rpm/tboot
SHA256
1
0
Fork 0
forked from pool/tboot
Code Pull Requests Activity

- tboot-ssl-broken.patch: Fixed memory corruption when using OpenSSL

Browse Source 
functionality like in lcp2_crtpollist (bnc#1083693). Fix has not yet been
  commented on by upstream (posted on tboot-devel mailing list).

OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=75
This commit is contained in:
Matthias Gerstner 2018-03-15 09:50:48 +00:00 committed by Git OBS Bridge
parent e922ce366c
commit 77676033d6
4 changed files with 364 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
tboot-signature-segfault.patch Normal file
View File

@ -0,0 +1,80 @@
changeset: 506:09fae64a7515
user: Ning Sun <ning.sun@intel.com>
date: Sat Sep 02 01:40:15 2017 -0700
summary: Fix openssl-1.0.2 double frees
Index: tboot-1.9.6/lcptools-v2/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/crtpollist.c
+++ tboot-1.9.6/lcptools-v2/crtpollist.c
@@ -160,15 +160,14 @@ static lcp_signature_t2 *read_rsa_pubkey
memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
sig->rsa_signature.pubkey_size = keysize;
-
- BIGNUM *modulus = BN_new();
-
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *modulus = BN_new();
RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
#else
- modulus = pubkey->n;
+ BIGNUM *modulus = BN_dup(pubkey->n);
#endif
unsigned char key[keysize];
Index: tboot-1.9.6/lcptools-v2/lcputils.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/lcputils.c
+++ tboot-1.9.6/lcptools-v2/lcputils.c
@@ -384,8 +384,8 @@ bool verify_signature(const uint8_t *dat
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = modulus;
- rsa_pubkey->e = exponent;
+ rsa_pubkey->n = BN_dup(modulus);
+ rsa_pubkey->e = BN_dup(exponent);
rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif
Index: tboot-1.9.6/lcptools/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools/crtpollist.c
+++ tboot-1.9.6/lcptools/crtpollist.c
@@ -155,14 +155,14 @@ static lcp_signature_t *read_pubkey_file
memset(sig, 0, sizeof(*sig) + 2*keysize);
sig->pubkey_size = keysize;
-
- BIGNUM *modulus = BN_new();
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *modulus = BN_new();
RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
#else
- modulus = pubkey->n;
+ BIGNUM *modulus = BN_dup(pubkey->n);
#endif
unsigned char key[keysize];
BN_bn2bin(modulus, key);
Index: tboot-1.9.6/lcptools/lcputils2.c
===================================================================
--- tboot-1.9.6.orig/lcptools/lcputils2.c
+++ tboot-1.9.6/lcptools/lcputils2.c
@@ -288,8 +288,8 @@ bool verify_signature(const uint8_t *dat
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = modulus;
- rsa_pubkey->e = exponent;
+ rsa_pubkey->n = BN_dup(modulus);
+ rsa_pubkey->e = BN_dup(exponent);
rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif

268
tboot-ssl-broken.patch Normal file
View File

@ -0,0 +1,268 @@
Index: tboot-1.9.6/lcptools-v2/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/crtpollist.c
+++ tboot-1.9.6/lcptools-v2/crtpollist.c
@@ -132,6 +132,7 @@ static lcp_signature_t2 *read_rsa_pubkey
if ( fp == NULL ) {
ERROR("Error: failed to open .pem file %s: %s\n", file,
strerror(errno));
+ fclose(fp);
return NULL;
}
@@ -141,6 +142,7 @@ static lcp_signature_t2 *read_rsa_pubkey
ERROR("Error: failed to read .pem file %s: %s\n", file,
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
+ fclose(fp);
return NULL;
}
@@ -148,6 +150,7 @@ static lcp_signature_t2 *read_rsa_pubkey
if ( keysize == 0 ) {
ERROR("Error: public key size is 0\n");
RSA_free(pubkey);
+ fclose(fp);
return NULL;
}
@@ -155,19 +158,20 @@ static lcp_signature_t2 *read_rsa_pubkey
if ( sig == NULL ) {
ERROR("Error: failed to allocate sig\n");
RSA_free(pubkey);
+ fclose(fp);
return NULL;
}
memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
sig->rsa_signature.pubkey_size = keysize;
+ const BIGNUM *modulus = NULL;
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- BIGNUM *modulus = BN_new();
- RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+ RSA_get0_key(pubkey, &modulus, NULL, NULL);
#else
- BIGNUM *modulus = BN_dup(pubkey->n);
+ modulus = pubkey->n;
#endif
unsigned char key[keysize];
@@ -183,8 +187,8 @@ static lcp_signature_t2 *read_rsa_pubkey
}
LOG("read rsa pubkey succeed!\n");
- BN_free(modulus);
RSA_free(pubkey);
+ fclose(fp);
return sig;
}
@@ -386,13 +390,13 @@ static bool ecdsa_sign_tpm20_list_data(l
return false;
}
- BIGNUM *r = BN_new();
- BIGNUM *s = BN_new();
-
+ const BIGNUM *r = NULL;
+ const BIGNUM *s = NULL;
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to
ECDSA_SIG stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ECDSA_SIG_get0(ecdsasig, (const BIGNUM **)&r, (const BIGNUM **)&s);
+ ECDSA_SIG_get0(ecdsasig, &r, &s);
#else
r = ecdsasig->r;
s = ecdsasig->s;
@@ -415,8 +419,7 @@ static bool ecdsa_sign_tpm20_list_data(l
display_tpm20_signature(" ", sig, pollist->sig_alg, false);
}
- BN_free(r);
- BN_free(s);
+ ECDSA_SIG_free(ecdsasig);
return true;
}
return false;
Index: tboot-1.9.6/lcptools-v2/lcputils.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/lcputils.c
+++ tboot-1.9.6/lcptools-v2/lcputils.c
@@ -371,9 +371,8 @@ bool verify_signature(const uint8_t *dat
return false;
}
- BIGNUM *modulus = BN_new();
+ BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
BIGNUM *exponent = BN_new();
- modulus = BN_bin2bn(key, pubkey_size, NULL);
/* uses fixed exponent (LCP_SIG_EXPONENT) */
char exp[32];
@@ -384,8 +383,8 @@ bool verify_signature(const uint8_t *dat
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = BN_dup(modulus);
- rsa_pubkey->e = BN_dup(exponent);
+ rsa_pubkey->n = modulus;
+ rsa_pubkey->e = exponent;
rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif
@@ -407,8 +406,6 @@ bool verify_signature(const uint8_t *dat
tb_hash_t digest;
if ( !hash_buffer(data, data_size, &digest, hashalg) ) {
ERROR("Error: failed to hash list\n");
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -451,8 +448,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -467,8 +462,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -483,8 +476,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -499,8 +490,6 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -508,13 +497,10 @@ bool verify_signature(const uint8_t *dat
default :
LOG("unknown hash alg\n");
- BN_free(modulus);
- BN_free(exponent);
+ RSA_free(rsa_pubkey);
return false;
}
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return true;
}
Index: tboot-1.9.6/lcptools/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools/crtpollist.c
+++ tboot-1.9.6/lcptools/crtpollist.c
@@ -156,13 +156,14 @@ static lcp_signature_t *read_pubkey_file
memset(sig, 0, sizeof(*sig) + 2*keysize);
sig->pubkey_size = keysize;
+ const BIGNUM *modulus = NULL;
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- BIGNUM *modulus = BN_new();
- RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL);
+ RSA_get0_key(pubkey, &modulus, NULL, NULL);
#else
- BIGNUM *modulus = BN_dup(pubkey->n);
+ modulus = pubkey->n;
#endif
unsigned char key[keysize];
BN_bn2bin(modulus, key);
@@ -175,8 +176,7 @@ static lcp_signature_t *read_pubkey_file
LOG("signature:\n");
display_signature(" ", sig, false);
}
-
- BN_free(modulus);
+
RSA_free(pubkey);
return sig;
}
Index: tboot-1.9.6/lcptools/lcputils2.c
===================================================================
--- tboot-1.9.6.orig/lcptools/lcputils2.c
+++ tboot-1.9.6/lcptools/lcputils2.c
@@ -274,31 +274,29 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to allocate key\n");
return false;
}
- BIGNUM *modulus = BN_new();
+
+ BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
BIGNUM *exponent = BN_new();
- modulus = BN_bin2bn(key, pubkey_size, NULL);
/* uses fixed exponent (LCP_SIG_EXPONENT) */
char exp[32];
snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT);
BN_dec2bn(&exponent, exp);
-
+
/* OpenSSL Version 1.1.0 and later don't allow direct access to RSA
stuct */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
+ RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
#else
- rsa_pubkey->n = BN_dup(modulus);
- rsa_pubkey->e = BN_dup(exponent);
- rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
+ rsa_pubkey->n = modulus;
+ rsa_pubkey->e = exponent;
+ rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
#endif
/* first create digest of data */
tb_hash_t digest;
if ( !hash_buffer(data, data_size, &digest, TB_HALG_SHA1_LG) ) {
ERROR("Error: failed to hash list\n");
- BN_free(modulus);
- BN_free(exponent);
RSA_free(rsa_pubkey);
return false;
}
@@ -339,14 +337,10 @@ bool verify_signature(const uint8_t *dat
ERROR("Error: failed to verify list: %s\n",
ERR_error_string(ERR_get_error(), NULL));
ERR_free_strings();
- BN_free(modulus);
- BN_free(exponent);
- RSA_free(rsa_pubkey);
+ RSA_free(rsa_pubkey);
return false;
}
-
- BN_free(modulus);
- BN_free(exponent);
+
RSA_free(rsa_pubkey);
return true;
}

7
tboot.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Mar 15 09:49:03 UTC 2018 - matthias.gerstner@suse.com
- tboot-ssl-broken.patch: Fixed memory corruption when using OpenSSL
functionality like in lcp2_crtpollist (bnc#1083693). Fix has not yet been
commented on by upstream (posted on tboot-devel mailing list).
-------------------------------------------------------------------
Wed Feb 21 12:26:10 UTC 2018 - matthias.gerstner@suse.com

11
tboot.spec
View File

@ -30,7 +30,12 @@ Patch4: tboot-grub2-fix-xen-submenu-name.patch
Patch5: tboot-openssl-1-1-0.patch
Patch6: tboot-CVE-2017-16837.patch
Patch7: tboot-distributor.patch
# PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/tboot/code/merge-requests/1/
# a stark history regarding SSL: ssl functions never really worked in tboot,
# even the signature-segfault upstream fix didn't fix the root causes.
# ssl-broken.patch is my own patch that I have published on the tboot-devel
# mailing list, but no response so far.
Patch8: tboot-signature-segfault.patch
Patch9: tboot-ssl-broken.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExclusiveArch: %{ix86} x86_64
BuildRequires: openssl-devel
@ -58,6 +63,8 @@ verified launch of an OS kernel/VMM.
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
export CFLAGS="%{optflags}"
@ -107,7 +114,7 @@ make debug=y install DISTDIR="%{buildroot}" MANPATH="%{buildroot}/%{_mandir}"
%postun
%if 0%{?update_bootloader_check_type_reinit_post:1}
# there is no clean solution for refresh during package removal at the moment.
# %posttrans is not executed during package removal.
# %%posttrans is not executed during package removal.
%update_bootloader_check_type_reinit_post grub2 grub2-efi
%update_bootloader_posttrans
%else