pool/openssl-1_1
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 650515 from home:vitezslav_cizek:branches:security:tls

Browse Source 
- Update to 1.1.1a
  * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
    the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
    are retained for backwards compatibility.
  * Fixed the issue that RAND_add()/RAND_seed() silently discards random input
    if its length exceeds 4096 bytes. The limit has been raised to a buffer size
    of two gigabytes and the error handling improved.
- drop upstream patches:
  * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
  * 0001-DSA-Check-for-sanity-of-input-parameters.patch
  * 0001-DSA-mod-inverse-fix.patch
  * openssl-CVE-2018-0734.patch
  * openssl-CVE-2018-0735.patch

OBS-URL: https://build.opensuse.org/request/show/650515
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=26
This commit is contained in:
Tomáš Chvátal 2018-11-20 14:58:17 +00:00 committed by Git OBS Bridge
parent c7efd6c62c
commit ea11949bb4
11 changed files with 32 additions and 287 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
View File

@ -1,27 +0,0 @@
From 00496b6423605391864fbbd1693f23631a1c5239 Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Thu, 1 Nov 2018 08:44:11 +1000
Subject: [PATCH] Add a constant time flag to one of the bignums to avoid a
timing leak.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7549)
---
crypto/dsa/dsa_ossl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 2dd2d7489a..7a0b0874c5 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -223,6 +223,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
} while (BN_is_zero(k));
BN_set_flags(k, BN_FLG_CONSTTIME);
+ BN_set_flags(l, BN_FLG_CONSTTIME);
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
--
2.19.1

35
0001-DSA-Check-for-sanity-of-input-parameters.patch
View File

@ -1,35 +0,0 @@
From 3afd38b277a806b901e039c6ad281c5e5c97ef67 Mon Sep 17 00:00:00 2001
From: Vitezslav Cizek <vcizek@suse.com>
Date: Thu, 25 Oct 2018 13:53:26 +0200
Subject: [PATCH] DSA: Check for sanity of input parameters
dsa_builtin_paramgen2 expects the L parameter to be greater than N,
otherwise the generation will get stuck in an infinite loop.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7493)
---
crypto/dsa/dsa_gen.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 46f4f01ee0..383d853b6d 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -327,6 +327,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
if (mctx == NULL)
goto err;
+ /* make sure L > N, otherwise we'll get trapped in an infinite loop */
+ if (L <= N) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
+ goto err;
+ }
+
if (evpmd == NULL) {
if (N == 160)
evpmd = EVP_sha1();
--
2.19.1

76
0001-DSA-mod-inverse-fix.patch
View File

@ -1,76 +0,0 @@
From 415c33563528667868c3c653a612e6fc8736fd79 Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Mon, 29 Oct 2018 06:50:51 +1000
Subject: [PATCH] DSA mod inverse fix
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.
Thanks to Samuel Weiser for finding and reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)
---
crypto/dsa/dsa_ossl.c | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index ac1f65a51a..ca20811200 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -23,6 +23,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa);
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+ BN_CTX *ctx);
static DSA_METHOD openssl_dsa_meth = {
"OpenSSL DSA method",
@@ -259,7 +261,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
goto err;
/* Compute part of 's = inv(k) (m + xr) mod q' */
- if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
+ if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
goto err;
BN_clear_free(*kinvp);
@@ -393,3 +395,31 @@ static int dsa_finish(DSA *dsa)
BN_MONT_CTX_free(dsa->method_mont_p);
return 1;
}
+
+/*
+ * Compute the inverse of k modulo q.
+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
+ * mod-exp operation. Both the exponent and modulus are public information
+ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated
+ * BIGNUM is returned which the caller must free.
+ */
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+ BN_CTX *ctx)
+{
+ BIGNUM *res = NULL;
+ BIGNUM *r, *e;
+
+ if ((r = BN_new()) == NULL)
+ return NULL;
+
+ BN_CTX_start(ctx);
+ if ((e = BN_CTX_get(ctx)) != NULL
+ && BN_set_word(r, 2)
+ && BN_sub(e, q, r)
+ && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
+ res = r;
+ else
+ BN_free(r);
+ BN_CTX_end(ctx);
+ return res;
+}
--
2.19.1

3
openssl-1.1.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d
size 8337920

11
openssl-1.1.1.tar.gz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAluXuZ8ACgkQ2cTSbQ5g
RJE8LQgAiaOFIraF4VQu/mWxUKiO0IkoH//tgorru7XBnhG1F4RgCGNtoiACUgDz
uWZDiFusutYQtZ6ANekBkqDwN1FhUhjg929jDuYhQEKGgncxkjHK8mWrObSY73TC
16AOV21GH0rCrwBotdGO2eLgae2Qgrrek/3a7O0iRWKugwZoKB4D9a/JJc2LGkQJ
UwIO7jx5RHEVoSPr1mQcquF0qGKDXtN575AGk1Kl1W5M3s0Zaemtl1gxCqDYYF0U
dPlP6beEM6r9LuNJtO/rjXz+ZJD9CzF3+O/fgCdxvkmjRklBaOf8qMJdlrkpsURQ
S0ulq/7KguoluU1IJxnF5XsK+yQKWw==
=wvEX
-----END PGP SIGNATURE-----

3
openssl-1.1.1a.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41
size 8350547

11
openssl-1.1.1a.tar.gz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlv0DbMACgkQ2cTSbQ5g
RJGUbggAl++4r/VsG6AN1h+yvJZuUtwE9mhTkiYvywhWOUOTdIJLzTUDaEhpgu6R
uFCbdL2wazXWYVFvCl5MRX9wHkSPWoC9WB6SJe7fMC+NngnPHjcfw9jGSLJneEFn
JaGyZMVaoiKelQpmlGRk8X2kLcdAe/c/L6WRvv89thxvlq2zJnjSH0UfqS9LOlP0
5tVeSz85JhyVoRSxGl/2GhYN2WrI0cY8JN2tz62ijnC/J/LX5KhP0y4Qvh9nqW+m
0apP+iabyUKdCabSjElEmLVg2CwieQYdN/gAQhpae4P6Qk0tC155xNbgDMgxVD+d
/rgBC9pXpM1za7WxAq4iQ6C9zFYapA==
=D+/A
-----END PGP SIGNATURE-----

17
openssl-1_1.changes
View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Tue Nov 20 14:31:28 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
- Update to 1.1.1a
* Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
are retained for backwards compatibility.
* Fixed the issue that RAND_add()/RAND_seed() silently discards random input
if its length exceeds 4096 bytes. The limit has been raised to a buffer size
of two gigabytes and the error handling improved.
- drop upstream patches:
* 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
* 0001-DSA-Check-for-sanity-of-input-parameters.patch
* 0001-DSA-mod-inverse-fix.patch
* openssl-CVE-2018-0734.patch
* openssl-CVE-2018-0735.patch
-------------------------------------------------------------------
Mon Nov 5 12:53:54 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>

8
openssl-1_1.spec
View File

@ -21,7 +21,7 @@
%define _rname openssl
Name: openssl-1_1
# Don't forget to update the version in the "openssl" package!
Version: 1.1.1
Version: 1.1.1a
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
@ -43,12 +43,6 @@ Patch3: openssl-pkgconfig.patch
Patch4: openssl-DEFAULT_SUSE_cipher.patch
Patch5: openssl-ppc64-config.patch
Patch6: openssl-no-date.patch
Patch7: 0001-DSA-Check-for-sanity-of-input-parameters.patch
# OpenSSL Security Advisory [30 October 2018]
Patch8: openssl-CVE-2018-0734.patch
Patch9: openssl-CVE-2018-0735.patch
Patch10: 0001-DSA-mod-inverse-fix.patch
Patch11: 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
BuildRequires: bc
BuildRequires: ed
BuildRequires: pkgconfig

92
openssl-CVE-2018-0734.patch
View File

@ -1,92 +0,0 @@
commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6
Author: Pauli <paul.dale@oracle.com>
Date: Wed Oct 24 07:42:46 2018 +1000
Timing vulnerability in DSA signature generation (CVE-2018-0734).
Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized. Increasing the size of the BNs
prior to doing anything with them suppresses the attack.
Thanks due to Samuel Weiser for finding and locating this.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)
Index: openssl-1.1.1/crypto/dsa/dsa_ossl.c
===================================================================
--- openssl-1.1.1.orig/crypto/dsa/dsa_ossl.c 2018-11-05 13:11:47.440790686 +0100
+++ openssl-1.1.1/crypto/dsa/dsa_ossl.c 2018-11-05 13:12:08.220924384 +0100
@@ -9,6 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
+#include "internal/bn_int.h"
#include <openssl/bn.h>
#include <openssl/sha.h>
#include "dsa_locl.h"
@@ -178,9 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
{
BN_CTX *ctx = NULL;
BIGNUM *k, *kinv = NULL, *r = *rp;
- BIGNUM *l, *m;
+ BIGNUM *l;
int ret = 0;
- int q_bits;
+ int q_bits, q_words;
if (!dsa->p || !dsa->q || !dsa->g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@@ -189,8 +190,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C
k = BN_new();
l = BN_new();
- m = BN_new();
- if (k == NULL || l == NULL || m == NULL)
+ if (k == NULL || l == NULL)
goto err;
if (ctx_in == NULL) {
@@ -201,9 +201,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
/* Preallocate space */
q_bits = BN_num_bits(dsa->q);
- if (!BN_set_bit(k, q_bits)
- || !BN_set_bit(l, q_bits)
- || !BN_set_bit(m, q_bits))
+ q_words = bn_get_top(dsa->q);
+ if (!bn_wexpand(k, q_words + 2)
+ || !bn_wexpand(l, q_words + 2))
goto err;
/* Get random k */
@@ -238,14 +238,17 @@ static int dsa_sign_setup(DSA *dsa, BN_C
* small timing information leakage. We then choose the sum that is
* one bit longer than the modulus.
*
- * TODO: revisit the BN_copy aiming for a memory access agnostic
- * conditional copy.
+ * There are some concerns about the efficacy of doing this. More
+ * specificly refer to the discussion starting with:
+ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
+ * The fix is to rework BN so these gymnastics aren't required.
*/
if (!BN_add(l, k, dsa->q)
- || !BN_add(m, l, dsa->q)
- || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
+ || !BN_add(k, l, dsa->q))
goto err;
+ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
+
if ((dsa)->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
dsa->method_mont_p))
@@ -273,7 +276,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
BN_CTX_free(ctx);
BN_clear_free(k);
BN_clear_free(l);
- BN_clear_free(m);
return ret;
}

36
openssl-CVE-2018-0735.patch
View File

@ -1,36 +0,0 @@
commit 99540ec79491f59ed8b46b4edf130e17dc907f52
Author: Pauli <paul.dale@oracle.com>
Date: Fri Oct 26 10:54:58 2018 +1000
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 7e1b3650e7..0e0a5e1394 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
*/
cardinality_bits = BN_num_bits(cardinality);
group_top = bn_get_top(cardinality);
- if ((bn_wexpand(k, group_top + 1) == NULL)
- || (bn_wexpand(lambda, group_top + 1) == NULL)) {
+ if ((bn_wexpand(k, group_top + 2) == NULL)
+ || (bn_wexpand(lambda, group_top + 2) == NULL)) {
ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
goto err;
}
@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
* k := scalar + 2*cardinality
*/
kbit = BN_is_bit_set(lambda, cardinality_bits);
- BN_consttime_swap(kbit, k, lambda, group_top + 1);
+ BN_consttime_swap(kbit, k, lambda, group_top + 2);
group_top = bn_get_top(group->field);
if ((bn_wexpand(s->X, group_top) == NULL)