* Fixed a bug in the BN_mod_sqrt() function that can cause it to loop foreverfor non-prime moduli ([CVE-2022-0778])
Signed-off-by: Ralph Siemsen <ralph.siem...@linaro.org> --- .../openssl/openssl/CVE-2022-0778.patch | 71 +++++++++++++++++++ .../openssl/openssl_1.1.1l.bb | 1 + 2 files changed, 72 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch new file mode 100644 index 0000000000..86b90ccf8d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch @@ -0,0 +1,71 @@ +From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz <to...@openssl.org> +Date: Mon, 28 Feb 2022 18:26:21 +0100 +Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt() + +The calculation in some cases does not finish for non-prime p. + +This fixes CVE-2022-0778. + +Based on patch by David Benjamin <david...@google.com>. + +Reviewed-by: Paul Dale <pa...@openssl.org> +Reviewed-by: Matt Caswell <m...@openssl.org> + +Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=3118eb64934499d93db3230748a452351d1d9a65] +CVE: CVE-2022-0778 +Signed-off-by: Ralph Siemsen <ralph.siem...@linaro.org> + +--- + crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c +index 1723d5ded5a8..53b0f559855c 100644 +--- a/crypto/bn/bn_sqrt.c ++++ b/crypto/bn/bn_sqrt.c +@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + /* + * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks + * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number +- * Theory", algorithm 1.5.1). 'p' must be prime! ++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or ++ * an incorrect "result" will be returned. + */ + { + BIGNUM *ret = in; +@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) + goto vrfy; + } + +- /* find smallest i such that b^(2^i) = 1 */ +- i = 1; +- if (!BN_mod_sqr(t, b, p, ctx)) +- goto end; +- while (!BN_is_one(t)) { +- i++; +- if (i == e) { +- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); +- goto end; ++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ ++ for (i = 1; i < e; i++) { ++ if (i == 1) { ++ if (!BN_mod_sqr(t, b, p, ctx)) ++ goto end; ++ ++ } else { ++ if (!BN_mod_mul(t, t, t, p, ctx)) ++ goto end; + } +- if (!BN_mod_mul(t, t, t, p, ctx)) +- goto end; ++ if (BN_is_one(t)) ++ break; ++ } ++ /* If not found, a is not a square or p is not prime. */ ++ if (i >= e) { ++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); ++ goto end; + } + + /* t := y^2^(e - i - 1) */ diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb index 24466e11b1..669152ac5e 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb @@ -19,6 +19,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://reproducible.patch \ file://reproducibility.patch \ file://CVE-2021-4160.patch \ + file://CVE-2022-0778.patch \ " SRC_URI_append_class-nativesdk = " \ -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#163434): https://lists.openembedded.org/g/openembedded-core/message/163434 Mute This Topic: https://lists.openembedded.org/mt/89853727/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-