From dff4b6ea55761e32418e4dd991ad5efae4933a83 Mon Sep 17 00:00:00 2001
From: jinlun
Date: Fri, 14 Jul 2023 11:11:45 +0800
Subject: [PATCH] fix CVE-2018-0737, CVE-2021-23840
---
backport-CVE-2018-0737.patch | 28 +++++++
backport-CVE-2021-23840.patch | 79 +++++++++++++++++++
...n-endless-loop-in-rsa_builtin_keygen.patch | 58 ++++++++++++++
...le-time-GCD-with-consttime-inversion.patch | 79 +++++++++++++++++++
backport-consttime-flag-changed.patch | 28 +++++++
...pdate-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch | 38 +++++++++
...-make-update-EVP_F_EVP_DECRYPTUPDATE.patch | 41 ++++++++++
shim.spec | 12 ++-
8 files changed, 362 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2018-0737.patch
create mode 100644 backport-CVE-2021-23840.patch
create mode 100644 backport-Fix-an-endless-loop-in-rsa_builtin_keygen.patch
create mode 100644 backport-Replaced-variable-time-GCD-with-consttime-inversion.patch
create mode 100644 backport-consttime-flag-changed.patch
create mode 100644 backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch
create mode 100644 backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch
diff --git a/backport-CVE-2018-0737.patch b/backport-CVE-2018-0737.patch
new file mode 100644
index 0000000..e929ec0
--- /dev/null
+++ b/backport-CVE-2018-0737.patch
@@ -0,0 +1,28 @@
+From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001
+From: Billy Brumley
+Date: Wed, 11 Apr 2018 10:10:58 +0300
+Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
+ both get called with BN_FLG_CONSTTIME flag set.
+
+CVE-2018-0737
+
+Reviewed-by: Rich Salz
+Reviewed-by: Matt Caswell
+(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
+---
+ crypto/rsa/rsa_gen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
+index 9ca5dfefb70..42b89a8dfaa 100644
+--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
++++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
+@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ if (BN_copy(rsa->e, e_value) == NULL)
+ goto err;
+
++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
diff --git a/backport-CVE-2021-23840.patch b/backport-CVE-2021-23840.patch
new file mode 100644
index 0000000..bbcadc4
--- /dev/null
+++ b/backport-CVE-2021-23840.patch
@@ -0,0 +1,79 @@
+Backport of:
+
+From 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Tue, 2 Feb 2021 17:17:23 +0000
+Subject: [PATCH] Don't overflow the output length in EVP_CipherUpdate calls
+
+CVE-2021-23840
+
+Reviewed-by: Paul Dale
+---
+ crypto/err/openssl.txt | 3 ++-
+ crypto/evp/evp_enc.c | 27 +++++++++++++++++++++++++++
+ crypto/evp/evp_err.c | 4 +++-
+ include/openssl/evperr.h | 7 +++----
+ 4 files changed, 35 insertions(+), 6 deletions(-)
+
+--- a/Cryptlib/OpenSSL/crypto/evp/evp_enc.c
++++ b/Cryptlib/OpenSSL/crypto/evp/evp_enc.c
+@@ -354,6 +354,19 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
+ return 1;
+ } else {
+ j = bl - i;
++
++ /*
++ * Once we've processed the first j bytes from in, the amount of
++ * data left that is a multiple of the block length is:
++ * (inl - j) & ~(bl - 1)
++ * We must ensure that this amount of data, plus the one block that
++ * we process from ctx->buf does not exceed INT_MAX
++ */
++ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
++ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE,
++ EVP_R_OUTPUT_WOULD_OVERFLOW);
++ return 0;
++ }
+ memcpy(&(ctx->buf[i]), in, j);
+ if (!M_do_cipher(ctx, out, ctx->buf, bl))
+ return 0;
+@@ -455,6 +468,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
+ OPENSSL_assert(b <= sizeof ctx->final);
+
+ if (ctx->final_used) {
++ /*
++ * final_used is only ever set if buf_len is 0. Therefore the maximum
++ * length output we will ever see from evp_EncryptDecryptUpdate is
++ * the maximum multiple of the block length that is <= inl, or just:
++ * inl & ~(b - 1)
++ * Since final_used has been set then the final output length is:
++ * (inl & ~(b - 1)) + b
++ * This must never exceed INT_MAX
++ */
++ if ((inl & ~(b - 1)) > INT_MAX - b) {
++ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
++ return 0;
++ }
+ memcpy(out, ctx->final, b);
+ out += b;
+ fix_len = 1;
+--- a/Cryptlib/OpenSSL/crypto/evp/evp_err.c
++++ b/Cryptlib/OpenSSL/crypto/evp/evp_err.c
+@@ -215,6 +215,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
+ {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
+ "operation not supported for this keytype"},
+ {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"},
++ {ERR_REASON(EVP_R_OUTPUT_WOULD_OVERFLOW), "output would overflow"},
+ {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),
+ "pkcs8 unknown broken type"},
+ {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"},
+--- a/Cryptlib/Include/openssl/evp.h
++++ b/Cryptlib/Include/openssl/evp.h
+@@ -1509,6 +1509,7 @@ void ERR_load_EVP_strings(void);
+ # define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105
+ # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
+ # define EVP_R_OPERATON_NOT_INITIALIZED 151
++# define EVP_R_OUTPUT_WOULD_OVERFLOW 184
+ # define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117
+ # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
+ # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
diff --git a/backport-Fix-an-endless-loop-in-rsa_builtin_keygen.patch b/backport-Fix-an-endless-loop-in-rsa_builtin_keygen.patch
new file mode 100644
index 0000000..af76bc1
--- /dev/null
+++ b/backport-Fix-an-endless-loop-in-rsa_builtin_keygen.patch
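Review bot: The overflow check added to EVP_EncryptUpdate raises its error as EVP_F_EVP_ENCRYPTDECRYPTUPDATE, whose string in backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch is "evp_EncryptDecryptUpdate", a helper this evp_enc.c appears not to have, so a failure would be attributed to a function that is not in the tree. The series already defines EVP_F_EVP_ENCRYPTUPDATE (167) for this very function in backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch, so `EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);` would attribute it correctly and seems to make the second make-update patch unnecessary. The comment in the EVP_DecryptUpdate hunk likewise names evp_EncryptDecryptUpdate; if EVP_DecryptUpdate still delegates to EVP_EncryptUpdate here, I would reword it to `* length output we will ever see from EVP_EncryptUpdate is`. The upstream diffstat carried in the header lists 27 insertions in evp_enc.c while the two hunks here add 26, so please confirm INT_MAX is in scope for evp_enc.c in the Cryptlib build without an extra include. Both EVP_EncryptUpdate and EVP_DecryptUpdate start and end outside these hunks.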
@@ -0,0 +1,58 @@
+From 32492093722636596018a799c438bfc04c343b40 Mon Sep 17 00:00:00 2001
+From: Rich Salz
+Date: Mon, 6 Mar 2017 09:54:17 -0500
+Subject: [PATCH] Fix an endless loop in rsa_builtin_keygen.
+
+Cherry-picked by Matt Caswell from 69795831.
+
+Reviewed-by: Richard Levitte
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/4670)
+---
+ crypto/rsa/rsa_gen.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
+index 082c8da2efc..a85493d6097 100644
+--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
++++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
+@@ -110,6 +110,16 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ int bitsp, bitsq, ok = -1, n = 0;
+ BN_CTX *ctx = NULL;
+
++ /*
++ * When generating ridiculously small keys, we can get stuck
++ * continually regenerating the same prime values.
++ */
++ if (bits < 16) {
++ ok = 0; /* we set our own err */
++ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+@@ -161,21 +171,10 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ if (!BN_GENCB_call(cb, 3, 0))
+ goto err;
+ for (;;) {
+- /*
+- * When generating ridiculously small keys, we can get stuck
+- * continually regenerating the same prime values. Check for this and
+- * bail if it happens 3 times.
+- */
+- unsigned int degenerate = 0;
+ do {
+ if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+ goto err;
+- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
+- if (degenerate == 3) {
+- ok = 0; /* we set our own err */
+- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
+- goto err;
+- }
++ } while (BN_cmp(rsa->p, rsa->q) == 0);
+ if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err;
+ if (!BN_gcd(r1, r2, rsa->e, ctx))
diff --git a/backport-Replaced-variable-time-GCD-with-consttime-inversion.patch b/backport-Replaced-variable-time-GCD-with-consttime-inversion.patch
new file mode 100644
index 0000000..c5b3984
--- /dev/null
+++ b/backport-Replaced-variable-time-GCD-with-consttime-inversion.patch
@@ -0,0 +1,79 @@
+From 0b199a883e9170cdfe8e61c150bbaf8d8951f3e7 Mon Sep 17 00:00:00 2001
+From: Samuel Weiser
+Date: Tue, 5 Dec 2017 15:55:17 +0100
+Subject: [PATCH] Replaced variable-time GCD with consttime inversion to avoid
+ side-channel attacks on RSA key generation
+
+Reviewed-by: Rich Salz
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/5170)
+
+(cherry picked from commit 9db724cfede4ba7a3668bff533973ee70145ec07)
+---
+ crypto/rsa/rsa_gen.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
+index a85493d6097..8553772f062 100644
+--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
++++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
+@@ -109,6 +109,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ BIGNUM *pr0, *d, *p;
+ int bitsp, bitsq, ok = -1, n = 0;
+ BN_CTX *ctx = NULL;
++ unsigned long error = 0;
+
+ /*
+ * When generating ridiculously small keys, we can get stuck
+@@ -155,16 +156,25 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ if (BN_copy(rsa->e, e_value) == NULL)
+ goto err;
+
++ BN_set_flags(rsa->e, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
+ if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
+ goto err;
+ if (!BN_sub(r2, rsa->p, BN_value_one()))
+ goto err;
+- if (!BN_gcd(r1, r2, rsa->e, ctx))
+- goto err;
+- if (BN_is_one(r1))
++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
++ /* GCD == 1 since inverse exists */
+ break;
++ }
++ error = ERR_peek_last_error();
++ if (ERR_GET_LIB(error) == ERR_LIB_BN
++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
++ /* GCD != 1 */
++ ERR_clear_error();
++ } else {
++ goto err;
++ }
+ if (!BN_GENCB_call(cb, 2, n++))
+ goto err;
+ }
+@@ -177,10 +187,18 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ } while (BN_cmp(rsa->p, rsa->q) == 0);
+ if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err;
+- if (!BN_gcd(r1, r2, rsa->e, ctx))
+- goto err;
+- if (BN_is_one(r1))
++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
++ /* GCD == 1 since inverse exists */
+ break;
++ }
++ error = ERR_peek_last_error();
++ if (ERR_GET_LIB(error) == ERR_LIB_BN
++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
++ /* GCD != 1 */
++ ERR_clear_error();
++ } else {
++ goto err;
++ }
+ if (!BN_GENCB_call(cb, 2, n++))
+ goto err;
+ }
diff --git a/backport-consttime-flag-changed.patch b/backport-consttime-flag-changed.patch
new file mode 100644
index 0000000..9b74c56
--- /dev/null
+++ b/backport-consttime-flag-changed.patch
@@ -0,0 +1,28 @@
+From 0d6710289307d277ebc3354105c965b6e8ba8eb0 Mon Sep 17 00:00:00 2001
+From: Samuel Weiser
+Date: Fri, 9 Feb 2018 14:11:47 +0100
+Subject: [PATCH] consttime flag changed
+
+Reviewed-by: Rich Salz
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/5170)
+
+(cherry picked from commit 7150a4720af7913cae16f2e4eaf768b578c0b298)
+---
+ crypto/rsa/rsa_gen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
+index 610d82db665..9ca5dfefb70 100644
+--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
++++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
+@@ -156,7 +156,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ if (BN_copy(rsa->e, e_value) == NULL)
+ goto err;
+
+- BN_set_flags(rsa->e, BN_FLG_CONSTTIME);
++ BN_set_flags(r2, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
+ if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
diff --git a/backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch b/backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch
new file mode 100644
index 0000000..65c941d
--- /dev/null
+++ b/backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch
@@ -0,0 +1,38 @@
+Backport of:
+
+From 4bd0db1feaaf97fbc2bd31f54f1fbdeab80b2b1a Mon Sep 17 00:00:00 2001
+From: Richard Levitte
+Date: Sun, 9 Dec 2018 14:20:30 +0100
+Subject: [PATCH] make update
+
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Paul Dale
+(Merged from https://github.com/openssl/openssl/pull/7852)
+
+(cherry picked from commit f2f734d4f9e34643a1d3e5b79d2447cd643519f8)
+---
+ crypto/err/openssl.txt | 1 +
+ crypto/evp/evp_err.c | 2 ++
+ include/openssl/evperr.h | 1 +
+ 3 files changed, 4 insertions(+)
+
+--- a/Cryptlib/OpenSSL/crypto/evp/evp_err.c
++++ b/Cryptlib/OpenSSL/crypto/evp/evp_err.c
+@@ -94,6 +94,7 @@ static ERR_STRING_DATA EVP_str_functs[]
+ {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
++ {ERR_FUNC(EVP_F_EVP_ENCRYPTDECRYPTUPDATE), "evp_EncryptDecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
+--- a/Cryptlib/Include/openssl/evp.h
++++ b/Cryptlib/Include/openssl/evp.h
+@@ -1398,6 +1398,7 @@ void ERR_load_EVP_strings(void);
+ # define EVP_F_EVP_DECRYPTFINAL_EX 101
+ # define EVP_F_EVP_DECRYPTUPDATE 166
+ # define EVP_F_EVP_DIGESTINIT_EX 128
++# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
+ # define EVP_F_EVP_ENCRYPTFINAL_EX 127
+ # define EVP_F_EVP_ENCRYPTUPDATE 167
+ # define EVP_F_EVP_MD_CTX_COPY_EX 110
diff --git a/backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch b/backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch
new file mode 100644
index 0000000..85ea540
--- /dev/null
+++ b/backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch
@@ -0,0 +1,41 @@
+Partial backport of:
+
+From 83151b73a4736bca1797f8edc2b0ad4cf7ac9146 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov
+Date: Mon, 25 Jul 2016 15:02:26 +0200
+Subject: [PATCH] evp/evp_enc.c: make assert error message more readable and
+ add EVPerr(PARTIALLY_OVERLAPPED)
+
+Reviewed-by: Stephen Henson
+---
+ crypto/evp/evp_enc.c | 28 +++++++++++++++++++---------
+ crypto/evp/evp_err.c | 3 +++
+ include/openssl/evp.h | 3 +++
+ 3 files changed, 25 insertions(+), 9 deletions(-)
+
+--- a/Cryptlib/OpenSSL/crypto/evp/evp_err.c
++++ b/Cryptlib/OpenSSL/crypto/evp/evp_err.c
+@@ -92,8 +92,10 @@ static ERR_STRING_DATA EVP_str_functs[]
+ {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH),
+ "EVP_CIPHER_CTX_set_key_length"},
+ {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
++ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
++ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
+ {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
+ {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
+--- a/Cryptlib/Include/openssl/evp.h
++++ b/Cryptlib/Include/openssl/evp.h
+@@ -1396,8 +1396,10 @@ void ERR_load_EVP_strings(void);
+ # define EVP_F_EVP_CIPHER_CTX_CTRL 124
+ # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122
+ # define EVP_F_EVP_DECRYPTFINAL_EX 101
++# define EVP_F_EVP_DECRYPTUPDATE 166
+ # define EVP_F_EVP_DIGESTINIT_EX 128
+ # define EVP_F_EVP_ENCRYPTFINAL_EX 127
++# define EVP_F_EVP_ENCRYPTUPDATE 167
+ # define EVP_F_EVP_MD_CTX_COPY_EX 110
+ # define EVP_F_EVP_MD_SIZE 162
+ # define EVP_F_EVP_OPENINIT 102
diff --git a/shim.spec b/shim.spec
index 706cb04..36703a3 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,7 +25,7 @@ Name: shim
 Version: 15.6
-Release: 10
+Release: 11
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
@@ -47,6 +47,13 @@ Patch10:backport-CVE-2021-23841.patch
 Patch11:backport-CVE-2021-3712.patch
 Patch12:backport-CVE-2022-0778.patch
 Patch13:backport-CVE-2023-0286.patch
+Patch14:backport-Fix-an-endless-loop-in-rsa_builtin_keygen.patch
+Patch15:backport-Replaced-variable-time-GCD-with-consttime-inversion.patch
+Patch16:backport-consttime-flag-changed.patch
+Patch17:backport-CVE-2018-0737.patch
+Patch18:backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch
+Patch19:backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch
+Patch20:backport-CVE-2021-23840.patch
 # Feature for shim SMx support
 Patch9000:Feature-shim-openssl-add-ec-support.patch
@@ -168,6 +175,9 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 %changelog
+* Thu Jul 13 2023 jinlun - 15.6-11
+- fix CVE-2018-0737 , CVE-2021-23840
+
 * Thu Jun 08 2023 chendexi - 15.6-10
 - delete debuginfo and debugsource subpackage buildarch
--
Gitee
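Review bot: The order of Patch14 through Patch20 is load-bearing and nothing in the spec says so: Patch15, Patch16 and Patch17 each rewrite the same BN_set_flags line in rsa_gen.c (their nested index lines chain 082c8da2efc→a85493d6097→8553772f062 and 610d82db665→9ca5dfefb70→42b89a8dfaa), and Patch20 uses EVP_F_EVP_DECRYPTUPDATE and EVP_F_EVP_ENCRYPTDECRYPTUPDATE, which only exist once Patch18 and Patch19 have applied. A one-line comment above the block would keep the next maintainer from resorting them, e.g. `# Patch14-Patch20 must stay in this order: the rsa_gen.c fixes stack on one another and CVE-2021-23840 needs the EVP_F_* codes from the make-update patches`. Note also that Patch15's post-image 8553772f062 is not Patch16's pre-image 610d82db665, which may mean an intervening upstream rsa_gen.c change is not carried here or simply that the hashes come from different trees; worth confirming that %prep applies the series without fuzz. The changelog entry names only the two CVEs, so listing the three hardening backports (endless-loop fix, consttime inversion, consttime flag) would make the release note match what actually shipped.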