[PA-6132] : Applied CVE patches for openssl-1.1.1k-6. The following patches were applied:

1. CVE-2023-3446
2. CVE-2023-5678
3. CVE-2024-0727
span786 committed Feb 27, 2024
1 parent 1a4f299 commit f0431d8
Showing 5 changed files with 350 additions and 19 deletions.
8 changes: 7 additions & 1 deletion configs/components/openssl-1.1.1-fips.rb
Expand Up @@ -24,6 +24,9 @@
pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-spec-file.patch'
pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-remove-env-check.patch'
pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1l-sm2-plaintext.patch'
pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-CVE-2023-3446-fips.patch'
pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-CVE-2023-5678-fips.patch'
pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-CVE-2024-0727-fips.patch'

if platform.name =~ /-7-/
pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-post-rand.patch'
Expand Down Expand Up @@ -55,7 +58,10 @@
"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-force-fips-mode.patch && cd -",
"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-spec-file.patch && cd -",
"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-remove-env-check.patch && cd -",
"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1l-sm2-plaintext.patch && cd -"
"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1l-sm2-plaintext.patch && cd -",
"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-CVE-2023-3446-fips.patch && cd -",
"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-CVE-2023-5678-fips.patch && cd -",
"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-CVE-2024-0727-fips.patch && cd -"
]
end

43 changes: 25 additions & 18 deletions resources/patches/openssl/openssl-1.1.1-fips-spec-file.patch
@@ -1,13 +1,16 @@
--- a/SPECS/openssl.spec 2019-05-11 00:45:45.000000000 +0000
+++ b/SPECS/openssl.spec 2020-01-13 15:16:29.224852120 +0000
@@ -83,16 +83,20 @@
@@ -83,16 +83,23 @@
Patch75: openssl-1.1.1-tls13-curves.patch
Patch81: openssl-1.1.1-read-buff.patch
Patch82: openssl-1.1.1-cve-2022-0778.patch
+Patch100: openssl-1.1.1-force-fips-on-init.patch
+Patch101: openssl-1.1.1-openssl-cnf-fips-mode.patch
+Patch102: openssl-1.1.1-remove-env-check.patch
+Patch103: openssl-1.1.1l-sm2-plaintext.patch
+Patch104: openssl-1.1.1k-CVE-2023-3446-fips.patch
+Patch105: openssl-1.1.1k-CVE-2023-5678-fips.patch
+Patch106: openssl-1.1.1k-CVE-2024-0727-fips.patch

License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/
Expand All @@ -23,15 +26,15 @@
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
@@ -107,7 +112,6 @@
@@ -109,7 +116,6 @@
Summary: A general purpose cryptography library with TLS implementation
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
-Recommends: openssl-pkcs11%{?_isa}
# Needed obsoletes due to the base/lib subpackage split
Obsoletes: openssl < 1:1.0.1-0.3.beta3
Obsoletes: openssl-fips < 1:1.0.1e-28
@@ -141,7 +145,7 @@
@@ -143,7 +149,7 @@

%package perl
Summary: Perl scripts provided with OpenSSL
Expand All @@ -40,18 +43,22 @@
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}

%description perl
@@ -208,6 +215,10 @@
@@ -204,7 +210,13 @@
%patch80 -p1 -b .s390x-test-aes
%patch81 -p1 -b .read-buff
%patch82 -p1 -b .cve-2022-0778
-
+%patch100 -p1 -b .force-fips-on-init
+%patch101 -p1 -b .openssl-cnf-fips-mode
+%patch102 -p1 -b .remove-env-check
+%patch103 -p1 -b .sm2-plaintext

+%patch104 -p1 -F2 -b .CVE-2023-3446-fips
+%patch105 -p1 -F2 -b .CVE-2023-5678-fips
+%patch106 -p1 -b .CVE-2024-0727-fips

%build
@@ -266,7 +275,7 @@
# Figure out which flags we want to use.
@@ -270,7 +282,7 @@
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
Expand All @@ -60,18 +67,18 @@

export HASHBANGPERL=/usr/bin/perl

@@ -275,8 +284,8 @@
@@ -279,8 +291,8 @@
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifiying them here.
./Configure \
- --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
- --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+ --prefix=%{_prefix} --openssldir=%{_prefix}/ssl ${sslflags} \
+ --system-ciphers-file=%{_prefix}/etc/crypto-policies/back-ends/openssl.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5\
enable-weak-ssl-ciphers \
@@ -348,14 +357,14 @@
- --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
- --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+ --prefix=%{_prefix} --openssldir=%{_prefix}/ssl ${sslflags} \
+ --system-ciphers-file=%{_prefix}/etc/crypto-policies/back-ends/openssl.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5\
enable-weak-ssl-ciphers \
@@ -352,14 +364,14 @@

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
Expand All @@ -89,7 +96,7 @@

# Drop the SSLv3 methods from includes
sed -i '/ifndef OPENSSL_NO_SSL3_METHOD/,+4d' $RPM_BUILD_ROOT%{_includedir}/openssl/ssl.h
@@ -382,19 +391,19 @@
@@ -386,19 +398,19 @@
done
popd

Expand Down Expand Up @@ -118,7 +125,7 @@

# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
@@ -441,12 +450,12 @@
@@ -445,12 +457,12 @@
%files libs
%{!?_licensedir:%global license %%doc}
%license LICENSE
Expand All @@ -137,7 +144,7 @@
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
@@ -473,11 +482,11 @@
@@ -477,11 +489,11 @@
%{_mandir}/man1*/c_rehash*
%{_mandir}/man1*/tsget*
%{_mandir}/man1*/openssl-tsget*
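Review bot: `%patch104 -p1 -F2 -b .CVE-2023-3446-fips` and `%patch105 -p1 -F2 -b .CVE-2023-5678-fips` in the new %prep block apply the two DH patches with a fuzz factor of 2, while `%patch106` and every older patch in this spec use the default, and the component file applies the same three files with `--fuzz=0`. Fuzz lets a hunk match with up to two context lines ignored at each end, so a backported security hunk can land at an offset other than the one it was written for without the build failing; regenerating the two patches against the 1.1.1k-6 tree and dropping `-F2` (`%patch104 -p1 -b .CVE-2023-3446-fips`, `%patch105 -p1 -b .CVE-2023-5678-fips`) makes a context mismatch fail loudly instead. The %prep section this hunk belongs to starts and ends outside the hunk.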
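--- /dev/null
+++ b/resources/patches/openssl/openssl-1.1.1k-CVE-2023-3446-fips.patch
@@ -0,0 +1,54 @@
+--- /dev/null 2024-02-22 20:27:57
++++ openssl-1.1.1k/SOURCES/openssl-1.1.1k-CVE-2023-3446-fips.patch 2024-02-22 20:24:39
+@@ -0,0 +1,50 @@
++diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
++index 7285587b4a..8dd8ca0f92 100644
++--- a/crypto/dh/dh_err.c
+++++ b/crypto/dh/dh_err.c
++@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
++ {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
++ "dh_builtin_genparams"},
+++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
++diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
++index 7e1776375d..df2fc4e830 100644
++--- a/crypto/err/openssl.txt
+++++ b/crypto/err/openssl.txt
++@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
++ DH_F_COMPUTE_KEY:102:compute_key
++ DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
++ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
+++DH_F_DH_CHECK:126:DH_check
++ DH_F_DH_CHECK_EX:121:DH_check_ex
++ DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
++ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
++diff --git a/include/openssl/dh.h b/include/openssl/dh.h
++index 3527540cdd..892e31559d 100644
++--- a/include/openssl/dh.h
+++++ b/include/openssl/dh.h
++@@ -29,6 +29,9 @@ extern "C" {
++ # ifndef OPENSSL_DH_MAX_MODULUS_BITS
++ # define OPENSSL_DH_MAX_MODULUS_BITS 10000
++ # endif
+++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+++# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
+++# endif
++
++ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++
++diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
++index 916b3bed0b..9955f24652 100644
++--- a/include/openssl/dherr.h
+++++ b/include/openssl/dherr.h
++@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
++ # define DH_F_COMPUTE_KEY 102
++ # define DH_F_DHPARAMS_PRINT_FP 101
++ # define DH_F_DH_BUILTIN_GENPARAMS 106
+++# define DH_F_DH_CHECK 126
++ # define DH_F_DH_CHECK_EX 121
++ # define DH_F_DH_CHECK_PARAMS_EX 122
++ # define DH_F_DH_CHECK_PUB_KEY_EX 123
++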
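Review bot: The nested patch adds `OPENSSL_DH_CHECK_MAX_MODULUS_BITS`, the `DH_F_DH_CHECK` function code and its error string, but contains no hunk for crypto/dh/dh_check.c, which is where the upstream CVE-2023-3446 fix makes DH_check() return early once `BN_num_bits(dh->p)` exceeds that limit. Unless that check is already present in the 1.1.1k-6 base or arrives through another patch, the new limit is never consulted and DH_check() stays unbounded, so this should be confirmed against the tree after %prep before the CVE is considered closed. Separately, the inner hunk header `@@ -0,0 +1,50 @@` is followed by 51 `+` lines (the last being the bare trailing `+`), so the line count is off by one; patch may tolerate the extra line as trailing garbage, but the header should read `@@ -0,0 +1,51 @@` or the trailing line should be dropped so the file applies without warnings.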
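--- /dev/null
+++ b/resources/patches/openssl/openssl-1.1.1k-CVE-2023-5678-fips.patch
@@ -0,0 +1,145 @@
+--- /dev/null 2024-02-26 19:17:51
++++ openssl-1.1.1k-6/SOURCES/openssl-1.1.1k-CVE-2023-5678-fips.patch 2024-02-01 02:02:19
+@@ -0,0 +1,142 @@
++Backport of:
++
++From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
++From: Richard Levitte <[email protected]>
++Date: Fri, 20 Oct 2023 09:18:19 +0200
++Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
++
++We already check for an excessively large P in DH_generate_key(), but not in
++DH_check_pub_key(), and none of them check for an excessively large Q.
++
++This change adds all the missing excessive size checks of P and Q.
++
++It's to be noted that behaviours surrounding excessively sized P and Q
++differ. DH_check() raises an error on the excessively sized P, but only
++sets a flag for the excessively sized Q. This behaviour is mimicked in
++DH_check_pub_key().
++
++Reviewed-by: Tomas Mraz <[email protected]>
++Reviewed-by: Matt Caswell <[email protected]>
++Reviewed-by: Hugo Landau <[email protected]>
++(Merged from https://github.com/openssl/openssl/pull/22518)
++
++(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
++---
++ crypto/dh/dh_check.c | 12 ++++++++++++
++ crypto/dh/dh_err.c | 3 ++-
++ crypto/dh/dh_key.c | 12 ++++++++++++
++ crypto/err/openssl.txt | 1 +
++ include/crypto/dherr.h | 2 +-
++ include/openssl/dh.h | 6 +++---
++ include/openssl/dherr.h | 3 ++-
++ 7 files changed, 33 insertions(+), 6 deletions(-)
++
++--- a/crypto/dh/dh_check.c
+++++ b/crypto/dh/dh_check.c
++@@ -201,6 +201,19 @@ int DH_check_pub_key(const DH *dh, const
++ if (ctx == NULL)
++ goto err;
++ BN_CTX_start(ctx);
+++
+++ /* Don't do any checks at all with an excessively large modulus */
+++ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+++ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+++ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+++ goto err;
+++ }
+++
+++ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
+++ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+++ goto out;
+++ }
+++
++ tmp = BN_CTX_get(ctx);
++ if (tmp == NULL || !BN_set_word(tmp, 1))
++ goto err;
++@@ -219,6 +232,7 @@ int DH_check_pub_key(const DH *dh, const
++ *ret |= DH_CHECK_PUBKEY_INVALID;
++ }
++
+++ out:
++ ok = 1;
++ err:
++ BN_CTX_end(ctx);
++--- a/crypto/dh/dh_err.c
+++++ b/crypto/dh/dh_err.c
++@@ -82,6 +82,7 @@ static const ERR_STRING_DATA DH_str_reas
++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
++ "parameter encoding error"},
++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
++ "unable to check generator"},
++--- a/crypto/dh/dh_key.c
+++++ b/crypto/dh/dh_key.c
++@@ -87,6 +87,12 @@ static int generate_key(DH *dh)
++ return 0;
++ }
++
+++ if (dh->q != NULL
+++ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+++ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
+++ return 0;
+++ }
+++
++ ctx = BN_CTX_new();
++ if (ctx == NULL)
++ goto err;
++@@ -180,6 +186,12 @@ static int compute_key(unsigned char *ke
++ goto err;
++ }
++
+++ if (dh->q != NULL
+++ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+++ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
+++ goto err;
+++ }
+++
++ ctx = BN_CTX_new();
++ if (ctx == NULL)
++ goto err;
++--- a/crypto/err/openssl.txt
+++++ b/crypto/err/openssl.txt
++@@ -2110,6 +2110,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters
++ DH_R_NO_PRIVATE_VALUE:100:no private value
++ DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
++ DH_R_PEER_KEY_ERROR:111:peer key error
+++DH_R_Q_TOO_LARGE:130:q too large
++ DH_R_SHARED_INFO_ERROR:113:shared info error
++ DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
++ DSA_R_BAD_Q_VALUE:102:bad q value
++--- a/include/openssl/dh.h
+++++ b/include/openssl/dh.h
++@@ -71,14 +71,16 @@ DECLARE_ASN1_ITEM(DHparams)
++ /* #define DH_GENERATOR_3 3 */
++ # define DH_GENERATOR_5 5
++
++-/* DH_check error codes */
+++/* DH_check error codes, some of them shared with DH_check_pub_key */
++ # define DH_CHECK_P_NOT_PRIME 0x01
++ # define DH_CHECK_P_NOT_SAFE_PRIME 0x02
++ # define DH_UNABLE_TO_CHECK_GENERATOR 0x04
++ # define DH_NOT_SUITABLE_GENERATOR 0x08
++ # define DH_CHECK_Q_NOT_PRIME 0x10
++-# define DH_CHECK_INVALID_Q_VALUE 0x20
+++# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
++ # define DH_CHECK_INVALID_J_VALUE 0x40
+++# define DH_MODULUS_TOO_SMALL 0x80
+++# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
++
++ /* DH_check_pub_key error codes */
++ # define DH_CHECK_PUBKEY_TOO_SMALL 0x01
++--- a/include/openssl/dherr.h
+++++ b/include/openssl/dherr.h
++@@ -82,6 +82,7 @@ int ERR_load_DH_strings(void);
++ # define DH_R_NO_PRIVATE_VALUE 100
++ # define DH_R_PARAMETER_ENCODING_ERROR 105
++ # define DH_R_PEER_KEY_ERROR 111
+++# define DH_R_Q_TOO_LARGE 130
++ # define DH_R_SHARED_INFO_ERROR 113
++ # define DH_R_UNABLE_TO_CHECK_GENERATOR 121
++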
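Review bot: The DH_check_pub_key() hunk reads `OPENSSL_DH_CHECK_MAX_MODULUS_BITS` and raises `DH_F_DH_CHECK`, neither of which stock 1.1.1k defines; both are introduced only by the CVE-2023-3446 patch shipped in this same commit, so this patch compiles solely because `%patch104` precedes `%patch105` in the spec. That ordering constraint deserves a line in the preamble, e.g. `Requires openssl-1.1.1k-CVE-2023-3446-fips.patch (OPENSSL_DH_CHECK_MAX_MODULUS_BITS, DH_F_DH_CHECK) to be applied first.`. The diffstat kept from the upstream commit lists `include/crypto/dherr.h | 2 +-` and `crypto/dh/dh_err.c | 3 ++-`, but this backport has no hunk for include/crypto/dherr.h and only adds one line to dh_err.c, so the stat no longer describes the hunks that follow and should be regenerated or removed. DH_check_pub_key(), generate_key() and compute_key() all start and end outside their hunks.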