rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Do not try to use EC groups disallowed in FIPS mode in TLS 

Also fix Valgrind regression with constant-time code
This commit is contained in:
Tomas Mraz 2019-06-24 15:13:12 +02:00
parent a71f5ae7ab
commit 8419f769c7
3 changed files with 138 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
openssl-1.1.1-fips.patch
View File

@ -11673,6 +11673,45 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c
}
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h
--- openssl-1.1.1c/ssl/ssl_locl.h.fips 2019-06-03 16:44:58.963560101 +0200
+++ openssl-1.1.1c/ssl/ssl_locl.h 2019-06-24 14:43:19.547353076 +0200
@@ -1507,6 +1507,7 @@ typedef struct tls_group_info_st {
# define TLS_CURVE_PRIME 0x0
# define TLS_CURVE_CHAR2 0x1
# define TLS_CURVE_CUSTOM 0x2
+# define TLS_CURVE_FIPS 0x80
typedef struct cert_pkey_st CERT_PKEY;
diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c
--- openssl-1.1.1c/ssl/t1_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/ssl/t1_lib.c 2019-06-24 14:49:00.638576235 +0200
@@ -156,11 +156,11 @@ static const TLS_GROUP_INFO nid_list[] =
{NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
{NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
{NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
- {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
+ {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
{NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
- {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
- {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
+ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
+ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
+ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
{NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
{NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
{NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
@@ -255,6 +255,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
if (cinfo->flags & TLS_CURVE_CHAR2)
return 0;
# endif
+ if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
+ return 0;
ctmp[0] = curve >> 8;
ctmp[1] = curve & 0xff;
return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c
--- openssl-1.1.1b/test/dsatest.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/dsatest.c 2019-02-28 11:30:06.824745335 +0100

110
openssl-1.1.1-upstream-sync.patch
View File

@ -24,7 +24,7 @@ diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
# define NUM_SYS_STR_REASONS 127
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
@@ -219,26 +219,30 @@ static void build_SYS_str_reasons(void)
@@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void)
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
@ -35,8 +35,7 @@ diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
+ */
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
- size_t l = strlen(cur);
+ size_t l = strlen(cur) + 1;
size_t l = strlen(cur);
str->string = cur;
cnt += l;
@ -50,21 +49,10 @@ diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
+ * some (most? all?) messages. Lets trim them off.
*/
- while (ossl_isspace(cur[-1])) {
- cur--;
- cnt--;
+ if (cur > strerror_pool && ossl_isspace(cur[-1])) {
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
+ cur--;
+ cnt--;
+ }
+ *cur++ = '\0';
+ cnt++;
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
cur--;
cnt--;
}
- *cur++ = '\0';
- cnt++;
}
}
if (str->string == NULL)
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.sync openssl-1.1.1c/crypto/rand/rand_lib.c
--- openssl-1.1.1c/crypto/rand/rand_lib.c.sync 2019-05-29 17:20:17.175099183 +0200
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-05-30 11:51:20.784850208 +0200
@ -456,3 +444,91 @@ index fa19e7d80d..56e323f5bc 100644
--
2.20.1
diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h
--- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200
@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan
return constant_time_eq_8((unsigned)(a), (unsigned)(b));
}
+/* Returns the value unmodified, but avoids optimizations. */
+static ossl_inline unsigned int value_barrier(unsigned int a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ unsigned int r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile unsigned int r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for uint32_t. */
+static ossl_inline uint32_t value_barrier_32(uint32_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ uint32_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile uint32_t r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for uint64_t. */
+static ossl_inline uint64_t value_barrier_64(uint64_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ uint64_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile uint64_t r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for size_t. */
+static ossl_inline size_t value_barrier_s(size_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ size_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile size_t r = a;
+#endif
+ return r;
+}
+
static ossl_inline unsigned int constant_time_select(unsigned int mask,
unsigned int a,
unsigned int b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
}
static ossl_inline size_t constant_time_select_s(size_t mask,
size_t a,
size_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
}
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel
static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
uint32_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
}
static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
uint64_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
}
/*

7
openssl.spec
View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1c
Release: 3%{?dist}
Release: 4%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -454,6 +454,11 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-4
- do not try to use EC groups disallowed in FIPS mode
in TLS
- fix Valgrind regression with constant-time code
* Mon Jun 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-3
- add upstream patch to defer sending KeyUpdate after
pending writes are complete