21151 +- Excessive time spent checking invalid RSA public keys (CVE-2023-6237) + Resolves: RHEL-21654 +- SSL ECDHE Kex fails when pkcs11 engine is set in config file + Resolves: RHEL-20249 +- Denial of service via null dereference in PKCS#12 + Resolves: RHEL-22486 +- Use certified FIPS module instead of freshly built one in Red Hat distribution + Resolves: RHEL-23474 + +* Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 +- Provide relevant diagnostics when FIPS checksum is corrupted + Resolves: RHEL-5317 +- Don't limit using SHA1 in KDFs in non-FIPS mode. + Resolves: RHEL-5295 +- Provide empty evp_properties section in main OpenSSL configuration file + Resolves: RHEL-11439 +- Avoid implicit function declaration when building openssl + Resolves: RHEL-1780 +- Forbid explicit curves when created via EVP_PKEY_fromdata + Resolves: RHEL-5304 +- AES-SIV cipher implementation contains a bug that causes it to ignore empty + associated data entries (CVE-2023-2975) + Resolves: RHEL-5302 +- Excessive time spent checking DH keys and parameters (CVE-2023-3446) + Resolves: RHEL-5306 +- Excessive time spent checking DH q parameter value (CVE-2023-3817) + Resolves: RHEL-5308 +- Fix incorrect cipher key and IV length processing (CVE-2023-5363) + Resolves: RHEL-13251 +- Switch explicit FIPS indicator for RSA-OAEP to approved following + clarification with CMVP + Resolves: RHEL-14083 +- Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c) + Resolves: RHEL-14083 +- Add missing ECDH Public Key Check in FIPS mode + Resolves: RHEL-15990 +- Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678) + Resolves: RHEL-15954 + * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly Related: rhbz#2216256