pool/openssl-3
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
dcc7abb986
openssl-3/openssl-FIPS-embed-hmac.patch
Pedro Monreal Gonzalez 6e95485a74 - Update to 3.1.7: 
* Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
    - Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
    - Fixed possible buffer overread in SSL_select_next_proto()
      (CVE-2024-5535)
  * Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
    - Fixed potential use after free after SSL_free_buffers() is
      called (CVE-2024-4741)
    - Fixed an issue where checking excessively long DSA keys or
      parameters may be very slow (CVE-2024-4603)
    - Fixed unbounded memory growth with session handling in TLSv1.3
      (CVE-2024-2511)
  * Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
    - Fixed PKCS12 Decoding crashes (CVE-2024-0727)
    - Fixed Excessive time spent checking invalid RSA public keys
      [CVE-2023-6237)
    - Fixed POLY1305 MAC implementation corrupting vector registers
      on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
    - Fix excessive time spent in DH check / generation with large
      Q parameter value (CVE-2023-5678)
  * Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
  * Rebase patches:
    - openssl-Force-FIPS.patch
    - openssl-FIPS-embed-hmac.patch
    - openssl-FIPS-services-minimize.patch
    - openssl-FIPS-RSA-disable-shake.patch
    - openssl-CVE-2023-50782.patch
  * Remove patches fixed in the update:
    - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
    - openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=119
2024-10-22 12:02:36 +00:00

247 lines
8.3 KiB
Diff
Raw Blame History

From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 19 Oct 2023 13:12:40 +0200
Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
Patch-name: 0033-FIPS-embed-hmac.patch
Patch-id: 33
Patch-status: |
# # Embed HMAC into the fips.so
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
---
providers/fips/self_test.c | 70 ++++++++++++++++++++++++---
test/fipsmodule.cnf | 2 +
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
test/recipes/03-test_fipsinstall.t | 2 +-
test/recipes/30-test_defltfips.t | 2 +-
test/recipes/80-test_ssl_new.t | 2 +-
test/recipes/90-test_sslapi.t | 2 +-
8 files changed, 71 insertions(+), 13 deletions(-)
create mode 100644 test/fipsmodule.cnf
Index: openssl-3.1.7/providers/fips/self_test.c
===================================================================
--- openssl-3.1.7.orig/providers/fips/self_test.c
+++ openssl-3.1.7/providers/fips/self_test.c
@@ -230,11 +230,27 @@ err:
return ok;
}
+#define HMAC_LEN 32
+/*
+ * The __attribute__ ensures we've created the .rodata1 section
+ * static ensures it's zero filled
+*/
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
+
/*
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
* the result matches the expected value.
* Return 1 if verified, or 0 if it fails.
*/
+#ifndef __USE_GNU
+#define __USE_GNU
+#include <dlfcn.h>
+#undef __USE_GNU
+#else
+#include <dlfcn.h>
+#endif
+#include <link.h>
+
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BI
EVP_MAC *mac = NULL;
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
+ Dl_info info;
+ void *extra_info = NULL;
+ struct link_map *lm = NULL;
+ unsigned long paddr;
+ unsigned long off = 0;
if (!integrity_self_test(ev, libctx))
goto err;
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+ if (!dladdr1 ((const void *)fips_hmac_container,
+ &info, &extra_info, RTLD_DL_LINKMAP))
+ goto err;
+ lm = extra_info;
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
if (mac == NULL)
goto err;
@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BI
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
goto err;
- while (1) {
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
+ int delta = paddr - off;
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ memset(buf, 0, HMAC_LEN);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
if (status != 1)
break;
if (!EVP_MAC_update(ctx, buf, bytes_read))
goto err;
+ off += bytes_read;
}
+
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
goto err;
@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BI
goto err;
ret = 1;
err:
+ OPENSSL_cleanse(out, sizeof(out));
OSSL_SELF_TEST_onend(ev, ret);
EVP_MAC_CTX_free(ctx);
EVP_MAC_free(mac);
@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
return 0;
}
- if (st == NULL
- || st->module_checksum_data == NULL) {
+ if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
- &checksum_len);
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
end:
EVP_RAND_free(testrand);
OSSL_SELF_TEST_free(ev);
- OPENSSL_free(module_checksum);
OPENSSL_free(indicator_checksum);
if (st != NULL) {
Index: openssl-3.1.7/test/fipsmodule.cnf
===================================================================
--- /dev/null
+++ openssl-3.1.7/test/fipsmodule.cnf
@@ -0,0 +1,2 @@
+[fips_sect]
+activate = 1
Index: openssl-3.1.7/test/recipes/00-prep_fipsmodule_cnf.t
===================================================================
--- openssl-3.1.7.orig/test/recipes/00-prep_fipsmodule_cnf.t
+++ openssl-3.1.7/test/recipes/00-prep_fipsmodule_cnf.t
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "FIPS module config file only supported in a fips build"
if $no_check;
Index: openssl-3.1.7/test/recipes/01-test_fipsmodule_cnf.t
===================================================================
--- openssl-3.1.7.orig/test/recipes/01-test_fipsmodule_cnf.t
+++ openssl-3.1.7/test/recipes/01-test_fipsmodule_cnf.t
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "Test only supported in a fips build"
if $no_check;
plan tests => 1;
Index: openssl-3.1.7/test/recipes/03-test_fipsinstall.t
===================================================================
--- openssl-3.1.7.orig/test/recipes/03-test_fipsinstall.t
+++ openssl-3.1.7/test/recipes/03-test_fipsinstall.t
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
+plan skip_all => "Test only supported in a fips build" if 1;
# Compatible options for pedantic FIPS compliance
my @pedantic_okay =
Index: openssl-3.1.7/test/recipes/30-test_defltfips.t
===================================================================
--- openssl-3.1.7.orig/test/recipes/30-test_defltfips.t
+++ openssl-3.1.7/test/recipes/30-test_defltfips.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "Configuration loading is turned off"
if disabled("autoload-config");
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
plan tests =>
($no_fips ? 1 : 5);
Index: openssl-3.1.7/test/recipes/80-test_ssl_new.t
===================================================================
--- openssl-3.1.7.orig/test/recipes/80-test_ssl_new.t
+++ openssl-3.1.7/test/recipes/80-test_ssl_new.t
@@ -27,7 +27,7 @@ setup("test_ssl_new");
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
Index: openssl-3.1.7/test/recipes/90-test_sslapi.t
===================================================================
--- openssl-3.1.7.orig/test/recipes/90-test_sslapi.t
+++ openssl-3.1.7/test/recipes/90-test_sslapi.t
@@ -14,7 +14,7 @@ BEGIN {
setup("test_sslapi");
}
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
Reference in New Issue View Git Blame Copy Permalink