Accepting request 646414 from home:vitezslav_cizek:branches:security:tls

- OpenSSL Security Advisory [30 October 2018]
  * Timing vulnerability in ECDSA signature generation
    (bsc#1113651, CVE-2018-0735)
  * Timing vulnerability in DSA signature generation
    (bsc#1113652, CVE-2018-0734)
  * And more timing fixes
- Add patches:
  * openssl-CVE-2018-0734.patch
  * openssl-CVE-2018-0735.patch
  * 0001-DSA-mod-inverse-fix.patch
  * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch

- Fix infinite loop in DSA generation with incorrect parameters
  (bsc#1112209)
  * 0001-DSA-Check-for-sanity-of-input-parameters.patch

OBS-URL: https://build.opensuse.org/request/show/646414
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=24
This commit is contained in:
Vítězslav Čížek 2018-11-05 14:01:24 +00:00 committed by Git OBS Bridge
parent 332d0e46eb
commit c921472ddf
8 changed files with 324 additions and 0 deletions

View File

@ -0,0 +1,27 @@
From 00496b6423605391864fbbd1693f23631a1c5239 Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Thu, 1 Nov 2018 08:44:11 +1000
Subject: [PATCH] Add a constant time flag to one of the bignums to avoid a
timing leak.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7549)
---
crypto/dsa/dsa_ossl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 2dd2d7489a..7a0b0874c5 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -223,6 +223,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
} while (BN_is_zero(k));
BN_set_flags(k, BN_FLG_CONSTTIME);
+ BN_set_flags(l, BN_FLG_CONSTTIME);
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
--
2.19.1

View File

@ -0,0 +1,35 @@
From 3afd38b277a806b901e039c6ad281c5e5c97ef67 Mon Sep 17 00:00:00 2001
From: Vitezslav Cizek <vcizek@suse.com>
Date: Thu, 25 Oct 2018 13:53:26 +0200
Subject: [PATCH] DSA: Check for sanity of input parameters
dsa_builtin_paramgen2 expects the L parameter to be greater than N,
otherwise the generation will get stuck in an infinite loop.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7493)
---
crypto/dsa/dsa_gen.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 46f4f01ee0..383d853b6d 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -327,6 +327,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
if (mctx == NULL)
goto err;
+ /* make sure L > N, otherwise we'll get trapped in an infinite loop */
+ if (L <= N) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
+ goto err;
+ }
+
if (evpmd == NULL) {
if (N == 160)
evpmd = EVP_sha1();
--
2.19.1

View File

@ -0,0 +1,76 @@
From 415c33563528667868c3c653a612e6fc8736fd79 Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Mon, 29 Oct 2018 06:50:51 +1000
Subject: [PATCH] DSA mod inverse fix
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.
Thanks to Samuel Weiser for finding and reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)
---
crypto/dsa/dsa_ossl.c | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index ac1f65a51a..ca20811200 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -23,6 +23,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa);
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+ BN_CTX *ctx);
static DSA_METHOD openssl_dsa_meth = {
"OpenSSL DSA method",
@@ -259,7 +261,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
goto err;
/* Compute part of 's = inv(k) (m + xr) mod q' */
- if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
+ if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
goto err;
BN_clear_free(*kinvp);
@@ -393,3 +395,31 @@ static int dsa_finish(DSA *dsa)
BN_MONT_CTX_free(dsa->method_mont_p);
return 1;
}
+
+/*
+ * Compute the inverse of k modulo q.
+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
+ * mod-exp operation. Both the exponent and modulus are public information
+ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated
+ * BIGNUM is returned which the caller must free.
+ */
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+ BN_CTX *ctx)
+{
+ BIGNUM *res = NULL;
+ BIGNUM *r, *e;
+
+ if ((r = BN_new()) == NULL)
+ return NULL;
+
+ BN_CTX_start(ctx);
+ if ((e = BN_CTX_get(ctx)) != NULL
+ && BN_set_word(r, 2)
+ && BN_sub(e, q, r)
+ && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
+ res = r;
+ else
+ BN_free(r);
+ BN_CTX_end(ctx);
+ return res;
+}
--
2.19.1

View File

@ -1,3 +1,25 @@
-------------------------------------------------------------------
Mon Nov 5 12:53:54 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
- OpenSSL Security Advisory [30 October 2018]
* Timing vulnerability in ECDSA signature generation
(bsc#1113651, CVE-2018-0735)
* Timing vulnerability in DSA signature generation
(bsc#1113652, CVE-2018-0734)
* And more timing fixes
- Add patches:
* openssl-CVE-2018-0734.patch
* openssl-CVE-2018-0735.patch
* 0001-DSA-mod-inverse-fix.patch
* 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
-------------------------------------------------------------------
Mon Nov 5 11:00:54 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
- Fix infinite loop in DSA generation with incorrect parameters
(bsc#1112209)
* 0001-DSA-Check-for-sanity-of-input-parameters.patch
-------------------------------------------------------------------
Thu Oct 25 13:32:33 UTC 2018 - Cristian Rodríguez <crrodriguez@opensuse.org>

View File

@ -43,6 +43,12 @@ Patch3: openssl-pkgconfig.patch
Patch4: openssl-DEFAULT_SUSE_cipher.patch
Patch5: openssl-ppc64-config.patch
Patch6: openssl-no-date.patch
Patch7: 0001-DSA-Check-for-sanity-of-input-parameters.patch
# OpenSSL Security Advisory [30 October 2018]
Patch8: openssl-CVE-2018-0734.patch
Patch9: openssl-CVE-2018-0735.patch
Patch10: 0001-DSA-mod-inverse-fix.patch
Patch11: 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
BuildRequires: bc
BuildRequires: ed
BuildRequires: pkgconfig

View File

@ -0,0 +1,92 @@
commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6
Author: Pauli <paul.dale@oracle.com>
Date: Wed Oct 24 07:42:46 2018 +1000
Timing vulnerability in DSA signature generation (CVE-2018-0734).
Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized. Increasing the size of the BNs
prior to doing anything with them suppresses the attack.
Thanks due to Samuel Weiser for finding and locating this.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)
Index: openssl-1.1.1/crypto/dsa/dsa_ossl.c
===================================================================
--- openssl-1.1.1.orig/crypto/dsa/dsa_ossl.c 2018-11-05 13:11:47.440790686 +0100
+++ openssl-1.1.1/crypto/dsa/dsa_ossl.c 2018-11-05 13:12:08.220924384 +0100
@@ -9,6 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
+#include "internal/bn_int.h"
#include <openssl/bn.h>
#include <openssl/sha.h>
#include "dsa_locl.h"
@@ -178,9 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
{
BN_CTX *ctx = NULL;
BIGNUM *k, *kinv = NULL, *r = *rp;
- BIGNUM *l, *m;
+ BIGNUM *l;
int ret = 0;
- int q_bits;
+ int q_bits, q_words;
if (!dsa->p || !dsa->q || !dsa->g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@@ -189,8 +190,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C
k = BN_new();
l = BN_new();
- m = BN_new();
- if (k == NULL || l == NULL || m == NULL)
+ if (k == NULL || l == NULL)
goto err;
if (ctx_in == NULL) {
@@ -201,9 +201,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
/* Preallocate space */
q_bits = BN_num_bits(dsa->q);
- if (!BN_set_bit(k, q_bits)
- || !BN_set_bit(l, q_bits)
- || !BN_set_bit(m, q_bits))
+ q_words = bn_get_top(dsa->q);
+ if (!bn_wexpand(k, q_words + 2)
+ || !bn_wexpand(l, q_words + 2))
goto err;
/* Get random k */
@@ -238,14 +238,17 @@ static int dsa_sign_setup(DSA *dsa, BN_C
* small timing information leakage. We then choose the sum that is
* one bit longer than the modulus.
*
- * TODO: revisit the BN_copy aiming for a memory access agnostic
- * conditional copy.
+ * There are some concerns about the efficacy of doing this. More
+ * specificly refer to the discussion starting with:
+ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
+ * The fix is to rework BN so these gymnastics aren't required.
*/
if (!BN_add(l, k, dsa->q)
- || !BN_add(m, l, dsa->q)
- || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
+ || !BN_add(k, l, dsa->q))
goto err;
+ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
+
if ((dsa)->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
dsa->method_mont_p))
@@ -273,7 +276,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
BN_CTX_free(ctx);
BN_clear_free(k);
BN_clear_free(l);
- BN_clear_free(m);
return ret;
}

View File

@ -0,0 +1,36 @@
commit 99540ec79491f59ed8b46b4edf130e17dc907f52
Author: Pauli <paul.dale@oracle.com>
Date: Fri Oct 26 10:54:58 2018 +1000
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 7e1b3650e7..0e0a5e1394 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
*/
cardinality_bits = BN_num_bits(cardinality);
group_top = bn_get_top(cardinality);
- if ((bn_wexpand(k, group_top + 1) == NULL)
- || (bn_wexpand(lambda, group_top + 1) == NULL)) {
+ if ((bn_wexpand(k, group_top + 2) == NULL)
+ || (bn_wexpand(lambda, group_top + 2) == NULL)) {
ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
goto err;
}
@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
* k := scalar + 2*cardinality
*/
kbit = BN_is_bit_set(lambda, cardinality_bits);
- BN_consttime_swap(kbit, k, lambda, group_top + 1);
+ BN_consttime_swap(kbit, k, lambda, group_top + 2);
group_top = bn_get_top(group->field);
if ((bn_wexpand(s->X, group_top) == NULL)

View File

@ -0,0 +1,30 @@
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d75158e..0b0eaf5 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -130,6 +130,13 @@ static const struct {
},
};
+static int SUSE_allow_SSL3() {
+ if (getenv("OPENSSL_ALLOW_SSL3") != NULL)
+ return 1;
+
+ return 0;
+}
+
static int dane_ctx_enable(struct dane_ctx_st *dctx)
{
const EVP_MD **mdevp;
@@ -3049,6 +3056,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ssl_ctx_system_config(ret);
+ /* Allow SSLv3 if user explicitly asked for it */
+ if (!SUSE_allow_SSL3()) {
+ ret->options |= SSL_OP_NO_SSLv3;
+ }
+
return ret;
err:
SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);