diff --git a/SOURCES/openssl-1.1.1-cve-2022-0778.patch b/SOURCES/openssl-1.1.1-cve-2022-0778.patch
new file mode 100644
index 0000000..4e62b3f
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-cve-2022-0778.patch
@@ -0,0 +1,179 @@
+From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:21 +0100
+Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
+
+The calculation in some cases does not finish for non-prime p.
+
+This fixes CVE-2022-0778.
+
+Based on patch by David Benjamin <davidben@google.com>.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:30 +0100
+Subject: [PATCH] Add documentation of BN_mod_sqrt()
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ doc/man3/BN_add.pod | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:35 +0100
+Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ test/bntest.c | 11 ++++++++++-
+ test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
+index 1723d5ded5a8..53b0f559855c 100644
+--- a/crypto/bn/bn_sqrt.c
++++ b/crypto/bn/bn_sqrt.c
+@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+ /*
+ * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
+ * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
+- * Theory", algorithm 1.5.1). 'p' must be prime!
++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
++ * an incorrect "result" will be returned.
+ */
+ {
+ BIGNUM *ret = in;
+@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+ goto vrfy;
+ }
+
+- /* find smallest i such that b^(2^i) = 1 */
+- i = 1;
+- if (!BN_mod_sqr(t, b, p, ctx))
+- goto end;
+- while (!BN_is_one(t)) {
+- i++;
+- if (i == e) {
+- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+- goto end;
++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
++ for (i = 1; i < e; i++) {
++ if (i == 1) {
++ if (!BN_mod_sqr(t, b, p, ctx))
++ goto end;
++
++ } else {
++ if (!BN_mod_mul(t, t, t, p, ctx))
++ goto end;
+ }
+- if (!BN_mod_mul(t, t, t, p, ctx))
+- goto end;
++ if (BN_is_one(t))
++ break;
++ }
++ /* If not found, a is not a square or p is not prime. */
++ if (i >= e) {
++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
++ goto end;
+ }
+
+ /* t := y^2^(e - i - 1) */
+diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
+index dccd4790ede7..1f5e37a4d183 100644
+--- a/doc/man3/BN_add.pod
++++ b/doc/man3/BN_add.pod
+@@ -3,7 +3,7 @@
+ =head1 NAME
+
+ BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
+-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
++BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
+ arithmetic operations on BIGNUMs
+
+ =head1 SYNOPSIS
+@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
+
+ int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+
++ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
++
+ int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+
+ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
+ BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
+ result in I<r>.
+
++BN_mod_sqrt() returns the modular square root of I<a> such that
++C<in^2 = a (mod p)>. The modulus I<p> must be a
++prime, otherwise an error or an incorrect "result" will be returned.
++The result is stored into I<in> which can be NULL. The result will be
++newly allocated in that case.
++
+ BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
+ (C<r=a^p>). This function is faster than repeated applications of
+ BN_mul().
+@@ -108,7 +116,10 @@ the arguments.
+
+ =head1 RETURN VALUES
+
+-For all functions, 1 is returned for success, 0 on error. The return
++The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
++not a prime), or NULL.
++
++For all remaining functions, 1 is returned for success, 0 on error. The return
+ value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
+ The error codes can be obtained by L<ERR_get_error(3)>.
+
+diff --git a/test/bntest.c b/test/bntest.c
+index 390dd800733e..1cab660bcafb 100644
+--- a/test/bntest.c
++++ b/test/bntest.c
+@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
+ || !TEST_ptr(ret2 = BN_new()))
+ goto err;
+
++ if (BN_is_negative(mod_sqrt)) {
++ /* A negative testcase */
++ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
++ goto err;
++
++ st = 1;
++ goto err;
++ }
++
+ /* There are two possible answers. */
+- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
++ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
+ || !TEST_true(BN_sub(ret2, p, ret)))
+ goto err;
+
+diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
+index 5ea4d031f271..e28cc6bfb02e 100644
+--- a/test/recipes/10-test_bn_data/bnmod.txt
++++ b/test/recipes/10-test_bn_data/bnmod.txt
+@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+ ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
+ A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
+ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
++
++# Negative testcases for BN_mod_sqrt()
++
++# This one triggers an infinite loop with unfixed implementation
++# It should just fail.
++ModSqrt = -1
++A = 20a7ee
++P = 460201
++
++ModSqrt = -1
++A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
++P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 56ab8a7..1e0c070 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1k
-Release: 5%{?dist}
+Release: 6%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -82,6 +82,7 @@ Patch56: openssl-1.1.1-s390x-ecc.patch
Patch74: openssl-1.1.1-addrconfig.patch
Patch75: openssl-1.1.1-tls13-curves.patch
Patch81: openssl-1.1.1-read-buff.patch
+Patch82: openssl-1.1.1-cve-2022-0778.patch
License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/
@@ -202,6 +203,7 @@ cp %{SOURCE13} test/
%patch79 -p1 -b .servername-cb
%patch80 -p1 -b .s390x-test-aes
%patch81 -p1 -b .read-buff
+%patch82 -p1 -b .cve-2022-0778
%build
@@ -486,6 +488,10 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
+* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
+- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
+- Resolves: rhbz#2067144
+
* Fri Nov 12 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
- CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
- Resolves: rhbz#2005400