From fa96b8cfdd3f3b68c7d5a44a8680f830f3eb6dda0f2ded112d284f5e477d3d31 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 22 Apr 2016 14:17:16 +0000 Subject: [PATCH] Accepting request 390473 from Base:System 1 OBS-URL: https://build.opensuse.org/request/show/390473 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=131 --- bsc936563_hack.patch | 13 -- openssl-fips-clearerror.patch | 12 ++ ...ips-dont-fall-back-to-default-digest.patch | 128 ++++++++++++++++++ openssl-fips-fix-odd-rsakeybits.patch | 14 ++ openssl-fips-rsagen-d-bits.patch | 39 ++++++ openssl-fips-selftests_in_nonfips_mode.patch | 74 ++++++++++ openssl-fips_RSA_compute_d_with_lcm.patch | 42 ++++++ openssl-fips_disallow_ENGINE_loading.patch | 16 +++ openssl-fips_disallow_x931_rand_method.patch | 13 ++ openssl-ocloexec.patch | 42 +++--- openssl-rsakeygen-minimum-distance.patch | 65 +++++++++ openssl-urandom-reseeding.patch | 100 ++++++++++++++ openssl.changes | 27 ++++ openssl.spec | 27 +++- 14 files changed, 572 insertions(+), 40 deletions(-) delete mode 100644 bsc936563_hack.patch create mode 100644 openssl-fips-clearerror.patch create mode 100644 openssl-fips-dont-fall-back-to-default-digest.patch create mode 100644 openssl-fips-fix-odd-rsakeybits.patch create mode 100644 openssl-fips-rsagen-d-bits.patch create mode 100644 openssl-fips-selftests_in_nonfips_mode.patch create mode 100644 openssl-fips_RSA_compute_d_with_lcm.patch create mode 100644 openssl-fips_disallow_ENGINE_loading.patch create mode 100644 openssl-fips_disallow_x931_rand_method.patch create mode 100644 openssl-rsakeygen-minimum-distance.patch create mode 100644 openssl-urandom-reseeding.patch diff --git a/bsc936563_hack.patch b/bsc936563_hack.patch deleted file mode 100644 index ce27bf0..0000000 --- a/bsc936563_hack.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -Index: openssl-1.0.2c/crypto/ec/Makefile -=================================================================== ---- openssl-1.0.2c.orig/crypto/ec/Makefile -+++ openssl-1.0.2c/crypto/ec/Makefile -@@ -10,7 +10,7 @@ CFLAG=-g - MAKEFILE= Makefile - AR= ar r - --CFLAGS= $(INCLUDES) $(CFLAG) -+CFLAGS= $(INCLUDES) $(CFLAG) -O0 - ASFLAGS= $(INCLUDES) $(ASFLAG) - AFLAGS= $(ASFLAGS) - diff --git a/openssl-fips-clearerror.patch b/openssl-fips-clearerror.patch new file mode 100644 index 0000000..42ce4c6 --- /dev/null +++ b/openssl-fips-clearerror.patch @@ -0,0 +1,12 @@ +Index: openssl-1.0.2g/crypto/o_init.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/o_init.c 2016-04-14 10:54:05.763929573 +0200 ++++ openssl-1.0.2g/crypto/o_init.c 2016-04-14 10:59:08.366168879 +0200 +@@ -91,6 +91,7 @@ static void init_fips_mode(void) + NONFIPS_selftest_check(); + /* drop down to non-FIPS mode if it is not requested */ + FIPS_mode_set(0); ++ ERR_clear_error(); + } else { + /* abort if selftest failed */ + FIPS_selftest_check(); diff --git a/openssl-fips-dont-fall-back-to-default-digest.patch b/openssl-fips-dont-fall-back-to-default-digest.patch new file mode 100644 index 0000000..03b21b3 --- /dev/null +++ b/openssl-fips-dont-fall-back-to-default-digest.patch 
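Review bot: `ERR_clear_error()` after `FIPS_mode_set(0)` in init_fips_mode empties the whole thread error queue, not just whatever that one call pushed, and nothing records which error it is meant to remove. A comment would stop a later reader from deleting it or moving it further down, e.g. `/* FIPS_mode_set(0) presumably queues an error when FIPS was never enabled; drop it so library init leaves a clean error queue */` — confirm against FIPS_module_mode_set before wording it as fact. The `NONFIPS_selftest_check();` context line is itself new in this series (introduced by openssl-fips-selftests_in_nonfips_mode.patch), so this patch only applies after that one; the spec orders them as Patch56 then Patch58, which satisfies that, but the dependency is worth noting in the patch header.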
@@ -0,0 +1,128 @@ +Index: openssl-1.0.2g/apps/dgst.c +=================================================================== +--- openssl-1.0.2g.orig/apps/dgst.c 2016-03-01 14:35:53.000000000 +0100 ++++ openssl-1.0.2g/apps/dgst.c 2016-04-14 11:04:21.706558132 +0200 +@@ -147,7 +147,7 @@ int MAIN(int argc, char **argv) + /* first check the program name */ + program_name(argv[0], pname, sizeof pname); + +- md = EVP_get_digestbyname(pname); ++ md = EVP_get_digestbyname_fips_disabled(pname); + + argc--; + argv++; +@@ -235,7 +235,7 @@ int MAIN(int argc, char **argv) + macopts = sk_OPENSSL_STRING_new_null(); + if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv))) + break; +- } else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL) ++ } else if ((m = EVP_get_digestbyname_fips_disabled(&((*argv)[1]))) != NULL) + md = m; + else + break; +Index: openssl-1.0.2g/apps/apps.c +=================================================================== +--- openssl-1.0.2g.orig/apps/apps.c 2016-03-01 14:35:53.000000000 +0100 ++++ openssl-1.0.2g/apps/apps.c 2016-04-14 11:04:21.707558145 +0200 +@@ -3226,3 +3226,45 @@ int raw_write_stdout(const void *buf, in + return write(fileno(stdout), buf, siz); + } + #endif ++ ++ ++const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name) ++ { ++ int saved_fips_mode = FIPS_mode(); ++ EVP_MD *md; ++ ++ if (saved_fips_mode) ++ FIPS_mode_set(0); ++ ++ OpenSSL_add_all_digests(); ++ md=EVP_get_digestbyname(name); ++ ++ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) { ++ ERR_load_crypto_strings(); ++ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); ++ EXIT(1); ++ } ++ ++ return md; ++ } ++ ++const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name) ++ { ++ int saved_fips_mode = FIPS_mode(); ++ EVP_CIPHER *ciph; ++ ++ if (saved_fips_mode) ++ FIPS_mode_set(0); ++ ++ OpenSSL_add_all_ciphers(); ++ ciph=EVP_get_cipherbyname(name); ++ ++ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) { ++ ERR_load_crypto_strings(); 
++ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); ++ EXIT(1); ++ } ++ ++ return ciph; ++ } ++ +Index: openssl-1.0.2g/apps/apps.h +=================================================================== +--- openssl-1.0.2g.orig/apps/apps.h 2016-03-01 14:35:53.000000000 +0100 ++++ openssl-1.0.2g/apps/apps.h 2016-04-14 11:04:21.707558145 +0200 +@@ -348,6 +348,9 @@ void print_cert_checks(BIO *bio, X509 *x + + void store_setup_crl_download(X509_STORE *st); + ++const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name); ++const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name); ++ + # define FORMAT_UNDEF 0 + # define FORMAT_ASN1 1 + # define FORMAT_TEXT 2 +Index: openssl-1.0.2g/apps/enc.c +=================================================================== +--- openssl-1.0.2g.orig/apps/enc.c 2016-03-01 14:35:05.000000000 +0100 ++++ openssl-1.0.2g/apps/enc.c 2016-04-15 13:57:22.782628623 +0200 +@@ -150,7 +150,7 @@ int MAIN(int argc, char **argv) + do_zlib = 1; + #endif + +- cipher = EVP_get_cipherbyname(pname); ++ cipher = EVP_get_cipherbyname_fips_disabled(pname); + #ifdef ZLIB + if (!do_zlib && !base64 && (cipher == NULL) + && (strcmp(pname, "enc") != 0)) +@@ -269,7 +269,7 @@ int MAIN(int argc, char **argv) + } else if (strcmp(*argv, "-non-fips-allow") == 0) + non_fips_allow = 1; + else if ((argv[0][0] == '-') && +- ((c = EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) { ++ ((c = EVP_get_cipherbyname_fips_disabled(&(argv[0][1]))) != NULL)) { + cipher = c; + } else if (strcmp(*argv, "-none") == 0) + cipher = NULL; +@@ -322,6 +322,10 @@ int MAIN(int argc, char **argv) + argv++; + } + ++ /* drop out of fips mode if we should allow non-fips algos */ ++ if (non_fips_allow) ++ FIPS_mode_set(0); ++ + #ifndef OPENSSL_NO_ENGINE + setup_engine(bio_err, engine, 0); + #endif +@@ -338,7 +342,7 @@ int MAIN(int argc, char **argv) + goto end; + } + +- if (md && (dgst = EVP_get_digestbyname(md)) == NULL) { ++ if (md && (dgst = EVP_get_digestbyname_fips_disabled(md)) 
== NULL) { + BIO_printf(bio_err, "%s is an unsupported message digest type\n", md); + goto end; + } diff --git a/openssl-fips-fix-odd-rsakeybits.patch b/openssl-fips-fix-odd-rsakeybits.patch new file mode 100644 index 0000000..2a1475c --- /dev/null +++ b/openssl-fips-fix-odd-rsakeybits.patch @@ -0,0 +1,14 @@ +Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-14 10:52:34.187646539 +0200 ++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-14 10:53:39.335559301 +0200 +@@ -465,7 +465,8 @@ static int rsa_builtin_keygen(RSA *rsa, + goto err; + + bitsp = (bits + 1) / 2; +- bitsq = bits - bitsp; ++ /* Use the same number of bits for p and q, our checks assume it. */ ++ bitsq = bitsp; + + /* prepare a maximum for p and q */ + /* 0xB504F334 is (sqrt(2)/2)*2^32 */ diff --git a/openssl-fips-rsagen-d-bits.patch b/openssl-fips-rsagen-d-bits.patch new file mode 100644 index 0000000..9d31caa --- /dev/null +++ b/openssl-fips-rsagen-d-bits.patch 
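Review bot: `EVP_MD *md;` and `EVP_CIPHER *ciph;` in the two new apps.c helpers discard the const qualifier that `EVP_get_digestbyname` and `EVP_get_cipherbyname` return, only to hand the pointers back as const again; declare them `const EVP_MD *md;` and `const EVP_CIPHER *ciph;` so the build stays warning-free. The helpers also flip FIPS mode process-wide for the duration of a name lookup, which is fine for the single-threaded command-line apps this patch targets but should be stated on the apps.h declarations, e.g. `/* Look up by name with FIPS mode temporarily disabled; restores the mode or exits. Not safe while other threads use libcrypto. */`, so nobody lifts them into library code. In enc.c the new `FIPS_mode_set(0)` under `non_fips_allow` ignores its return value, whereas the helpers abort when restoring the mode fails; either check it or add a comment saying why a failure there is harmless, to keep the two paths consistent.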
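Review bot: `bitsq = bitsp;` gives p and q both `(bits + 1) / 2` bits, so for an odd `bits` the modulus ends up with `bits + 1` bits rather than the size the caller asked for, unless a check outside this hunk rejects that case. If that is an accepted trade-off for the r0/r3 bounds that openssl-rsakeygen-minimum-distance.patch derives from bitsp alone, the comment should say so explicitly: `/* p and q get the same size because the r0/r3 bounds below are derived from bitsp; an odd bits therefore yields a bits+1 bit modulus. */`. The alternative is to reject odd `bits` up front so the size contract of the function still holds.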
@@ -0,0 +1,39 @@ +Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-14 10:23:50.941168136 +0200 ++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-14 10:47:56.651757817 +0200 +@@ -237,6 +237,12 @@ static int FIPS_rsa_builtin_keygen(RSA * + goto err; + } + ++ BN_copy(rsa->e, e_value); ++ ++ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) ++ test = 1; ++ ++retry: + /* prepare approximate minimum p and q */ + if (!BN_set_word(r0, 0xB504F334)) + goto err; +@@ -249,12 +255,6 @@ static int FIPS_rsa_builtin_keygen(RSA * + if (!BN_lshift(r3, r3, pbits - 100)) + goto err; + +- BN_copy(rsa->e, e_value); +- +- if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) +- test = 1; +- +- retry: + /* generate p and q */ + for (i = 0; i < 5 * pbits; i++) { + ploop: +@@ -384,6 +384,8 @@ static int FIPS_rsa_builtin_keygen(RSA * + if (!BN_mod_inverse(rsa->d, rsa->e, lcm_p1_q1, ctx)) + goto err; /* d */ + ++ /* test 2^(bits/2) < d < LCM((p-1)*(q-1)) */ ++ /* the LCM part is covered due to the generation by modulo above */ + if (BN_num_bits(rsa->d) < pbits) + goto retry; /* d is too small */ + diff --git a/openssl-fips-selftests_in_nonfips_mode.patch b/openssl-fips-selftests_in_nonfips_mode.patch new file mode 100644 index 0000000..6b4fd1e --- /dev/null +++ b/openssl-fips-selftests_in_nonfips_mode.patch 
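Review bot: the new comment `/* test 2^(bits/2) < d < LCM((p-1)*(q-1)) */` does not describe the check beneath it: `BN_num_bits(rsa->d) < pbits` only retries when d < 2^(pbits-1), so a d with exactly pbits bits passes although it is below 2^(bits/2) if pbits is bits/2. FIPS 186-4 B.3.1 asks for d > 2^(nlen/2), which would be `if (BN_num_bits(rsa->d) <= pbits) goto retry;`; either tighten the comparison or reword the comment to the bound actually enforced. Moving `retry:` above the r0/r3 setup means those constants are recomputed on every retry, which is harmless but worth a word. pbits and the loop that bounds retries are outside the hunk, so confirm pbits is bits/2 before changing the comparison.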
@@ -0,0 +1,74 @@ +Index: openssl-1.0.2g/crypto/fips/fips.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/fips/fips.c 2016-04-14 10:49:37.460170356 +0200 ++++ openssl-1.0.2g/crypto/fips/fips.c 2016-04-14 10:49:47.270307813 +0200 +@@ -448,6 +448,44 @@ int FIPS_module_mode_set(int onoff, cons + return ret; + } + ++/* In non-FIPS mode, the selftests must succeed if the ++ * checksum files are present ++ */ ++void NONFIPS_selftest_check(void) ++ { ++ int rv; ++ char *hmacpath; ++ char path[PATH_MAX+1]; ++ ++ if (fips_selftest_fail) ++ { ++ /* check if the checksum files are installed */ ++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path)); ++ if (rv < 0) ++ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); ++ ++ hmacpath = make_hmac_path(path); ++ if (hmacpath == NULL) ++ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); ++ ++ if (access(hmacpath, F_OK)) ++ { ++ /* no hmac file is present, ignore the failed selftests */ ++ if (errno == ENOENT) ++ { ++ free(hmacpath); ++ return; ++ } ++ /* we fail on any other error */ ++ } ++ /* if the file exists, but the selftests failed ++ (eg wrong checksum), we fail too */ ++ free(hmacpath); ++ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); ++ } ++ /* otherwise ok, selftests were successful */ ++ } ++ + static CRYPTO_THREADID fips_thread; + static int fips_thread_set = 0; + +Index: openssl-1.0.2g/crypto/fips/fips.h +=================================================================== +--- openssl-1.0.2g.orig/crypto/fips/fips.h 2016-04-14 10:49:47.270307813 +0200 ++++ openssl-1.0.2g/crypto/fips/fips.h 2016-04-14 10:50:45.867128848 +0200 +@@ -107,6 +107,7 @@ extern "C" { + int FIPS_selftest_drbg(void); + int FIPS_selftest_drbg_all(void); + int FIPS_selftest_cmac(void); ++ void NONFIPS_selftest_check(void); + + void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + +Index: 
openssl-1.0.2g/crypto/o_init.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/o_init.c 2016-04-14 10:49:47.270307813 +0200 ++++ openssl-1.0.2g/crypto/o_init.c 2016-04-14 10:51:31.634770112 +0200 +@@ -87,6 +87,8 @@ static void init_fips_mode(void) + */ + + if (buf[0] != '1') { ++ /* abort if selftest failed and the module is complete */ ++ NONFIPS_selftest_check(); + /* drop down to non-FIPS mode if it is not requested */ + FIPS_mode_set(0); + } else { diff --git a/openssl-fips_RSA_compute_d_with_lcm.patch b/openssl-fips_RSA_compute_d_with_lcm.patch new file mode 100644 index 0000000..80c93a7 --- /dev/null +++ b/openssl-fips_RSA_compute_d_with_lcm.patch 
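Review bot: the new NONFIPS_selftest_check in fips.c does not document its contract: it either returns silently or terminates the process through OpenSSLDie, and the only tolerated failure is the .hmac file being absent (`access()` failing with ENOENT). Expand the header comment to say so, e.g. `/* Called during library init when FIPS mode is not requested. Returns if the power-up selftests passed or if no .hmac checksum file is installed next to libcrypto; aborts the process in every other case, including a failure to locate the library. */`. The brace placement (`{` on its own indented line, body indented a further level) follows the pre-1.0.2 OpenSSL style, while the surrounding fips.c uses K&R braces as the `return ret;` / `}` context above shows; matching the file would be consistent. `rv` is used once and could be folded into the `if`.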
@@ -0,0 +1,42 @@ +Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-13 15:07:34.371851679 +0200 ++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-13 15:18:00.630306031 +0200 +@@ -177,6 +177,7 @@ static int FIPS_rsa_builtin_keygen(RSA * + BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; + BIGNUM local_r0, local_d, local_p; + BIGNUM *pr0, *d, *p; ++ BIGNUM *gcd_p1_q1 = NULL, *lcm_p1_q1 = NULL; + BN_CTX *ctx = NULL; + int ok = -1; + int i; +@@ -204,6 +205,8 @@ static int FIPS_rsa_builtin_keygen(RSA * + r1 = BN_CTX_get(ctx); + r2 = BN_CTX_get(ctx); + r3 = BN_CTX_get(ctx); ++ gcd_p1_q1 = BN_CTX_get(ctx); ++ lcm_p1_q1 = BN_CTX_get(ctx); + + if (r3 == NULL) + goto err; +@@ -372,12 +375,18 @@ static int FIPS_rsa_builtin_keygen(RSA * + BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); + } else + pr0 = r0; +- if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) ++ ++ /* calculate lcm(p-1,q-1) = (p-1)*(q-1) / gcd(p-1,q-1) */ ++ if (!BN_gcd(gcd_p1_q1, r1, r2, ctx)) ++ goto err; /* gcd(p-1,q-1) */ ++ if (!BN_div(lcm_p1_q1, NULL, pr0, gcd_p1_q1, ctx)) ++ goto err; ++ if (!BN_mod_inverse(rsa->d, rsa->e, lcm_p1_q1, ctx)) + goto err; /* d */ + + if (BN_num_bits(rsa->d) < pbits) + goto retry; /* d is too small */ +- ++ + /* set up d for correct BN_FLG_CONSTTIME flag */ + if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { + d = &local_d; diff --git a/openssl-fips_disallow_ENGINE_loading.patch b/openssl-fips_disallow_ENGINE_loading.patch new file mode 100644 index 0000000..1296268 --- /dev/null +++ b/openssl-fips_disallow_ENGINE_loading.patch 
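Review bot: `BN_mod_inverse(rsa->d, rsa->e, lcm_p1_q1, ctx)` loses the constant-time protection the lines just above set up: `pr0` is wrapped with BN_FLG_CONSTTIME so the inverse takes the non-branching path, but the new modulus `lcm_p1_q1` carries no flag, and 1.0.2's BN_mod_inverse chooses BN_mod_inverse_no_branch from the flags of its operands, so d is now computed with the variable-time algorithm over secret data whenever RSA_FLAG_NO_CONSTTIME is not set. Compute the lcm from `r0` (which holds (p-1)*(q-1) here, as the removed inverse modulo pr0 shows) before the wrapping, then wrap `lcm_p1_q1` instead of `r0`, as sketched below; the `pr0 = &local_r0;` line is just above the hunk and is inferred from the `local_r0` declaration. Separately, `if (r3 == NULL) goto err;` no longer guards the last `BN_CTX_get`: the two new gets come after r3, so the check should become `if (lcm_p1_q1 == NULL) goto err;`. The BN_with_flags block starts outside the hunk.
```c
    /* calculate lcm(p-1,q-1) = (p-1)*(q-1) / gcd(p-1,q-1) */
    if (!BN_gcd(gcd_p1_q1, r1, r2, ctx))
        goto err;               /* gcd(p-1,q-1) */
    if (!BN_div(lcm_p1_q1, NULL, r0, gcd_p1_q1, ctx))
        goto err;               /* lcm(p-1,q-1) */
    /* wrap the lcm, not (p-1)*(q-1), so BN_mod_inverse takes the
     * non-branching path when constant time is requested */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        pr0 = &local_r0;
        BN_with_flags(pr0, lcm_p1_q1, BN_FLG_CONSTTIME);
    } else
        pr0 = lcm_p1_q1;
    if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
        goto err;               /* d */
    /* … unchanged: d size check, local_d setup … */
```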
@@ -0,0 +1,16 @@ +Index: openssl-1.0.2g/crypto/engine/eng_all.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/engine/eng_all.c 2016-04-13 15:04:40.644190904 +0200 ++++ openssl-1.0.2g/crypto/engine/eng_all.c 2016-04-13 15:06:04.092468490 +0200 +@@ -70,11 +70,6 @@ void ENGINE_load_builtin_engines(void) + #ifdef OPENSSL_FIPS + OPENSSL_init_library(); + if (FIPS_mode()) { +- /* We allow loading dynamic engine as a third party +- engine might be FIPS validated. +- User is disallowed to load non-validated engines +- by security policy. */ +- ENGINE_load_dynamic(); + return; + } + #endif diff --git a/openssl-fips_disallow_x931_rand_method.patch b/openssl-fips_disallow_x931_rand_method.patch new file mode 100644 index 0000000..cbf69b4 --- /dev/null +++ b/openssl-fips_disallow_x931_rand_method.patch @@ -0,0 +1,13 @@ +Index: openssl-1.0.2g/crypto/fips/fips_rand_lib.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/fips/fips_rand_lib.c 2016-04-13 15:01:53.236630810 +0200 ++++ openssl-1.0.2g/crypto/fips/fips_rand_lib.c 2016-04-13 15:02:48.986482927 +0200 +@@ -73,8 +73,6 @@ int FIPS_rand_set_method(const RAND_METH + if (!fips_rand_bits) { + if (meth == FIPS_drbg_method()) + fips_approved_rand_meth = 1; +- else if (meth == FIPS_x931_method()) +- fips_approved_rand_meth = 2; + else { + fips_approved_rand_meth = 0; + if (FIPS_module_mode()) { diff --git a/openssl-ocloexec.patch b/openssl-ocloexec.patch index 78ca5b2..3ab0ff2 100644 --- a/openssl-ocloexec.patch +++ b/openssl-ocloexec.patch @@ -1,7 +1,7 @@ Index: crypto/bio/b_sock.c =================================================================== ---- crypto/bio/b_sock.c.orig 2015-12-05 00:04:11.291027369 +0100 -+++ crypto/bio/b_sock.c 2015-12-05 00:04:13.283055286 +0100 +--- crypto/bio/b_sock.c.orig 2016-04-14 11:01:01.957760118 +0200 ++++ crypto/bio/b_sock.c 2016-04-14 11:01:04.759799369 +0200 
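Review bot: the `if (FIPS_mode()) { return; }` left in ENGINE_load_builtin_engines no longer carries any comment once the rationale for ENGINE_load_dynamic() goes with it, so a reader meets an early return with no stated reason. Keep a one-line justification where the deleted block was, e.g. `/* In FIPS mode no engines are loaded, not even the dynamic loader: only the validated module may provide algorithms. */`. The patch header should also record that this is stricter than the upstream behaviour the removed comment described, so whoever rebases the patch knows the divergence is intentional.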
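Review bot: dropping the `meth == FIPS_x931_method()` branch in FIPS_rand_set_method leaves value 2 of `fips_approved_rand_meth` unassigned without saying why, so any remaining test for 2 elsewhere in fips_rand_lib.c is now dead code and the motivation is recorded nowhere in the patch. If the reason is the SP 800-131A transition away from the X9.31 generator, say so next to the DRBG branch, e.g. `/* only the SP 800-90A DRBG counts as approved; the X9.31 method is deliberately not accepted */`, and check the rest of the file for `== 2` comparisons that should go with it. The remainder of FIPS_rand_set_method is outside the hunk.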
@@ -723,7 +723,7 @@ int BIO_get_accept_socket(char *host, in } @@ -31,8 +31,8 @@ Index: crypto/bio/b_sock.c sa.len.i = (int)sa.len.s; Index: crypto/bio/bss_conn.c =================================================================== ---- crypto/bio/bss_conn.c.orig 2015-12-05 00:04:11.291027369 +0100 -+++ crypto/bio/bss_conn.c 2015-12-05 00:04:13.283055286 +0100 +--- crypto/bio/bss_conn.c.orig 2016-04-14 11:01:01.957760118 +0200 ++++ crypto/bio/bss_conn.c 2016-04-14 11:01:04.759799369 +0200 @@ -195,7 +195,7 @@ static int conn_state(BIO *b, BIO_CONNEC c->them.sin_addr.s_addr = htonl(l); c->state = BIO_CONN_S_CREATE_SOCKET; @@ -44,9 +44,9 @@ Index: crypto/bio/bss_conn.c ERR_add_error_data(4, "host=", c->param_hostname, Index: crypto/bio/bss_dgram.c =================================================================== ---- crypto/bio/bss_dgram.c.orig 2015-12-05 00:04:11.292027383 +0100 -+++ crypto/bio/bss_dgram.c 2015-12-05 00:04:13.284055300 +0100 -@@ -1177,7 +1177,7 @@ static int dgram_sctp_read(BIO *b, char +--- crypto/bio/bss_dgram.c.orig 2016-04-14 11:01:01.958760132 +0200 ++++ crypto/bio/bss_dgram.c 2016-04-14 11:01:04.760799384 +0200 +@@ -1175,7 +1175,7 @@ static int dgram_sctp_read(BIO *b, char msg.msg_control = cmsgbuf; msg.msg_controllen = 512; msg.msg_flags = 0; @@ -55,7 +55,7 @@ Index: crypto/bio/bss_dgram.c if (n <= 0) { if (n < 0) -@@ -1802,7 +1802,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) +@@ -1800,7 +1800,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) msg.msg_controllen = 0; msg.msg_flags = 0; @@ -64,7 +64,7 @@ Index: crypto/bio/bss_dgram.c if (n <= 0) { if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) -@@ -1824,7 +1824,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) +@@ -1822,7 +1822,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) msg.msg_controllen = 0; msg.msg_flags = 0; 
@@ -73,7 +73,7 @@ Index: crypto/bio/bss_dgram.c if (n <= 0) { if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) -@@ -1889,7 +1889,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) +@@ -1887,7 +1887,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) fcntl(b->num, F_SETFL, O_NONBLOCK); } @@ -82,7 +82,7 @@ Index: crypto/bio/bss_dgram.c if (is_dry) { fcntl(b->num, F_SETFL, sockflags); -@@ -1931,7 +1931,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) +@@ -1929,7 +1929,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) sockflags = fcntl(b->num, F_GETFL, 0); fcntl(b->num, F_SETFL, O_NONBLOCK); @@ -91,7 +91,7 @@ Index: crypto/bio/bss_dgram.c fcntl(b->num, F_SETFL, sockflags); /* if notification, process and try again */ -@@ -1951,7 +1951,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) +@@ -1949,7 +1949,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) msg.msg_control = NULL; msg.msg_controllen = 0; msg.msg_flags = 0; @@ -102,8 +102,8 @@ Index: crypto/bio/bss_dgram.c data->handle_notifications(b, data->notification_context, Index: crypto/bio/bss_file.c =================================================================== ---- crypto/bio/bss_file.c.orig 2015-12-05 00:04:11.292027383 +0100 -+++ crypto/bio/bss_file.c 2015-12-05 00:04:49.780566910 +0100 +--- crypto/bio/bss_file.c.orig 2016-04-14 11:01:01.958760132 +0200 ++++ crypto/bio/bss_file.c 2016-04-14 11:01:04.760799384 +0200 @@ -118,6 +118,10 @@ static BIO_METHOD methods_filep = { static FILE *file_fopen(const char *filename, const char *mode) { 
@@ -143,21 +143,21 @@ Index: crypto/bio/bss_file.c SYSerr(SYS_F_FOPEN, get_last_sys_error()); Index: crypto/rand/rand_unix.c =================================================================== ---- crypto/rand/rand_unix.c.orig 2015-12-05 00:04:11.292027383 +0100 -+++ crypto/rand/rand_unix.c 2015-12-05 00:04:13.285055314 +0100 -@@ -269,7 +269,7 @@ int RAND_poll(void) +--- crypto/rand/rand_unix.c.orig 2016-04-14 11:01:04.761799398 +0200 ++++ crypto/rand/rand_unix.c 2016-04-14 11:02:13.950768594 +0200 +@@ -270,7 +270,7 @@ int RAND_poll(void) for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) && - (n < ENTROPY_NEEDED); i++) { + (n < sizeof(tmpbuf)); i++) { - if ((fd = open(randomfiles[i], O_RDONLY -+ if ((fd = open(randomfiles[i], O_RDONLY|O_CLOEXEC ++ if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC # ifdef O_NONBLOCK | O_NONBLOCK # endif Index: crypto/rand/randfile.c =================================================================== ---- crypto/rand/randfile.c.orig 2015-12-05 00:04:11.293027397 +0100 -+++ crypto/rand/randfile.c 2015-12-05 00:04:13.285055314 +0100 +--- crypto/rand/randfile.c.orig 2016-04-14 11:01:01.959760146 +0200 ++++ crypto/rand/randfile.c 2016-04-14 11:01:04.761799398 +0200 @@ -147,7 +147,7 @@ int RAND_load_file(const char *file, lon #ifdef OPENSSL_SYS_VMS in = vms_fopen(file, "rb", VMS_OPEN_ATTRS); diff --git a/openssl-rsakeygen-minimum-distance.patch b/openssl-rsakeygen-minimum-distance.patch new file mode 100644 index 0000000..ab93f2c --- /dev/null +++ b/openssl-rsakeygen-minimum-distance.patch 
@@ -0,0 +1,65 @@ +Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-13 15:18:47.520016582 +0200 ++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-13 15:36:32.309233030 +0200 +@@ -465,6 +465,19 @@ static int rsa_builtin_keygen(RSA *rsa, + bitsp = (bits + 1) / 2; + bitsq = bits - bitsp; + ++ /* prepare a maximum for p and q */ ++ /* 0xB504F334 is (sqrt(2)/2)*2^32 */ ++ if (!BN_set_word(r0, 0xB504F334)) ++ goto err; ++ if (!BN_lshift(r0, r0, bitsp - 32)) ++ goto err; ++ ++ /* prepare minimum p and q difference */ ++ if (!BN_one(r3)) ++ goto err; ++ if (!BN_lshift(r3, r3, bitsp - 100)) ++ goto err; ++ + /* We need the RSA components non-NULL */ + if (!rsa->n && ((rsa->n = BN_new()) == NULL)) + goto err; +@@ -489,6 +502,8 @@ static int rsa_builtin_keygen(RSA *rsa, + for (;;) { + if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) + goto err; ++ if (BN_cmp(rsa->p, r0) < 0) ++ continue; + if (!BN_sub(r2, rsa->p, BN_value_one())) + goto err; + if (!BN_gcd(r1, r2, rsa->e, ctx)) +@@ -501,21 +516,17 @@ static int rsa_builtin_keygen(RSA *rsa, + if (!BN_GENCB_call(cb, 3, 0)) + goto err; + for (;;) { +- /* +- * When generating ridiculously small keys, we can get stuck +- * continually regenerating the same prime values. Check for this and +- * bail if it happens 3 times. 
+- */ +- unsigned int degenerate = 0; +- do { +- if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) +- goto err; +- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); +- if (degenerate == 3) { +- ok = 0; /* we set our own err */ +- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); ++ /* This function will take care of setting the topmost bit via BN_rand(..,1,1), so ++ * the maximum distance between p and q is less than 2^bitsq */ ++ if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) ++ goto err; ++ if (BN_cmp(rsa->q, r0) < 0) ++ continue; ++ /* check for minimum distance between p and q, 2^(bitsp-100) */ ++ if (!BN_sub(r2, rsa->q, rsa->p)) + goto err; +- } ++ if (BN_ucmp(r2, r3) <= 0) ++ continue; + if (!BN_sub(r2, rsa->q, BN_value_one())) + goto err; + if (!BN_gcd(r1, r2, rsa->e, ctx)) diff --git a/openssl-urandom-reseeding.patch b/openssl-urandom-reseeding.patch new file mode 100644 index 0000000..d692c76 --- /dev/null +++ b/openssl-urandom-reseeding.patch 
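Review bot: `BN_lshift(r0, r0, bitsp - 32)` and `BN_lshift(r3, r3, bitsp - 100)` receive a negative shift count whenever bitsp < 100 (bits below 200), and 1.0.2's BN_lshift does not appear to reject negative counts, so the small-key case that the removed 'degenerate' loop used to turn into RSA_R_KEY_SIZE_TOO_SMALL now computes meaningless bounds instead of failing. Reject it before the r0 setup, reusing the convention from the deleted lines: `if (bitsp < 100) { ok = 0; /* we set our own err */ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); goto err; }`. The two new `continue` statements make both prime loops unbounded on rejection; at realistic sizes a prime above r0 and a gap of at least 2^(bitsp-100) are not rare, but a comment saying that the loops terminate with overwhelming probability would preempt the question. r3 is derived from bitsp while q is generated with bitsq bits; openssl-fips-fix-odd-rsakeybits.patch later in the series makes the two equal, so the patch order in the spec matters and deserves a note in the header.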
@@ -0,0 +1,100 @@ +Index: openssl-1.0.2g/crypto/rand/rand_unix.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rand/rand_unix.c 2016-04-15 14:27:32.058784436 +0200 ++++ openssl-1.0.2g/crypto/rand/rand_unix.c 2016-04-15 14:27:32.711794567 +0200 +@@ -245,7 +245,8 @@ int RAND_poll(void) + unsigned long l; + pid_t curr_pid = getpid(); + # if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) +- unsigned char tmpbuf[ENTROPY_NEEDED]; ++ /* STATE_SIZE is 1023 ... but it was suggested to seed with 1024 bytes */ ++ unsigned char tmpbuf[1024]; + int n = 0; + # endif + # ifdef DEVRANDOM +@@ -268,7 +269,7 @@ int RAND_poll(void) + */ + + for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) && +- (n < ENTROPY_NEEDED); i++) { ++ (n < sizeof(tmpbuf)); i++) { + if ((fd = open(randomfiles[i], O_RDONLY + # ifdef O_NONBLOCK + | O_NONBLOCK +@@ -355,7 +356,7 @@ int RAND_poll(void) + + if (try_read) { + r = read(fd, (unsigned char *)tmpbuf + n, +- ENTROPY_NEEDED - n); ++ sizeof(tmpbuf) - n); + if (r > 0) + n += r; + # if defined(OPENSSL_SYS_BEOS_R5) +@@ -376,7 +377,7 @@ int RAND_poll(void) + } + while ((r > 0 || + (errno == EINTR || errno == EAGAIN)) && usec != 0 +- && n < ENTROPY_NEEDED); ++ && n < sizeof(tmpbuf)); + + close(fd); + } +@@ -389,12 +390,12 @@ int RAND_poll(void) + * collecting daemon. 
+ */ + +- for (egdsocket = egdsockets; *egdsocket && n < ENTROPY_NEEDED; ++ for (egdsocket = egdsockets; *egdsocket && n < sizeof(tmpbuf); + egdsocket++) { + int r; + + r = RAND_query_egd_bytes(*egdsocket, (unsigned char *)tmpbuf + n, +- ENTROPY_NEEDED - n); ++ sizeof(tmpbuf) - n); + if (r > 0) + n += r; + } +Index: openssl-1.0.2g/crypto/rand/md_rand.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rand/md_rand.c 2016-04-15 14:27:32.711794567 +0200 ++++ openssl-1.0.2g/crypto/rand/md_rand.c 2016-04-15 14:28:18.865510438 +0200 +@@ -360,6 +360,10 @@ int ssleay_rand_bytes(unsigned char *buf + if (num <= 0) + return 1; + ++ /* special rule for /dev/urandom seeding ... seed with as much bytes ++ * from /dev/urandom as you get out */ ++ RAND_load_file("/dev/urandom", num); ++ + EVP_MD_CTX_init(&m); + /* round upwards to multiple of MD_DIGEST_LENGTH/2 */ + num_ceil = +Index: openssl-1.0.2g/crypto/fips/fips_drbg_rand.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/fips/fips_drbg_rand.c 2016-04-15 14:27:32.712794583 +0200 ++++ openssl-1.0.2g/crypto/fips/fips_drbg_rand.c 2016-04-15 14:29:30.192616518 +0200 +@@ -77,6 +77,11 @@ static int fips_drbg_bytes(unsigned char + int rv = 0; + unsigned char *adin = NULL; + size_t adinlen = 0; ++ ++ /* add entropy in 1:1 relation (number pulled bytes / number pushed from /dev/urandom) */ ++ if (count > dctx->min_entropy) ++ RAND_load_file("/dev/urandom", count - dctx->min_entropy); ++ + CRYPTO_w_lock(CRYPTO_LOCK_RAND); + do { + size_t rcnt; +Index: openssl-1.0.2g/crypto/rand/rand_lib.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rand/rand_lib.c 2016-04-15 14:27:32.712794583 +0200 ++++ openssl-1.0.2g/crypto/rand/rand_lib.c 2016-04-15 14:30:45.074777402 +0200 +@@ -238,7 +238,7 @@ static int drbg_rand_add(DRBG_CTX *ctx, + RAND_SSLeay()->add(in, inlen, entropy); + if 
(FIPS_rand_status()) { + CRYPTO_w_lock(CRYPTO_LOCK_RAND); +- FIPS_drbg_reseed(ctx, NULL, 0); ++ FIPS_drbg_reseed(ctx, in, inlen); + CRYPTO_w_unlock(CRYPTO_LOCK_RAND); + } + return 1; diff --git a/openssl.changes b/openssl.changes index 2b8c16c..97492a3 100644 --- a/openssl.changes +++ b/openssl.changes @@ -1,3 +1,30 @@ +------------------------------------------------------------------- +Fri Apr 15 16:55:05 UTC 2016 - dvaleev@suse.com + +- Remove a hack for bsc#936563 +- Drop bsc936563_hack.patch + +------------------------------------------------------------------- +Fri Apr 15 11:59:48 UTC 2016 - vcizek@suse.com + +- import fips patches from SLE-12 + * openssl-fips-clearerror.patch + * openssl-fips-dont-fall-back-to-default-digest.patch + * openssl-fips-fix-odd-rsakeybits.patch + * openssl-fips-rsagen-d-bits.patch + * openssl-fips-selftests_in_nonfips_mode.patch + * openssl-fips_RSA_compute_d_with_lcm.patch + * openssl-fips_disallow_ENGINE_loading.patch + * openssl-fips_disallow_x931_rand_method.patch + * openssl-rsakeygen-minimum-distance.patch + * openssl-urandom-reseeding.patch + +------------------------------------------------------------------- +Tue Mar 8 12:50:28 UTC 2016 - vcizek@suse.com + +- add support for "ciphers" providing no encryption (bsc#937085) + * don't build with -DSSL_FORBID_ENULL + ------------------------------------------------------------------- Tue Mar 1 14:40:18 UTC 2016 - vcizek@suse.com diff --git a/openssl.spec b/openssl.spec index 10dbd24..a47e759 100644 --- a/openssl.spec +++ b/openssl.spec 
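Review bot: both new `RAND_load_file("/dev/urandom", ...)` calls, in ssleay_rand_bytes and fips_drbg_bytes, ignore the return value, so when /dev/urandom cannot be opened (chroot without /dev, fd exhaustion) the intended 1:1 reseeding silently never happens and the generator keeps running on its previous state with no signal to the caller. Decide whether that is acceptable and either check the result (in the FIPS path a short read could set `rv` and skip generation) or document the best-effort intent: `/* best effort: if /dev/urandom is unavailable the existing state is used unchanged */`. The loop bounds `n < sizeof(tmpbuf)` and `sizeof(tmpbuf) - n` in RAND_poll compare the `int n` against a size_t; harmless since n only grows from 0, but it trips -Wsign-compare, and the `STATE_SIZE is 1023` remark would read better attached to a named constant than to the literal 1024. With drbg_rand_add now passing `in`/`inlen` to FIPS_drbg_reseed, the urandom bytes presumably enter the DRBG as additional input while entropy still comes from the DRBG's own entropy callback, so the comment `add entropy in 1:1 relation` overstates what happens; reword it to say the bytes are fed as reseed additional input.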
@@ -73,7 +73,17 @@ Patch34: openssl-fips-hidden.patch Patch35: openssl-1.0.1e-add-suse-default-cipher.patch Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Patch38: openssl-missing_FIPS_ec_group_new_by_curve_name.patch -Patch40: bsc936563_hack.patch +# FIPS patches from SLE-12 +Patch50: openssl-fips_disallow_x931_rand_method.patch +Patch51: openssl-fips_disallow_ENGINE_loading.patch +Patch52: openssl-fips_RSA_compute_d_with_lcm.patch +Patch53: openssl-rsakeygen-minimum-distance.patch +Patch54: openssl-urandom-reseeding.patch +Patch55: openssl-fips-rsagen-d-bits.patch +Patch56: openssl-fips-selftests_in_nonfips_mode.patch +Patch57: openssl-fips-fix-odd-rsakeybits.patch +Patch58: openssl-fips-clearerror.patch +Patch59: openssl-fips-dont-fall-back-to-default-digest.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -184,15 +194,21 @@ this package's base documentation. %patch35 -p1 %patch37 -p1 %patch38 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 +%patch53 -p1 +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 +%patch58 -p1 +%patch59 -p1 %if 0%{?suse_version} >= 1120 %patch3 %endif %patch8 -p1 %patch14 -p1 -#workaround https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66728 -%ifarch ppc64le -%patch40 -p1 -%endif cp -p %{S:10} . cp -p %{S:11} . echo "adding/overwriting some entries in the 'table' hash in Configure" @@ -264,7 +280,6 @@ $RPM_OPT_FLAGS -O3 -std=gnu99 \ -fno-common \ -DTERMIO \ -DPURIFY \ --DSSL_FORBID_ENULL \ -D_GNU_SOURCE \ -DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \
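Review bot: the removal of `-DSSL_FORBID_ENULL` from the compile flags carries no comment in the spec, unlike the `# FIPS patches from SLE-12` header added above it, so the reason NULL-encryption cipher suites are now built in is only recoverable from openssl.changes (bsc#937085). Add a line above the flag block, e.g. `# bsc#937085: build the eNULL cipher suites; they stay outside the default cipher string and must be requested explicitly`, after confirming the second half against the SUSE default-cipher patch (Patch35) in this tree. The new %patch50–%patch59 block is applied after %patch38 but before %patch3, %patch8 and %patch14; if any of those touch rsa_gen.c, rand_unix.c or o_init.c the order matters, so a short comment on why the FIPS set is applied at that point would help the next rebase.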