diff --git a/SOURCES/openssl-1.1.1-cve-2022-0778.patch b/SOURCES/openssl-1.1.1-cve-2022-0778.patch new file mode 100644 index 0000000..4e62b3f --- /dev/null +++ b/SOURCES/openssl-1.1.1-cve-2022-0778.patch @@ -0,0 +1,179 @@ +From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:21 +0100 +Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt() + +The calculation in some cases does not finish for non-prime p. + +This fixes CVE-2022-0778. + +Based on patch by David Benjamin . + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:30 +0100 +Subject: [PATCH] Add documentation of BN_mod_sqrt() + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + doc/man3/BN_add.pod | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:35 +0100 +Subject: [PATCH] Add a negative testcase for BN_mod_sqrt + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + test/bntest.c | 11 ++++++++++- + test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c +index 1723d5ded5a8..53b0f559855c 100644 +--- a/crypto/bn/bn_sqrt.c ++++ b/crypto/bn/bn_sqrt.c +@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + /* + * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks + * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number +- * Theory", algorithm 1.5.1). 'p' must be prime! ++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or ++ * an incorrect "result" will be returned. + */ + { + BIGNUM *ret = in; +@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + goto vrfy; + } + +- /* find smallest i such that b^(2^i) = 1 */ +- i = 1; +- if (!BN_mod_sqr(t, b, p, ctx)) +- goto end; +- while (!BN_is_one(t)) { +- i++; +- if (i == e) { +- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); +- goto end; ++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ ++ for (i = 1; i < e; i++) { ++ if (i == 1) { ++ if (!BN_mod_sqr(t, b, p, ctx)) ++ goto end; ++ ++ } else { ++ if (!BN_mod_mul(t, t, t, p, ctx)) ++ goto end; + } +- if (!BN_mod_mul(t, t, t, p, ctx)) +- goto end; ++ if (BN_is_one(t)) ++ break; ++ } ++ /* If not found, a is not a square or p is not prime. */ ++ if (i >= e) { ++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); ++ goto end; + } + + /* t := y^2^(e - i - 1) */ +diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod +index dccd4790ede7..1f5e37a4d183 100644 +--- a/doc/man3/BN_add.pod ++++ b/doc/man3/BN_add.pod +@@ -3,7 +3,7 @@ + =head1 NAME + + BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, +-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd - ++BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd - + arithmetic operations on BIGNUMs + + =head1 SYNOPSIS +@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs + + int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); + ++ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); ++ + int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx); + + int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, +@@ -87,6 +89,12 @@ L. + BN_mod_sqr() takes the square of I modulo B and places the + result in I. + ++BN_mod_sqrt() returns the modular square root of I such that ++C. The modulus I

must be a ++prime, otherwise an error or an incorrect "result" will be returned. ++The result is stored into I which can be NULL. The result will be ++newly allocated in that case. ++ + BN_exp() raises I to the I

-th power and places the result in I + (C). This function is faster than repeated applications of + BN_mul(). +@@ -108,7 +116,10 @@ the arguments. + + =head1 RETURN VALUES + +-For all functions, 1 is returned for success, 0 on error. The return ++The BN_mod_sqrt() returns the result (possibly incorrect if I

is ++not a prime), or NULL. ++ ++For all remaining functions, 1 is returned for success, 0 on error. The return + value should always be checked (e.g., C). + The error codes can be obtained by L. + +diff --git a/test/bntest.c b/test/bntest.c +index 390dd800733e..1cab660bcafb 100644 +--- a/test/bntest.c ++++ b/test/bntest.c +@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s) + || !TEST_ptr(ret2 = BN_new())) + goto err; + ++ if (BN_is_negative(mod_sqrt)) { ++ /* A negative testcase */ ++ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx))) ++ goto err; ++ ++ st = 1; ++ goto err; ++ } ++ + /* There are two possible answers. */ +- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx)) ++ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx)) + || !TEST_true(BN_sub(ret2, p, ret))) + goto err; + +diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt +index 5ea4d031f271..e28cc6bfb02e 100644 +--- a/test/recipes/10-test_bn_data/bnmod.txt ++++ b/test/recipes/10-test_bn_data/bnmod.txt +@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f + ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186 + A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81 + P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f ++ ++# Negative testcases for BN_mod_sqrt() ++ ++# This one triggers an infinite loop with unfixed implementation ++# It should just fail. ++ModSqrt = -1 ++A = 20a7ee ++P = 460201 ++ ++ModSqrt = -1 ++A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed ++P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index 56ab8a7..1e0c070 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1k -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -82,6 +82,7 @@ Patch56: openssl-1.1.1-s390x-ecc.patch Patch74: openssl-1.1.1-addrconfig.patch Patch75: openssl-1.1.1-tls13-curves.patch Patch81: openssl-1.1.1-read-buff.patch +Patch82: openssl-1.1.1-cve-2022-0778.patch License: OpenSSL and ASL 2.0 URL: http://www.openssl.org/ @@ -202,6 +203,7 @@ cp %{SOURCE13} test/ %patch79 -p1 -b .servername-cb %patch80 -p1 -b .s390x-test-aes %patch81 -p1 -b .read-buff +%patch82 -p1 -b .cve-2022-0778 %build @@ -486,6 +488,10 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog +* Wed Mar 23 2022 Clemens Lang - 1:1.1.1k-6 +- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates +- Resolves: rhbz#2067144 + * Fri Nov 12 2021 Sahana Prasad - 1:1.1.1k-5 - CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings - Resolves: rhbz#2005400