From a07c000ba65a36edea7c0e06ec4f8f504a9723e6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 12 2019 08:23:03 +0000 Subject: import openssl-1.0.2k-16.el7_6.1 --- diff --git a/SOURCES/openssl-1.0.2k-cve-2018-5407.patch b/SOURCES/openssl-1.0.2k-cve-2018-5407.patch new file mode 100644 index 0000000..4152f20 --- /dev/null +++ b/SOURCES/openssl-1.0.2k-cve-2018-5407.patch @@ -0,0 +1,305 @@ +diff -up openssl-1.0.2k/crypto/bn/bn_lib.c.ecc-ladder openssl-1.0.2k/crypto/bn/bn_lib.c +--- openssl-1.0.2k/crypto/bn/bn_lib.c.ecc-ladder 2019-02-06 12:58:50.575844123 +0100 ++++ openssl-1.0.2k/crypto/bn/bn_lib.c 2019-02-08 10:48:53.529291777 +0100 +@@ -877,6 +877,38 @@ void BN_consttime_swap(BN_ULONG conditio + a->top ^= t; + b->top ^= t; + ++ t = (a->neg ^ b->neg) & condition; ++ a->neg ^= t; ++ b->neg ^= t; ++ ++ /*- ++ * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention ++ * is actually to treat it as it's read-only data, and some (if not most) ++ * of it does reside in read-only segment. In other words observation of ++ * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal ++ * condition. It would either cause SEGV or effectively cause data ++ * corruption. ++ * ++ * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be ++ * preserved. ++ * ++ * BN_FLG_SECURE: must be preserved, because it determines how x->d was ++ * allocated and hence how to free it. ++ * ++ * BN_FLG_CONSTTIME: sufficient to mask and swap ++ * ++ * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on ++ * the data, so the d array may be padded with additional 0 values (i.e. ++ * top could be greater than the minimal value that it could be). We should ++ * be swapping it ++ */ ++ ++#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) ++ ++ t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; ++ a->flags ^= t; ++ b->flags ^= t; ++ + #define BN_CONSTTIME_SWAP(ind) \ + do { \ + t = (a->d[ind] ^ b->d[ind]) & condition; \ +diff -up openssl-1.0.2k/crypto/ec/ec_mult.c.ecc-ladder openssl-1.0.2k/crypto/ec/ec_mult.c +--- openssl-1.0.2k/crypto/ec/ec_mult.c.ecc-ladder 2017-01-26 14:22:03.000000000 +0100 ++++ openssl-1.0.2k/crypto/ec/ec_mult.c 2019-02-08 10:48:53.531291744 +0100 +@@ -306,6 +306,224 @@ static signed char *compute_wNAF(const B + return r; + } + ++#define EC_POINT_BN_set_flags(P, flags) do { \ ++ BN_set_flags(&(P)->X, (flags)); \ ++ BN_set_flags(&(P)->Y, (flags)); \ ++ BN_set_flags(&(P)->Z, (flags)); \ ++} while(0) ++ ++/*- ++ * This functions computes (in constant time) a point multiplication over the ++ * EC group. ++ * ++ * At a high level, it is Montgomery ladder with conditional swaps. ++ * ++ * It performs either a fixed scalar point multiplication ++ * (scalar * generator) ++ * when point is NULL, or a generic scalar point multiplication ++ * (scalar * point) ++ * when point is not NULL. ++ * ++ * scalar should be in the range [0,n) otherwise all constant time bets are off. ++ * ++ * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, ++ * which of course are not constant time themselves. ++ * ++ * The product is stored in r. ++ * ++ * Returns 1 on success, 0 otherwise. ++ */ ++static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, const EC_POINT *point, ++ BN_CTX *ctx) ++{ ++ int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; ++ EC_POINT *s = NULL; ++ BIGNUM *k = NULL; ++ BIGNUM *lambda = NULL; ++ BIGNUM *cardinality = NULL; ++ BN_CTX *new_ctx = NULL; ++ int ret = 0; ++ ++ if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ ++ s = EC_POINT_new(group); ++ if (s == NULL) ++ goto err; ++ ++ if (point == NULL) { ++ if (!EC_POINT_copy(s, group->generator)) ++ goto err; ++ } else { ++ if (!EC_POINT_copy(s, point)) ++ goto err; ++ } ++ ++ EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); ++ ++ cardinality = BN_CTX_get(ctx); ++ lambda = BN_CTX_get(ctx); ++ k = BN_CTX_get(ctx); ++ if (k == NULL || !BN_mul(cardinality, &group->order, &group->cofactor, ctx)) ++ goto err; ++ ++ /* ++ * Group cardinalities are often on a word boundary. ++ * So when we pad the scalar, some timing diff might ++ * pop if it needs to be expanded due to carries. ++ * So expand ahead of time. ++ */ ++ cardinality_bits = BN_num_bits(cardinality); ++ group_top = cardinality->top; ++ if ((bn_wexpand(k, group_top + 2) == NULL) ++ || (bn_wexpand(lambda, group_top + 2) == NULL)) ++ goto err; ++ ++ if (!BN_copy(k, scalar)) ++ goto err; ++ ++ BN_set_flags(k, BN_FLG_CONSTTIME); ++ ++ if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { ++ /*- ++ * this is an unusual input, and we don't guarantee ++ * constant-timeness ++ */ ++ if (!BN_nnmod(k, k, cardinality, ctx)) ++ goto err; ++ } ++ ++ if (!BN_add(lambda, k, cardinality)) ++ goto err; ++ BN_set_flags(lambda, BN_FLG_CONSTTIME); ++ if (!BN_add(k, lambda, cardinality)) ++ goto err; ++ /* ++ * lambda := scalar + cardinality ++ * k := scalar + 2*cardinality ++ */ ++ kbit = BN_is_bit_set(lambda, cardinality_bits); ++ BN_consttime_swap(kbit, k, lambda, group_top + 2); ++ ++ group_top = group->field.top; ++ if ((bn_wexpand(&s->X, group_top) == NULL) ++ || (bn_wexpand(&s->Y, group_top) == NULL) ++ || (bn_wexpand(&s->Z, group_top) == NULL) ++ || (bn_wexpand(&r->X, group_top) == NULL) ++ || (bn_wexpand(&r->Y, group_top) == NULL) ++ || (bn_wexpand(&r->Z, group_top) == NULL)) ++ goto err; ++ ++ /* top bit is a 1, in a fixed pos */ ++ if (!EC_POINT_copy(r, s)) ++ goto err; ++ ++ EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); ++ ++ if (!EC_POINT_dbl(group, s, s, ctx)) ++ goto err; ++ ++ pbit = 0; ++ ++#define EC_POINT_CSWAP(c, a, b, w, t) do { \ ++ BN_consttime_swap(c, &(a)->X, &(b)->X, w); \ ++ BN_consttime_swap(c, &(a)->Y, &(b)->Y, w); \ ++ BN_consttime_swap(c, &(a)->Z, &(b)->Z, w); \ ++ t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ ++ (a)->Z_is_one ^= (t); \ ++ (b)->Z_is_one ^= (t); \ ++} while(0) ++ ++ /*- ++ * The ladder step, with branches, is ++ * ++ * k[i] == 0: S = add(R, S), R = dbl(R) ++ * k[i] == 1: R = add(S, R), S = dbl(S) ++ * ++ * Swapping R, S conditionally on k[i] leaves you with state ++ * ++ * k[i] == 0: T, U = R, S ++ * k[i] == 1: T, U = S, R ++ * ++ * Then perform the ECC ops. ++ * ++ * U = add(T, U) ++ * T = dbl(T) ++ * ++ * Which leaves you with state ++ * ++ * k[i] == 0: U = add(R, S), T = dbl(R) ++ * k[i] == 1: U = add(S, R), T = dbl(S) ++ * ++ * Swapping T, U conditionally on k[i] leaves you with state ++ * ++ * k[i] == 0: R, S = T, U ++ * k[i] == 1: R, S = U, T ++ * ++ * Which leaves you with state ++ * ++ * k[i] == 0: S = add(R, S), R = dbl(R) ++ * k[i] == 1: R = add(S, R), S = dbl(S) ++ * ++ * So we get the same logic, but instead of a branch it's a ++ * conditional swap, followed by ECC ops, then another conditional swap. ++ * ++ * Optimization: The end of iteration i and start of i-1 looks like ++ * ++ * ... ++ * CSWAP(k[i], R, S) ++ * ECC ++ * CSWAP(k[i], R, S) ++ * (next iteration) ++ * CSWAP(k[i-1], R, S) ++ * ECC ++ * CSWAP(k[i-1], R, S) ++ * ... ++ * ++ * So instead of two contiguous swaps, you can merge the condition ++ * bits and do a single swap. ++ * ++ * k[i] k[i-1] Outcome ++ * 0 0 No Swap ++ * 0 1 Swap ++ * 1 0 Swap ++ * 1 1 No Swap ++ * ++ * This is XOR. pbit tracks the previous bit of k. ++ */ ++ ++ for (i = cardinality_bits - 1; i >= 0; i--) { ++ kbit = BN_is_bit_set(k, i) ^ pbit; ++ EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); ++ if (!EC_POINT_add(group, s, r, s, ctx)) ++ goto err; ++ if (!EC_POINT_dbl(group, r, r, ctx)) ++ goto err; ++ /* ++ * pbit logic merges this cswap with that of the ++ * next iteration ++ */ ++ pbit ^= kbit; ++ } ++ /* one final cswap to move the right value into r */ ++ EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); ++#undef EC_POINT_CSWAP ++ ++ ret = 1; ++ ++ err: ++ EC_POINT_free(s); ++ BN_CTX_end(ctx); ++ BN_CTX_free(new_ctx); ++ ++ return ret; ++} ++ ++#undef EC_POINT_BN_set_flags ++ + /* + * TODO: table should be optimised for the wNAF-based implementation, + * sometimes smaller windows will give better performance (thus the +@@ -365,6 +583,34 @@ int ec_wNAF_mul(const EC_GROUP *group, E + return EC_POINT_set_to_infinity(group, r); + } + ++ if (!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)) { ++ /*- ++ * Handle the common cases where the scalar is secret, enforcing a constant ++ * time scalar multiplication algorithm. ++ */ ++ if ((scalar != NULL) && (num == 0)) { ++ /*- ++ * In this case we want to compute scalar * GeneratorPoint: this ++ * codepath is reached most prominently by (ephemeral) key generation ++ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH ++ * keygen/first half), where the scalar is always secret. This is why ++ * we ignore if BN_FLG_CONSTTIME is actually set and we always call the ++ * constant time version. ++ */ ++ return ec_mul_consttime(group, r, scalar, NULL, ctx); ++ } ++ if ((scalar == NULL) && (num == 1)) { ++ /*- ++ * In this case we want to compute scalar * GenericPoint: this codepath ++ * is reached most prominently by the second half of ECDH, where the ++ * secret scalar is multiplied by the peer's public point. To protect ++ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and ++ * we always call the constant time version. ++ */ ++ return ec_mul_consttime(group, r, scalars[0], points[0], ctx); ++ } ++ } ++ + for (i = 0; i < num; i++) { + if (group->meth != points[i]->meth) { + ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); diff --git a/SOURCES/openssl-1.0.2k-rsa-check.patch b/SOURCES/openssl-1.0.2k-rsa-check.patch new file mode 100644 index 0000000..a7ccd9c --- /dev/null +++ b/SOURCES/openssl-1.0.2k-rsa-check.patch @@ -0,0 +1,18 @@ +diff -up openssl-1.0.2k/crypto/rsa/rsa_gen.c.rsa-check openssl-1.0.2k/crypto/rsa/rsa_gen.c +--- openssl-1.0.2k/crypto/rsa/rsa_gen.c.rsa-check 2019-02-06 12:58:50.570844207 +0100 ++++ openssl-1.0.2k/crypto/rsa/rsa_gen.c 2019-02-06 13:10:57.058468214 +0100 +@@ -94,11 +94,11 @@ int fips_check_rsa(RSA *rsa) + + /* Perform pairwise consistency signature test */ + if (!fips_pkey_signature_test(pk, tbs, -1, +- NULL, 0, EVP_sha1(), ++ NULL, 0, EVP_sha256(), + EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) +- || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(), ++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(), + EVP_MD_CTX_FLAG_PAD_X931, NULL) +- || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(), ++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(), + EVP_MD_CTX_FLAG_PAD_PSS, NULL)) + goto err; + /* Now perform pairwise consistency encrypt/decrypt test */ diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index 62e886e..fa17165 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.2k -Release: 16%{?dist} +Release: 16%{?dist}.1 Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -87,6 +87,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch Patch97: openssl-1.0.2k-no-ssl2.patch Patch98: openssl-1.0.2k-long-hello.patch Patch99: openssl-1.0.2k-fips-randlock.patch +Patch106: openssl-1.0.2k-rsa-check.patch # Backported fixes including security fixes Patch80: openssl-1.0.2e-wrap-pad.patch Patch81: openssl-1.0.2a-padlock64.patch @@ -104,6 +105,7 @@ Patch102: openssl-1.0.2k-cve-2018-0732.patch Patch103: openssl-1.0.2k-cve-2018-0737.patch Patch104: openssl-1.0.2k-cve-2018-0739.patch Patch105: openssl-1.0.2k-cve-2018-0495.patch +Patch107: openssl-1.0.2k-cve-2018-5407.patch License: OpenSSL Group: System Environment/Libraries @@ -223,6 +225,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch97 -p1 -b .no-ssl2 %patch98 -p1 -b .long-hello %patch99 -p1 -b .randlock +%patch106 -p1 -b .rsa-check %patch80 -p1 -b .wrap %patch81 -p1 -b .padlock64 @@ -240,6 +243,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch103 -p1 -b .gen-timing %patch104 -p1 -b .asn1-recursive %patch105 -p1 -b .rohnp-fix +%patch107 -p1 -b .ecc-ladder sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -539,6 +543,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Wed Feb 6 2019 Tomáš Mráz 1.0.2k-16.1 +- use SHA-256 in FIPS RSA pairwise key check +- fix CVE-2018-5407 - EC signature local timing side-channel key extraction + * Tue Aug 14 2018 Tomáš Mráz 1.0.2k-16 - fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA - fix incorrect error message on FIPS DSA parameter generation (#1603597)