From 08c722bcd1e5c9d42dfaf178ddb564f9cf0e317e Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 19 Jan 2024 15:18:50 +0100 Subject: [PATCH] SSL ECDHE Kex fails when pkcs11 engine is set in config file Resolves: RHEL-20249 --- 0134-engine-based-ECDHE-kex.patch | 47 +++++++++++++++++++++++++++++++ openssl.spec | 4 +++ 2 files changed, 51 insertions(+) create mode 100644 0134-engine-based-ECDHE-kex.patch diff --git a/0134-engine-based-ECDHE-kex.patch b/0134-engine-based-ECDHE-kex.patch new file mode 100644 index 0000000..fee56f7 --- /dev/null +++ b/0134-engine-based-ECDHE-kex.patch @@ -0,0 +1,47 @@ +diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c +index 448a3c3043c1c..9010fa6c4638c 100644 +--- a/crypto/evp/ctrl_params_translate.c ++++ b/crypto/evp/ctrl_params_translate.c +@@ -1134,6 +1134,7 @@ static int fix_ec_paramgen_curve_nid(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) + { ++ char *p2 = NULL; + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) +@@ -1146,13 +1147,25 @@ static int fix_ec_paramgen_curve_nid(enum state state, + if (state == PRE_CTRL_TO_PARAMS) { + ctx->p2 = (char *)OBJ_nid2sn(ctx->p1); + ctx->p1 = 0; ++ } else if (state == PRE_PARAMS_TO_CTRL) { ++ /* ++ * We're translating from params to ctrl and setting the curve name. ++ * The ctrl function needs it to be a NID, but meanwhile, we need ++ * space to get the curve name from the param. |ctx->name_buf| is ++ * sufficient for that. ++ * The double indirection is necessary for default_fixup_args()'s ++ * call of OSSL_PARAM_get_utf8_string() to be done correctly. ++ */ ++ p2 = ctx->name_buf; ++ ctx->p2 = &p2; ++ ctx->sz = sizeof(ctx->name_buf); + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_PARAMS_TO_CTRL) { +- ctx->p1 = OBJ_sn2nid(ctx->p2); ++ ctx->p1 = OBJ_sn2nid(p2); + ctx->p2 = NULL; + } + +@@ -2789,6 +2802,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx, + if (translation->fixup_args != NULL) + fixup = translation->fixup_args; + ctx.action_type = translation->action_type; ++ ctx.ctrl_cmd = translation->ctrl_num; + } + ctx.pctx = pctx; + ctx.params = params; diff --git a/openssl.spec b/openssl.spec index df98386..ec1af2e 100644 --- a/openssl.spec +++ b/openssl.spec @@ -210,6 +210,8 @@ Patch131: 0131-sslgroups-memleak.patch Patch132: 0132-CVE-2023-6129.patch # https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a Patch133: 0133-CVE-2023-6237.patch +# https://github.com/openssl/openssl/pull/20780 +Patch134: 0134-engine-based-ECDHE-kex.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -550,6 +552,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-21151 - Excessive time spent checking invalid RSA public keys (CVE-2023-6237) Resolves: RHEL-21654 +- SSL ECDHE Kex fails when pkcs11 engine is set in config file + Resolves: RHEL-20249 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted