diff --git a/CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch b/CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch new file mode 100644 index 0000000000000000000000000000000000000000..b066c77c4f093338e088175dfe4914a2b4e3ae2f --- /dev/null +++ b/CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch @@ -0,0 +1,58 @@ +From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:35 +0100 +Subject: [PATCH] Add a negative testcase for BN_mod_sqrt + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + test/bntest.c | 11 ++++++++++- + test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/test/bntest.c b/test/bntest.c +index 390dd80073..1cab660bca 100644 +--- a/test/bntest.c ++++ b/test/bntest.c +@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s) + || !TEST_ptr(ret2 = BN_new())) + goto err; + ++ if (BN_is_negative(mod_sqrt)) { ++ /* A negative testcase */ ++ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx))) ++ goto err; ++ ++ st = 1; ++ goto err; ++ } ++ + /* There are two possible answers. */ +- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx)) ++ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx)) + || !TEST_true(BN_sub(ret2, p, ret))) + goto err; + +diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt +index 5ea4d031f2..e28cc6bfb0 100644 +--- a/test/recipes/10-test_bn_data/bnmod.txt ++++ b/test/recipes/10-test_bn_data/bnmod.txt +@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f + ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186 + A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81 + P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f ++ ++# Negative testcases for BN_mod_sqrt() ++ ++# This one triggers an infinite loop with unfixed implementation ++# It should just fail. ++ModSqrt = -1 ++A = 20a7ee ++P = 460201 ++ ++ModSqrt = -1 ++A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed ++P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f +-- +2.27.0 + diff --git a/CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch b/CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch new file mode 100644 index 0000000000000000000000000000000000000000..653b8fba621d07cb8b7a4d1dfff33ceb8a57be91 --- /dev/null +++ b/CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch @@ -0,0 +1,69 @@ +From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 28 Feb 2022 18:26:21 +0100 +Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt() + +The calculation in some cases does not finish for non-prime p. + +This fixes CVE-2022-0778. + +Based on patch by David Benjamin . + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +--- + crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c +index 1723d5ded5..53b0f55985 100644 +--- a/crypto/bn/bn_sqrt.c ++++ b/crypto/bn/bn_sqrt.c +@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + /* + * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks + * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number +- * Theory", algorithm 1.5.1). 'p' must be prime! ++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or ++ * an incorrect "result" will be returned. + */ + { + BIGNUM *ret = in; +@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + goto vrfy; + } + +- /* find smallest i such that b^(2^i) = 1 */ +- i = 1; +- if (!BN_mod_sqr(t, b, p, ctx)) +- goto end; +- while (!BN_is_one(t)) { +- i++; +- if (i == e) { +- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); +- goto end; ++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ ++ for (i = 1; i < e; i++) { ++ if (i == 1) { ++ if (!BN_mod_sqr(t, b, p, ctx)) ++ goto end; ++ ++ } else { ++ if (!BN_mod_mul(t, t, t, p, ctx)) ++ goto end; + } +- if (!BN_mod_mul(t, t, t, p, ctx)) +- goto end; ++ if (BN_is_one(t)) ++ break; ++ } ++ /* If not found, a is not a square or p is not prime. */ ++ if (i >= e) { ++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); ++ goto end; + } + + /* t := y^2^(e - i - 1) */ +-- +2.27.0 + diff --git a/openssl.spec b/openssl.spec index e2bbdbd8a140f88cad4f0918597956cbacbbb5b3..53e5cfde128ac57c0a8714e6a5540c3a07ebed72 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1f -Release: 7 +Release: 8 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -26,6 +26,8 @@ Patch15: CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch Patch16: CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch Patch17: CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch Patch18: CVE-2021-4160.patch +Patch19: CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch +Patch20: CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel @@ -202,6 +204,9 @@ make test || : %{_pkgdocdir}/html/ %changelog +* Mon Mar 21 2022 wangcheng156 - 1:1.1.1f-8 +- fix CVE + * Sat Feb 26 2022 zhujianwei001 - 1:1.1.1f-7 - fix CVE-2021-4160