[PA-6132] : Applied CVE Patches to openssl-1.1.1k-7

puppetlabs · Feb 23, 2024 · 2356543 · 2356543
1 parent c59ee5a
commit 2356543
Show file tree

Hide file tree

Showing 5 changed files with 339 additions and 9 deletions.
diff --git a/configs/components/openssl-1.1.1-fips.rb b/configs/components/openssl-1.1.1-fips.rb
@@ -24,6 +24,10 @@
   pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-7-fips-spec-file.patch'
   pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-remove-env-check.patch'
   pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1l-sm2-plaintext.patch'
+  pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-CVE-2023-3446-fips.patch'
+  pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-CVE-2023-5678-fips.patch'
+  pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-CVE-2024-0727-fips.patch'
+
 
   if platform.name =~ /-7-/
     pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-post-rand.patch'
@@ -55,7 +59,10 @@
       "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-force-fips-mode.patch && cd -",
       "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-7-fips-spec-file.patch && cd -",
       "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-remove-env-check.patch && cd -",
-      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1l-sm2-plaintext.patch && cd -"
+      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1l-sm2-plaintext.patch && cd -",
+      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-CVE-2023-3446-fips.patch  && cd -",
+      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-CVE-2023-5678-fips.patch  && cd -",
+      "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-CVE-2024-0727-fips.patch  && cd -"
     ]
   end
 

diff --git a/resources/patches/openssl/openssl-1.1.1k-7-fips-spec-file.patch b/resources/patches/openssl/openssl-1.1.1k-7-fips-spec-file.patch
@@ -1,28 +1,34 @@
 --- a/SPECS/openssl.spec	2024-02-20 10:19:41
-+++ b/SPECS/openssl.spec	2024-02-23 11:38:58
-@@ -87,6 +87,10 @@
++++ b/SPECS/openssl.spec	2024-02-22 20:31:28
+@@ -87,6 +87,13 @@
  Patch84: openssl-1.1.1-cve-2022-1292.patch
  Patch85: openssl-1.1.1-cve-2022-2068.patch
  Patch86: openssl-1.1.1-cve-2022-2097.patch
 +Patch100: openssl-1.1.1-force-fips-on-init.patch
 +Patch101: openssl-1.1.1-openssl-cnf-fips-mode.patch
 +Patch102: openssl-1.1.1-remove-env-check.patch
 +Patch103: openssl-1.1.1l-sm2-plaintext.patch
++Patch104: openssl-1.1.1k-CVE-2023-3446-fips.patch
++Patch105: openssl-1.1.1k-CVE-2023-5678-fips.patch
++Patch106: openssl-1.1.1k-CVE-2024-0727-fips.patch
 
  License: OpenSSL and ASL 2.0
  URL: http://www.openssl.org/
-@@ -212,6 +216,10 @@
+@@ -212,6 +219,13 @@
  %patch84 -p1 -b .cve-2022-1292
  %patch85 -p1 -b .cve-2022-2068
  %patch86 -p1 -b .cve-2022-2097
 +%patch100 -p1 -b .force-fips-on-init
 +%patch101 -p1 -b .openssl-cnf-fips-mode
 +%patch102 -p1 -b .remove-env-check
 +%patch103 -p1 -b .sm2-plaintext
++%patch104 -p1 -F2 -b .CVE-2023-3446-fips
++%patch105 -p1 -F2 -b .CVE-2023-5678-fips
++%patch106 -p1 -b .CVE-2024-0727-fips
 
  %build
  # Figure out which flags we want to use.
-@@ -220,7 +228,7 @@
+@@ -220,7 +234,7 @@
  %ifarch %ix86
  sslarch=linux-elf
  if ! echo %{_target} | grep -q i686 ; then
@@ -31,7 +37,7 @@
  fi
  %endif
  %ifarch x86_64
-@@ -286,13 +294,13 @@
+@@ -286,13 +300,13 @@
  # usable on all platforms.  The Configure script already knows to use -fPIC and
  # RPM_OPT_FLAGS, so we can skip specifiying them here.
  ./Configure \
@@ -52,7 +58,7 @@
 
  # Do not run this in a production package the FIPS symbols must be patched-in
  #util/mkdef.pl crypto update
-@@ -352,9 +360,9 @@
+@@ -352,9 +366,9 @@
  make DESTDIR=$RPM_BUILD_ROOT install
  rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
  for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
@@ -65,7 +71,7 @@
  done
 
  # Install a makefile for generating keys and self-signed certs, and a script
-@@ -375,21 +383,21 @@
+@@ -375,21 +389,21 @@
  pushd $RPM_BUILD_ROOT%{_mandir}
  ln -s -f config.5 man5/openssl.cnf.5
  for manpage in man*/* ; do
@@ -99,7 +105,7 @@
  done
  popd
 
-@@ -424,11 +432,11 @@
+@@ -424,11 +438,11 @@
  # can have both a 32- and 64-bit version of the library, and they each need
  # their own correct-but-different versions of opensslconf.h to be usable.
  install -m644 %{SOURCE10} \

diff --git a/resources/patches/openssl/openssl-1.1.1k-CVE-2023-3446-fips.patch b/resources/patches/openssl/openssl-1.1.1k-CVE-2023-3446-fips.patch
@@ -0,0 +1,53 @@
+--- /dev/null	2024-02-22 20:27:57
++++ openssl-1.1.1k/SOURCES/openssl-1.1.1k-CVE-2023-3446-fips.patch	2024-02-22 20:24:39
+@@ -0,0 +1,50 @@
++diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
++index 7285587b4a..8dd8ca0f92 100644
++--- a/crypto/dh/dh_err.c
+++++ b/crypto/dh/dh_err.c
++@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
++     {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
++     {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
++      "dh_builtin_genparams"},
+++    {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
++     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
++     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
++     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
++diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
++index 7e1776375d..df2fc4e830 100644
++--- a/crypto/err/openssl.txt
+++++ b/crypto/err/openssl.txt
++@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
++ DH_F_COMPUTE_KEY:102:compute_key
++ DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
++ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
+++DH_F_DH_CHECK:126:DH_check
++ DH_F_DH_CHECK_EX:121:DH_check_ex
++ DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
++ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
++diff --git a/include/openssl/dh.h b/include/openssl/dh.h
++index 3527540cdd..892e31559d 100644
++--- a/include/openssl/dh.h
+++++ b/include/openssl/dh.h
++@@ -29,6 +29,9 @@ extern "C" {
++ # ifndef OPENSSL_DH_MAX_MODULUS_BITS
++ #  define OPENSSL_DH_MAX_MODULUS_BITS    10000
++ # endif
+++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+++#  define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
+++# endif
++ 
++ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++ 
++diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
++index 916b3bed0b..9955f24652 100644
++--- a/include/openssl/dherr.h
+++++ b/include/openssl/dherr.h
++@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
++ #  define DH_F_COMPUTE_KEY                                 102
++ #  define DH_F_DHPARAMS_PRINT_FP                           101
++ #  define DH_F_DH_BUILTIN_GENPARAMS                        106
+++#  define DH_F_DH_CHECK                                    126
++ #  define DH_F_DH_CHECK_EX                                 121
++ #  define DH_F_DH_CHECK_PARAMS_EX                          122
++ #  define DH_F_DH_CHECK_PUB_KEY_EX                         123
diff --git a/resources/patches/openssl/openssl-1.1.1k-CVE-2023-5678-fips.patch b/resources/patches/openssl/openssl-1.1.1k-CVE-2023-5678-fips.patch
@@ -0,0 +1,145 @@
+--- /dev/null	2024-02-21 18:23:03
++++ openssl-1.1.1k/SOURCES/openssl-1.1.1k-CVE-2023-5678-fips.patch	2024-02-14 12:51:49
+@@ -0,0 +1,142 @@
++Backport of:
++
++From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
++From: Richard Levitte <[email protected]>
++Date: Fri, 20 Oct 2023 09:18:19 +0200
++Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
++
++We already check for an excessively large P in DH_generate_key(), but not in
++DH_check_pub_key(), and none of them check for an excessively large Q.
++
++This change adds all the missing excessive size checks of P and Q.
++
++It's to be noted that behaviours surrounding excessively sized P and Q
++differ.  DH_check() raises an error on the excessively sized P, but only
++sets a flag for the excessively sized Q.  This behaviour is mimicked in
++DH_check_pub_key().
++
++Reviewed-by: Tomas Mraz <[email protected]>
++Reviewed-by: Matt Caswell <[email protected]>
++Reviewed-by: Hugo Landau <[email protected]>
++(Merged from https://github.com/openssl/openssl/pull/22518)
++
++(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
++---
++ crypto/dh/dh_check.c    | 12 ++++++++++++
++ crypto/dh/dh_err.c      |  3 ++-
++ crypto/dh/dh_key.c      | 12 ++++++++++++
++ crypto/err/openssl.txt  |  1 +
++ include/crypto/dherr.h  |  2 +-
++ include/openssl/dh.h    |  6 +++---
++ include/openssl/dherr.h |  3 ++-
++ 7 files changed, 33 insertions(+), 6 deletions(-)
++
++--- a/crypto/dh/dh_check.c
+++++ b/crypto/dh/dh_check.c
++@@ -201,6 +201,19 @@ int DH_check_pub_key(const DH *dh, const
++     if (ctx == NULL)
++         goto err;
++     BN_CTX_start(ctx);
+++
+++    /* Don't do any checks at all with an excessively large modulus */
+++    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+++        DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+++        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+++        goto err;
+++    }
+++
+++    if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
+++        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+++        goto out;
+++    }
+++
++     tmp = BN_CTX_get(ctx);
++     if (tmp == NULL || !BN_set_word(tmp, 1))
++         goto err;
++@@ -219,6 +232,7 @@ int DH_check_pub_key(const DH *dh, const
++             *ret |= DH_CHECK_PUBKEY_INVALID;
++     }
++ 
+++ out:
++     ok = 1;
++  err:
++     BN_CTX_end(ctx);
++--- a/crypto/dh/dh_err.c
+++++ b/crypto/dh/dh_err.c
++@@ -82,6 +82,7 @@ static const ERR_STRING_DATA DH_str_reas
++     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
++     "parameter encoding error"},
++     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+++    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
++     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
++     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
++     "unable to check generator"},
++--- a/crypto/dh/dh_key.c
+++++ b/crypto/dh/dh_key.c
++@@ -87,6 +87,12 @@ static int generate_key(DH *dh)
++         return 0;
++     }
++ 
+++    if (dh->q != NULL
+++        && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+++        DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
+++        return 0;
+++    }
+++
++     ctx = BN_CTX_new();
++     if (ctx == NULL)
++         goto err;
++@@ -180,6 +186,12 @@ static int compute_key(unsigned char *ke
++         goto err;
++     }
++ 
+++    if (dh->q != NULL
+++        && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+++        DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
+++        goto err;
+++    }
+++
++     ctx = BN_CTX_new();
++     if (ctx == NULL)
++         goto err;
++--- a/crypto/err/openssl.txt
+++++ b/crypto/err/openssl.txt
++@@ -2110,6 +2110,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters
++ DH_R_NO_PRIVATE_VALUE:100:no private value
++ DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
++ DH_R_PEER_KEY_ERROR:111:peer key error
+++DH_R_Q_TOO_LARGE:130:q too large
++ DH_R_SHARED_INFO_ERROR:113:shared info error
++ DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
++ DSA_R_BAD_Q_VALUE:102:bad q value
++--- a/include/openssl/dh.h
+++++ b/include/openssl/dh.h
++@@ -71,14 +71,16 @@ DECLARE_ASN1_ITEM(DHparams)
++ /* #define DH_GENERATOR_3       3 */
++ # define DH_GENERATOR_5          5
++ 
++-/* DH_check error codes */
+++/* DH_check error codes, some of them shared with DH_check_pub_key */
++ # define DH_CHECK_P_NOT_PRIME            0x01
++ # define DH_CHECK_P_NOT_SAFE_PRIME       0x02
++ # define DH_UNABLE_TO_CHECK_GENERATOR    0x04
++ # define DH_NOT_SUITABLE_GENERATOR       0x08
++ # define DH_CHECK_Q_NOT_PRIME            0x10
++-# define DH_CHECK_INVALID_Q_VALUE        0x20
+++# define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
++ # define DH_CHECK_INVALID_J_VALUE        0x40
+++# define DH_MODULUS_TOO_SMALL            0x80
+++# define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
++ 
++ /* DH_check_pub_key error codes */
++ # define DH_CHECK_PUBKEY_TOO_SMALL       0x01
++--- a/include/openssl/dherr.h
+++++ b/include/openssl/dherr.h
++@@ -82,6 +82,7 @@ int ERR_load_DH_strings(void);
++ #  define DH_R_NO_PRIVATE_VALUE                            100
++ #  define DH_R_PARAMETER_ENCODING_ERROR                    105
++ #  define DH_R_PEER_KEY_ERROR                              111
+++#  define DH_R_Q_TOO_LARGE                                 130
++ #  define DH_R_SHARED_INFO_ERROR                           113
++ #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
++