diff --git a/backport-Coverity-1508506-misuse-of-time_t.patch b/backport-Coverity-1508506-misuse-of-time_t.patch new file mode 100644 index 0000000000000000000000000000000000000000..e95f6fdb51f1e4eade51012b2ace0acfdc7fd185 --- /dev/null +++ b/backport-Coverity-1508506-misuse-of-time_t.patch @@ -0,0 +1,177 @@ +From 07ecb790b02c0e8781ae591e7efb2a4f93177354 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Tue, 16 Aug 2022 11:05:02 +1000 +Subject: [PATCH] Coverity 1508506: misuse of time_t + +Fixes a bug in the cookie code which would have caused problems for ten +minutes before and after the lower 32 bits of time_t rolled over. + +Reviewed-by: Ben Kaduk +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/19022) +--- + ssl/packet.c | 6 +++--- + ssl/packet_local.h | 37 +++++++++++++++++++++++++++++++++++- + ssl/statem/extensions_srvr.c | 14 +++++++------- + 3 files changed, 46 insertions(+), 11 deletions(-) + +diff --git a/ssl/packet.c b/ssl/packet.c +index 1ddde969f3..691a82b706 100644 +--- a/ssl/packet.c ++++ b/ssl/packet.c +@@ -161,7 +161,7 @@ int WPACKET_set_flags(WPACKET *pkt, unsigned int flags) + } + + /* Store the |value| of length |len| at location |data| */ +-static int put_value(unsigned char *data, size_t value, size_t len) ++static int put_value(unsigned char *data, uint64_t value, size_t len) + { + for (data += len - 1; len > 0; len--) { + *data = (unsigned char)(value & 0xff); +@@ -306,12 +306,12 @@ int WPACKET_start_sub_packet(WPACKET *pkt) + return WPACKET_start_sub_packet_len__(pkt, 0); + } + +-int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t size) ++int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t size) + { + unsigned char *data; + + /* Internal API, so should not fail */ +- if (!ossl_assert(size <= sizeof(unsigned int)) ++ if (!ossl_assert(size <= sizeof(uint64_t)) + || !WPACKET_allocate_bytes(pkt, size, &data) + || !put_value(data, val, size)) + return 0; +diff --git a/ssl/packet_local.h b/ssl/packet_local.h +index 1b6c2fb9bc..e93680d8bb 100644 +--- a/ssl/packet_local.h ++++ b/ssl/packet_local.h +@@ -227,6 +227,28 @@ __owur static ossl_inline int PACKET_peek_net_4(const PACKET *pkt, + return 1; + } + ++/* ++ * Peek ahead at 8 bytes in network order from |pkt| and store the value in ++ * |*data| ++ */ ++__owur static ossl_inline int PACKET_peek_net_8(const PACKET *pkt, ++ uint64_t *data) ++{ ++ if (PACKET_remaining(pkt) < 8) ++ return 0; ++ ++ *data = ((uint64_t)(*pkt->curr)) << 56; ++ *data |= ((uint64_t)(*(pkt->curr + 1))) << 48; ++ *data |= ((uint64_t)(*(pkt->curr + 2))) << 40; ++ *data |= ((uint64_t)(*(pkt->curr + 3))) << 32; ++ *data |= ((uint64_t)(*(pkt->curr + 4))) << 24; ++ *data |= ((uint64_t)(*(pkt->curr + 5))) << 16; ++ *data |= ((uint64_t)(*(pkt->curr + 6))) << 8; ++ *data |= *(pkt->curr + 7); ++ ++ return 1; ++} ++ + /* Equivalent of n2l */ + /* Get 4 bytes in network order from |pkt| and store the value in |*data| */ + __owur static ossl_inline int PACKET_get_net_4(PACKET *pkt, unsigned long *data) +@@ -250,6 +272,17 @@ __owur static ossl_inline int PACKET_get_net_4_len(PACKET *pkt, size_t *data) + + return ret; + } ++ ++/* Get 8 bytes in network order from |pkt| and store the value in |*data| */ ++__owur static ossl_inline int PACKET_get_net_8(PACKET *pkt, uint64_t *data) ++{ ++ if (!PACKET_peek_net_8(pkt, data)) ++ return 0; ++ ++ packet_forward(pkt, 8); ++ ++ return 1; ++} + + /* Peek ahead at 1 byte from |pkt| and store the value in |*data| */ + __owur static ossl_inline int PACKET_peek_1(const PACKET *pkt, +@@ -808,7 +841,7 @@ int WPACKET_sub_reserve_bytes__(WPACKET *pkt, size_t len, + * 1 byte will fail. Don't call this directly. Use the convenience macros below + * instead. + */ +-int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes); ++int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t bytes); + + /* + * Convenience macros for calling WPACKET_put_bytes with different +@@ -822,6 +855,8 @@ int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes); + WPACKET_put_bytes__((pkt), (val), 3) + #define WPACKET_put_bytes_u32(pkt, val) \ + WPACKET_put_bytes__((pkt), (val), 4) ++#define WPACKET_put_bytes_u64(pkt, val) \ ++ WPACKET_put_bytes__((pkt), (val), 8) + + /* Set a maximum size that we will not allow the WPACKET to grow beyond */ + int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize); +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index f110053273..93a9b675e6 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -12,16 +12,16 @@ + #include "statem_local.h" + #include "internal/cryptlib.h" + +-#define COOKIE_STATE_FORMAT_VERSION 0 ++#define COOKIE_STATE_FORMAT_VERSION 1 + + /* + * 2 bytes for packet length, 2 bytes for format version, 2 bytes for + * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for +- * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen, ++ * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen, + * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie + * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing. + */ +-#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \ ++#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \ + + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH) + + /* +@@ -741,7 +741,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + unsigned char hmac[SHA256_DIGEST_LENGTH]; + unsigned char hrr[MAX_HRR_SIZE]; + size_t rawlen, hmaclen, hrrlen, ciphlen; +- unsigned long tm, now; ++ uint64_t tm, now; + + /* Ignore any cookie if we're not set up to verify it */ + if (s->ctx->verify_stateless_cookie_cb == NULL +@@ -851,7 +851,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + } + + if (!PACKET_get_1(&cookie, &key_share) +- || !PACKET_get_net_4(&cookie, &tm) ++ || !PACKET_get_net_8(&cookie, &tm) + || !PACKET_get_length_prefixed_2(&cookie, &chhash) + || !PACKET_get_length_prefixed_1(&cookie, &appcookie) + || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) { +@@ -861,7 +861,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + } + + /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */ +- now = (unsigned long)time(NULL); ++ now = time(NULL); + if (tm > now || (now - tm) > 600) { + /* Cookie is stale. Ignore it */ + return 1; +@@ -1799,7 +1799,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, + &ciphlen) + /* Is there a key_share extension present in this HRR? */ + || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL) +- || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL)) ++ || !WPACKET_put_bytes_u64(pkt, time(NULL)) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, +-- +2.36.1 + diff --git a/backport-Fix-a-logic-flaw-in-test_mod_exp_zero.patch b/backport-Fix-a-logic-flaw-in-test_mod_exp_zero.patch new file mode 100644 index 0000000000000000000000000000000000000000..910c2ace4be21a4129fd49336c5ff2885610c46f --- /dev/null +++ b/backport-Fix-a-logic-flaw-in-test_mod_exp_zero.patch @@ -0,0 +1,33 @@ +From ed8af0502167c80ba70522d88e719f874e24ebfd Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Fri, 16 Dec 2022 19:30:29 +0100 +Subject: [PATCH] Fix a logic flaw in test_mod_exp_zero + +Due to the logic flaw, possible test failures +in this test case might be ignored. + +Reviewed-by: Shane Lontis +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19929) + +(cherry picked from commit 42061268ee8f9ae0555d522870740fc91b744f4f) +--- + test/exptest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/exptest.c b/test/exptest.c +index cde4d6bc45..a327773ec4 100644 +--- a/test/exptest.c ++++ b/test/exptest.c +@@ -49,7 +49,7 @@ static int test_mod_exp_zero(void) + BIGNUM *r = NULL; + BN_ULONG one_word = 1; + BN_CTX *ctx = BN_CTX_new(); +- int ret = 1, failed = 0; ++ int ret = 0, failed = 0; + + if (!TEST_ptr(m = BN_new()) + || !TEST_ptr(a = BN_new()) +-- +2.36.1 + diff --git a/backport-Limit-size-of-modulus-for-bn_mul_mont-and-BN_mod_exp.patch b/backport-Limit-size-of-modulus-for-bn_mul_mont-and-BN_mod_exp.patch new file mode 100644 index 0000000000000000000000000000000000000000..0100c5cfa94db731ce44862d5631cc1d70ec0afe --- /dev/null +++ b/backport-Limit-size-of-modulus-for-bn_mul_mont-and-BN_mod_exp.patch @@ -0,0 +1,208 @@ +From 5bbd921ff5610bb5cca7475813f7f689f2a670e6 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Tue, 8 Nov 2022 17:43:22 +0100 +Subject: [PATCH] Limit size of modulus for bn_mul_mont and + BN_mod_exp_mont_consttime + +Otherwise the alloca can cause an exception. + +Issue reported by Jiayi Lin. + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/19735) +--- + crypto/bn/bn_exp.c | 34 +++++++++++++++++++++++++++------- + crypto/bn/bn_local.h | 20 ++++++++++++++++++++ + crypto/bn/bn_mont.c | 2 +- + test/exptest.c | 29 +++++++++++++++++++++++++++++ + 4 files changed, 77 insertions(+), 8 deletions(-) + +diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c +index e21dcff027..31043c8bc2 100644 +--- a/crypto/bn/bn_exp.c ++++ b/crypto/bn/bn_exp.c +@@ -37,6 +37,15 @@ extern unsigned int OPENSSL_sparcv9cap_P[]; + /* maximum precomputation table size for *variable* sliding windows */ + #define TABLE_SIZE 32 + ++/* ++ * Beyond this limit the constant time code is disabled due to ++ * the possible overflow in the computation of powerbufLen in ++ * BN_mod_exp_mont_consttime. ++ * When this limit is exceeded, the computation will be done using ++ * non-constant time code, but it will take very long. ++ */ ++#define BN_CONSTTIME_SIZE_LIMIT (INT_MAX / BN_BYTES / 256) ++ + /* this one works - simple but works */ + int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + { +@@ -305,12 +314,6 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + BIGNUM *val[TABLE_SIZE]; + BN_MONT_CTX *mont = NULL; + +- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0 +- || BN_get_flags(a, BN_FLG_CONSTTIME) != 0 +- || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) { +- return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); +- } +- + bn_check_top(a); + bn_check_top(p); + bn_check_top(m); +@@ -319,6 +322,14 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + BNerr(BN_F_BN_MOD_EXP_MONT, BN_R_CALLED_WITH_EVEN_MODULUS); + return 0; + } ++ ++ if (m->top <= BN_CONSTTIME_SIZE_LIMIT ++ && (BN_get_flags(p, BN_FLG_CONSTTIME) != 0 ++ || BN_get_flags(a, BN_FLG_CONSTTIME) != 0 ++ || BN_get_flags(m, BN_FLG_CONSTTIME) != 0)) { ++ return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); ++ } ++ + bits = BN_num_bits(p); + if (bits == 0) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ +@@ -618,6 +629,11 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + + top = m->top; + ++ if (top > BN_CONSTTIME_SIZE_LIMIT) { ++ /* Prevent overflowing the powerbufLen computation below */ ++ return BN_mod_exp_mont(rr, a, p, m, ctx, in_mont); ++ } ++ + /* + * Use all bits stored in |p|, rather than |BN_num_bits|, so we do not leak + * whether the top bits are zero. +@@ -697,7 +713,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + else + #endif + #if defined(OPENSSL_BN_ASM_MONT5) +- if (window >= 5) { ++ if (window >= 5 && top <= BN_SOFT_LIMIT) { + window = 5; /* ~5% improvement for RSA2048 sign, and even + * for RSA4096 */ + /* reserve space for mont->N.d[] copy */ +@@ -758,6 +774,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + if (!bn_to_mont_fixed_top(&am, a, mont, ctx)) + goto err; + ++ if (top > BN_SOFT_LIMIT) ++ goto fallback; ++ + #if defined(SPARC_T4_MONT) + if (t4) { + typedef int (*bn_pwr5_mont_f) (BN_ULONG *tp, const BN_ULONG *np, +@@ -1029,6 +1048,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + } else + #endif + { ++ fallback: + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window)) +diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h +index 8ad69ccd36..62a969b134 100644 +--- a/crypto/bn/bn_local.h ++++ b/crypto/bn/bn_local.h +@@ -35,6 +35,26 @@ + /* #define BN_DEBUG */ + /* #define BN_DEBUG_RAND */ + ++/* ++ * This should limit the stack usage due to alloca to about 4K. ++ * BN_SOFT_LIMIT is a soft limit equivalent to 2*OPENSSL_RSA_MAX_MODULUS_BITS. ++ * Beyond that size bn_mul_mont is no longer used, and the constant time ++ * assembler code is disabled, due to the blatant alloca and bn_mul_mont usage. ++ * Note that bn_mul_mont does an alloca that is hidden away in assembly. ++ * It is not recommended to do computations with numbers exceeding this limit, ++ * since the result will be highly version dependent: ++ * While the current OpenSSL version will use non-optimized, but safe code, ++ * previous versions will use optimized code, that may crash due to unexpected ++ * stack overflow, and future versions may very well turn this into a hard ++ * limit. ++ * Note however, that it is possible to override the size limit using ++ * "./config -DBN_SOFT_LIMIT=" if necessary, and the O/S specific ++ * stack limit is known and taken into consideration. ++ */ ++# ifndef BN_SOFT_LIMIT ++# define BN_SOFT_LIMIT (4096 / BN_BYTES) ++# endif ++ + # ifndef OPENSSL_SMALL_FOOTPRINT + # define BN_MUL_COMBA + # define BN_SQR_COMBA +diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c +index 1e5045a010..3d4a1bda45 100644 +--- a/crypto/bn/bn_mont.c ++++ b/crypto/bn/bn_mont.c +@@ -42,7 +42,7 @@ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + int num = mont->N.top; + + #if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) +- if (num > 1 && a->top == num && b->top == num) { ++ if (num > 1 && num <= BN_SOFT_LIMIT && a->top == num && b->top == num) { + if (bn_wexpand(r, num) == NULL) + return 0; + if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { +diff --git a/test/exptest.c b/test/exptest.c +index a327773ec4..5cab57c851 100644 +--- a/test/exptest.c ++++ b/test/exptest.c +@@ -50,6 +50,7 @@ static int test_mod_exp_zero(void) + BN_ULONG one_word = 1; + BN_CTX *ctx = BN_CTX_new(); + int ret = 0, failed = 0; ++ BN_MONT_CTX *mont = NULL; + + if (!TEST_ptr(m = BN_new()) + || !TEST_ptr(a = BN_new()) +@@ -94,6 +95,33 @@ static int test_mod_exp_zero(void) + if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))) + failed = 1; + ++ if (!TEST_ptr(mont = BN_MONT_CTX_new())) ++ goto err; ++ ++ ERR_set_mark(); ++ /* mont is not set but passed in */ ++ if (!TEST_false(BN_mod_exp_mont_consttime(r, p, a, m, ctx, mont))) ++ goto err; ++ if (!TEST_false(BN_mod_exp_mont(r, p, a, m, ctx, mont))) ++ goto err; ++ ERR_pop_to_mark(); ++ ++ if (!TEST_true(BN_MONT_CTX_set(mont, m, ctx))) ++ goto err; ++ ++ /* we compute 0 ** a mod 1 here, to execute code that uses mont */ ++ if (!TEST_true(BN_mod_exp_mont_consttime(r, p, a, m, ctx, mont))) ++ goto err; ++ ++ if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont_consttime", r, a))) ++ failed = 1; ++ ++ if (!TEST_true(BN_mod_exp_mont(r, p, a, m, ctx, mont))) ++ goto err; ++ ++ if (!TEST_true(a_is_zero_mod_one("BN_mod_exp_mont", r, a))) ++ failed = 1; ++ + /* + * A different codepath exists for single word multiplication + * in non-constant-time only. +@@ -114,6 +142,7 @@ static int test_mod_exp_zero(void) + BN_free(a); + BN_free(p); + BN_free(m); ++ BN_MONT_CTX_free(mont); + BN_CTX_free(ctx); + + return ret; +-- +2.36.1 + diff --git a/openssl.spec b/openssl.spec index 20ee9c05a2faa633044c50becf4e30f38e68e74d..93a2cb381a20faf79caf45e7c0b8178311fc03a7 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1m -Release: 18 +Release: 19 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -114,6 +114,9 @@ Patch103: backport-Fix-the-ceiling-on-how-much-encryption-growth-we-can.patch Patch104: backport-Ensure-our-buffer-allocation-allows-for-the-Explicit.patch Patch105: backport-Add-a-test-for-large-app-data.patch Patch106: backport-Add-DTLS-support-to-the-large-app-data-test.patch +Patch107: backport-Fix-a-logic-flaw-in-test_mod_exp_zero.patch +Patch108: backport-Coverity-1508506-misuse-of-time_t.patch +Patch109: backport-Limit-size-of-modulus-for-bn_mul_mont-and-BN_mod_exp.patch BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel @@ -317,6 +320,9 @@ make test || : %ldconfig_scriptlets libs %changelog +* Thu Mar 16 2023 wangcheng - 1:1.1.1m-19 ++ backport some patches + * Fri Feb 24 2023 wangcheng - 1:1.1.1m-18 - backport some patches