From 8419f769c73f8e1825473fc94e56221841bf0eda Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Jun 24 2019 13:13:12 +0000
Subject: Do not try to use EC groups disallowed in FIPS mode in TLS

Also fix Valgrind regression with constant-time code

---
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index d59c440..3ff5aa4 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -11673,6 +11673,45 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c
}
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
+diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h
+--- openssl-1.1.1c/ssl/ssl_locl.h.fips 2019-06-03 16:44:58.963560101 +0200
++++ openssl-1.1.1c/ssl/ssl_locl.h 2019-06-24 14:43:19.547353076 +0200
+@@ -1507,6 +1507,7 @@ typedef struct tls_group_info_st {
+ # define TLS_CURVE_PRIME 0x0
+ # define TLS_CURVE_CHAR2 0x1
+ # define TLS_CURVE_CUSTOM 0x2
++# define TLS_CURVE_FIPS 0x80
+
+ typedef struct cert_pkey_st CERT_PKEY;
+
+diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c
+--- openssl-1.1.1c/ssl/t1_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/ssl/t1_lib.c 2019-06-24 14:49:00.638576235 +0200
+@@ -156,11 +156,11 @@ static const TLS_GROUP_INFO nid_list[] =
+ {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
+ {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
+ {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
+- {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
++ {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
+ {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
+- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
+- {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
+- {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
++ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
++ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
++ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
+ {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
+ {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
+ {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
+@@ -255,6 +255,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
+ if (cinfo->flags & TLS_CURVE_CHAR2)
+ return 0;
+ # endif
++ if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
++ return 0;
+ ctmp[0] = curve >> 8;
+ ctmp[1] = curve & 0xff;
+ return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c
--- openssl-1.1.1b/test/dsatest.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/dsatest.c 2019-02-28 11:30:06.824745335 +0100
diff --git a/openssl-1.1.1-upstream-sync.patch b/openssl-1.1.1-upstream-sync.patch
index 1603155..7e03b8d 100644
--- a/openssl-1.1.1-upstream-sync.patch
+++ b/openssl-1.1.1-upstream-sync.patch
@@ -24,7 +24,7 @@ diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
# define NUM_SYS_STR_REASONS 127
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
-@@ -219,26 +219,30 @@ static void build_SYS_str_reasons(void)
+@@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void)
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
@@ -35,8 +35,7 @@ diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
+ */
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
-- size_t l = strlen(cur);
-+ size_t l = strlen(cur) + 1;
+ size_t l = strlen(cur);
str->string = cur;
cnt += l;
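Review bot: `TLS_CURVE_FIPS` is added to ssl_locl.h without a comment, yet its meaning is fixed by the new check in `tls_curve_allowed`: whenever `FIPS_mode()` is true, every nid_list row that lacks the bit is refused, so the define deserves `# define TLS_CURVE_FIPS 0x80 /* usable under FIPS_mode(); rows without it are refused by tls_curve_allowed() */`. Only the secp224r1/secp256r1/secp384r1/secp521r1 rows are tagged here, so the brainpool rows in the hunk and any rows after entry (28) outside it are rejected in FIPS mode; that looks intended, but stating it next to the define would spare the next maintainer the same reading. The bit is a new flag alongside `TLS_CURVE_PRIME`, `TLS_CURVE_CHAR2` and `TLS_CURVE_CUSTOM`, so any caller that compares `flags` for equality rather than masking would stop matching a tagged row — I cannot see such a caller from the hunk, but it is worth a grep. The body of tls_curve_allowed begins outside the hunk, and the `# endif` just before the new check closes a conditional whose opening is not shown.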
@@ -50,21 +49,10 @@ diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
+ * some (most? all?) messages. Lets trim them off.
+ */
- while (ossl_isspace(cur[-1])) {
-- cur--;
-- cnt--;
-+ if (cur > strerror_pool && ossl_isspace(cur[-1])) {
-+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
-+ cur--;
-+ cnt--;
-+ }
-+ *cur++ = '\0';
-+ cnt++;
++ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
+ cur--;
+ cnt--;
}
-- *cur++ = '\0';
-- cnt++;
- }
- }
- if (str->string == NULL)
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.sync openssl-1.1.1c/crypto/rand/rand_lib.c
--- openssl-1.1.1c/crypto/rand/rand_lib.c.sync 2019-05-29 17:20:17.175099183 +0200
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-05-30 11:51:20.784850208 +0200
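Review bot: The `cur > strerror_pool` guard in the added `while (cur > strerror_pool && ossl_isspace(cur[-1]))` line is not explained, although the loop reads `cur[-1]` on every test; suggest a comment on the line above it, `/* cur > strerror_pool keeps cur[-1] inside the pool when the very first message is empty */`. The VMS comment kept just above describes only the trailing-space quirk, not why the lower bound matters. The removed `-- *cur++ = '\0';` and `-- cnt++;` lines drop the old inner deletion, which reads as leaving the original terminator bookkeeping after the loop in place; that goes together with the `size_t l = strlen(cur);` without `+ 1` in the hunk at `@@ -35,8 +35,7`, and the two should land as one change. The enclosing loop body of build_SYS_str_reasons starts and ends outside this hunk.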
@@ -456,3 +444,91 @@ index fa19e7d80d..56e323f5bc 100644
--
2.20.1
+diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h
+--- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200
+@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan
+ return constant_time_eq_8((unsigned)(a), (unsigned)(b));
+ }
+
++/* Returns the value unmodified, but avoids optimizations. */
++static ossl_inline unsigned int value_barrier(unsigned int a)
++{
++#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
++ unsigned int r;
++ __asm__("" : "=r"(r) : "0"(a));
++#else
++ volatile unsigned int r = a;
++#endif
++ return r;
++}
++
++/* Convenience method for uint32_t. */
++static ossl_inline uint32_t value_barrier_32(uint32_t a)
++{
++#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
++ uint32_t r;
++ __asm__("" : "=r"(r) : "0"(a));
++#else
++ volatile uint32_t r = a;
++#endif
++ return r;
++}
++
++/* Convenience method for uint64_t. */
++static ossl_inline uint64_t value_barrier_64(uint64_t a)
++{
++#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
++ uint64_t r;
++ __asm__("" : "=r"(r) : "0"(a));
++#else
++ volatile uint64_t r = a;
++#endif
++ return r;
++}
++
++/* Convenience method for size_t. */
++static ossl_inline size_t value_barrier_s(size_t a)
++{
++#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
++ size_t r;
++ __asm__("" : "=r"(r) : "0"(a));
++#else
++ volatile size_t r = a;
++#endif
++ return r;
++}
++
+ static ossl_inline unsigned int constant_time_select(unsigned int mask,
+ unsigned int a,
+ unsigned int b)
+ {
+- return (mask & a) | (~mask & b);
++ return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
+ }
+
+ static ossl_inline size_t constant_time_select_s(size_t mask,
+ size_t a,
+ size_t b)
+ {
+- return (mask & a) | (~mask & b);
++ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
+ }
+
+ static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
+@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel
+ static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
+ uint32_t b)
+ {
+- return (mask & a) | (~mask & b);
++ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
+ }
+
+ static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
+ uint64_t b)
+ {
+- return (mask & a) | (~mask & b);
++ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
+ }
+
+ /*
diff --git a/openssl.spec b/openssl.spec
index ce289c9..d2a5a74 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1c
-Release: 3%{?dist}
+Release: 4%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
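Review bot: The comment on `value_barrier` says only that it "avoids optimizations", which tells a reader neither which optimization the four barriers exist to defeat nor why the `#else` path copies through `volatile`; suggest `/* Returns a unchanged but opaque to the optimizer (empty asm with the output tied to the input, or a volatile copy), so a select built from this mask is not rewritten into a branch on the mask. */`. With the barrier applied to both `mask` and `~mask` in each `constant_time_select*`, the result depends on the mask only through the masked values, which also fits the Valgrind motivation in the commit title, though that link is inferred rather than visible in the hunk. `constant_time_select_8` and `constant_time_select_int` appear here only as signatures, so whether they also go through a barrier depends on their bodies outside the hunk and is worth confirming, so that no selector is left without one. The four barrier functions differ only in the type, so the full comment on the first plus a one-line pointer on the others (`/* size_t variant of value_barrier(); see there. */`) would keep the explanation in one place.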
@@ -454,6 +454,11 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
+* Mon Jun 24 2019 Tomáš Mráz 1.1.1c-4
+- do not try to use EC groups disallowed in FIPS mode
+ in TLS
+- fix Valgrind regression with constant-time code
+
* Mon Jun 3 2019 Tomáš Mráz 1.1.1c-3
- add upstream patch to defer sending KeyUpdate after pending writes
are complete