Hello community,

here is the log from the commit of package tboot for openSUSE:Factory checked 
in at 2018-03-16 10:43:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tboot (Old)
 and      /work/SRC/openSUSE:Factory/.tboot.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tboot"

Fri Mar 16 10:43:50 2018 rev:32 rq:587462 version:20170711_1.9.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/tboot/tboot.changes      2018-02-22 
15:03:03.836670196 +0100
+++ /work/SRC/openSUSE:Factory/.tboot.new/tboot.changes 2018-03-16 
10:45:09.320570880 +0100
@@ -1,0 +2,10 @@
+Thu Mar 15 09:49:03 UTC 2018 - matthias.gerst...@suse.com
+
+- tboot-signature-segfault.patch: Intermediate patch necessary for
+  tboot-ssl-broken.patch. Upstream tried to fix OpenSSL issues here, but
+  failed to do so.
+- tboot-ssl-broken.patch: Fixed memory corruption when using OpenSSL
+  functionality like in lcp2_crtpollist (bnc#1083693). Fix has not yet been
+  commented on by upstream (posted on tboot-devel mailing list).
+
+-------------------------------------------------------------------

New:
----
  tboot-signature-segfault.patch
  tboot-ssl-broken.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tboot.spec ++++++
--- /var/tmp/diff_new_pack.uywoS8/_old  2018-03-16 10:45:10.376532857 +0100
+++ /var/tmp/diff_new_pack.uywoS8/_new  2018-03-16 10:45:10.380532713 +0100
@@ -30,7 +30,12 @@
 Patch5:         tboot-openssl-1-1-0.patch
 Patch6:         tboot-CVE-2017-16837.patch
 Patch7:         tboot-distributor.patch
-# PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/tboot/code/merge-requests/1/
+# a stark history regarding SSL: ssl functions never really worked in tboot,
+# even the signature-segfault upstream fix didn't fix the root causes.
+# ssl-broken.patch is my own patch that I have published on the tboot-devel
+# mailing list, but no response so far.
+Patch8:         tboot-signature-segfault.patch
+Patch9:         tboot-ssl-broken.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 ExclusiveArch:  %{ix86} x86_64
 BuildRequires:  openssl-devel
@@ -58,6 +63,8 @@
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
 
 %build
 export CFLAGS="%{optflags}"
@@ -107,7 +114,7 @@
 %postun
 %if 0%{?update_bootloader_check_type_reinit_post:1} 
 # there is no clean solution for refresh during package removal at the moment.
-# %posttrans is not executed during package removal.
+# %%posttrans is not executed during package removal.
 %update_bootloader_check_type_reinit_post grub2 grub2-efi
 %update_bootloader_posttrans
 %else

++++++ tboot-signature-segfault.patch ++++++
changeset:   506:09fae64a7515
user:        Ning Sun <ning....@intel.com>
date:        Sat Sep 02 01:40:15 2017 -0700
summary:     Fix openssl-1.0.2 double frees

Index: tboot-1.9.6/lcptools-v2/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/crtpollist.c
+++ tboot-1.9.6/lcptools-v2/crtpollist.c
@@ -160,15 +160,14 @@ static lcp_signature_t2 *read_rsa_pubkey
 
     memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
     sig->rsa_signature.pubkey_size = keysize;
-   
-    BIGNUM *modulus = BN_new();
-    
+
     /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA 
        stuct */    
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+        BIGNUM *modulus = BN_new();
         RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); 
     #else
-        modulus = pubkey->n;
+        BIGNUM *modulus = BN_dup(pubkey->n);
     #endif
 
     unsigned char key[keysize];
Index: tboot-1.9.6/lcptools-v2/lcputils.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/lcputils.c
+++ tboot-1.9.6/lcptools-v2/lcputils.c
@@ -384,8 +384,8 @@ bool verify_signature(const uint8_t *dat
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
         RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); 
     #else
-        rsa_pubkey->n = modulus;
-        rsa_pubkey->e = exponent;
+        rsa_pubkey->n = BN_dup(modulus);
+        rsa_pubkey->e = BN_dup(exponent);
         rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
     #endif
 
Index: tboot-1.9.6/lcptools/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools/crtpollist.c
+++ tboot-1.9.6/lcptools/crtpollist.c
@@ -155,14 +155,14 @@ static lcp_signature_t *read_pubkey_file
 
     memset(sig, 0, sizeof(*sig) + 2*keysize);
     sig->pubkey_size = keysize;
-   
-    BIGNUM *modulus = BN_new();
+
     /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA 
        stuct */ 
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+        BIGNUM *modulus = BN_new();
         RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); 
     #else
-       modulus = pubkey->n;
+        BIGNUM *modulus = BN_dup(pubkey->n);
     #endif
     unsigned char key[keysize];
     BN_bn2bin(modulus, key);
Index: tboot-1.9.6/lcptools/lcputils2.c
===================================================================
--- tboot-1.9.6.orig/lcptools/lcputils2.c
+++ tboot-1.9.6/lcptools/lcputils2.c
@@ -288,8 +288,8 @@ bool verify_signature(const uint8_t *dat
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
         RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); 
     #else
-       rsa_pubkey->n = modulus;
-       rsa_pubkey->e = exponent;
+       rsa_pubkey->n = BN_dup(modulus);
+       rsa_pubkey->e = BN_dup(exponent);
        rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
     #endif
 
++++++ tboot-ssl-broken.patch ++++++
Index: tboot-1.9.6/lcptools-v2/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/crtpollist.c
+++ tboot-1.9.6/lcptools-v2/crtpollist.c
@@ -132,6 +132,7 @@ static lcp_signature_t2 *read_rsa_pubkey
     if ( fp == NULL ) {
         ERROR("Error: failed to open .pem file %s: %s\n", file,
                 strerror(errno));
+        fclose(fp);
         return NULL;
     }
 
@@ -141,6 +142,7 @@ static lcp_signature_t2 *read_rsa_pubkey
         ERROR("Error: failed to read .pem file %s: %s\n", file,
                 ERR_error_string(ERR_get_error(), NULL));
         ERR_free_strings();
+        fclose(fp);
         return NULL;
     }
 
@@ -148,6 +150,7 @@ static lcp_signature_t2 *read_rsa_pubkey
     if ( keysize == 0 ) {
         ERROR("Error: public key size is 0\n");
         RSA_free(pubkey);
+        fclose(fp);
         return NULL;
     }
 
@@ -155,19 +158,20 @@ static lcp_signature_t2 *read_rsa_pubkey
     if ( sig == NULL ) {
         ERROR("Error: failed to allocate sig\n");
         RSA_free(pubkey);
+        fclose(fp);
         return NULL;
     }
 
     memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
     sig->rsa_signature.pubkey_size = keysize;
 
+    const BIGNUM *modulus = NULL;
     /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA 
        stuct */    
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-        BIGNUM *modulus = BN_new();
-        RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); 
+        RSA_get0_key(pubkey, &modulus, NULL, NULL);
     #else
-        BIGNUM *modulus = BN_dup(pubkey->n);
+        modulus = pubkey->n;
     #endif
 
     unsigned char key[keysize];
@@ -183,8 +187,8 @@ static lcp_signature_t2 *read_rsa_pubkey
     }
 
     LOG("read rsa pubkey succeed!\n");
-    BN_free(modulus);
     RSA_free(pubkey);
+    fclose(fp);
     return sig;
 }
 
@@ -386,13 +390,13 @@ static bool ecdsa_sign_tpm20_list_data(l
             return false;
         }
 
-        BIGNUM *r = BN_new();
-        BIGNUM *s = BN_new();
-        
+        const BIGNUM *r = NULL;
+        const BIGNUM *s = NULL;
+
        /* OpenSSL Version 1.1.0 and later don't allow direct access to 
           ECDSA_SIG stuct */ 
         #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-           ECDSA_SIG_get0(ecdsasig, (const BIGNUM **)&r, (const BIGNUM **)&s);
+           ECDSA_SIG_get0(ecdsasig, &r, &s);
         #else
            r = ecdsasig->r;
            s = ecdsasig->s;
@@ -415,8 +419,7 @@ static bool ecdsa_sign_tpm20_list_data(l
             display_tpm20_signature("    ", sig, pollist->sig_alg, false);
         }
 
-       BN_free(r);
-       BN_free(s);
+        ECDSA_SIG_free(ecdsasig);
         return true;
     }
     return false;
Index: tboot-1.9.6/lcptools-v2/lcputils.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/lcputils.c
+++ tboot-1.9.6/lcptools-v2/lcputils.c
@@ -371,9 +371,8 @@ bool verify_signature(const uint8_t *dat
         return false;
     }
 
-    BIGNUM *modulus = BN_new();
+    BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
     BIGNUM *exponent = BN_new();
-    modulus = BN_bin2bn(key, pubkey_size, NULL);
 
     /* uses fixed exponent (LCP_SIG_EXPONENT) */
     char exp[32];
@@ -384,8 +383,8 @@ bool verify_signature(const uint8_t *dat
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
         RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); 
     #else
-        rsa_pubkey->n = BN_dup(modulus);
-        rsa_pubkey->e = BN_dup(exponent);
+        rsa_pubkey->n = modulus;
+        rsa_pubkey->e = exponent;
         rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
     #endif
 
@@ -407,8 +406,6 @@ bool verify_signature(const uint8_t *dat
     tb_hash_t digest;
     if ( !hash_buffer(data, data_size, &digest, hashalg) ) {
         ERROR("Error: failed to hash list\n");
-       BN_free(modulus);
-       BN_free(exponent);
         RSA_free(rsa_pubkey);
         return false;
     }
@@ -451,8 +448,6 @@ bool verify_signature(const uint8_t *dat
             ERROR("Error: failed to verify list: %s\n", 
                     ERR_error_string(ERR_get_error(), NULL));
             ERR_free_strings();
-           BN_free(modulus);
-           BN_free(exponent);
             RSA_free(rsa_pubkey);
             return false;
         }
@@ -467,8 +462,6 @@ bool verify_signature(const uint8_t *dat
             ERROR("Error: failed to verify list: %s\n", 
                     ERR_error_string(ERR_get_error(), NULL));
             ERR_free_strings();
-           BN_free(modulus);
-           BN_free(exponent);
             RSA_free(rsa_pubkey);
             return false;
         }
@@ -483,8 +476,6 @@ bool verify_signature(const uint8_t *dat
             ERROR("Error: failed to verify list: %s\n", 
                     ERR_error_string(ERR_get_error(), NULL));
             ERR_free_strings();
-           BN_free(modulus);
-           BN_free(exponent);
             RSA_free(rsa_pubkey);
             return false;
         }
@@ -499,8 +490,6 @@ bool verify_signature(const uint8_t *dat
             ERROR("Error: failed to verify list: %s\n", 
                     ERR_error_string(ERR_get_error(), NULL));
             ERR_free_strings();
-           BN_free(modulus);
-           BN_free(exponent);
             RSA_free(rsa_pubkey);
             return false;
         }
@@ -508,13 +497,10 @@ bool verify_signature(const uint8_t *dat
 
     default :
         LOG("unknown hash alg\n");
-       BN_free(modulus);
-       BN_free(exponent);
+        RSA_free(rsa_pubkey);
         return false;
     }
 
-    BN_free(modulus);
-    BN_free(exponent);
     RSA_free(rsa_pubkey);
     return true;
 }
Index: tboot-1.9.6/lcptools/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools/crtpollist.c
+++ tboot-1.9.6/lcptools/crtpollist.c
@@ -156,13 +156,14 @@ static lcp_signature_t *read_pubkey_file
     memset(sig, 0, sizeof(*sig) + 2*keysize);
     sig->pubkey_size = keysize;
 
+    const BIGNUM *modulus = NULL;
+
     /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA 
        stuct */ 
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-        BIGNUM *modulus = BN_new();
-        RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); 
+        RSA_get0_key(pubkey, &modulus, NULL, NULL); 
     #else
-        BIGNUM *modulus = BN_dup(pubkey->n);
+        modulus = pubkey->n;
     #endif
     unsigned char key[keysize];
     BN_bn2bin(modulus, key);
@@ -175,8 +176,7 @@ static lcp_signature_t *read_pubkey_file
         LOG("signature:\n");
         display_signature("    ", sig, false);
     }
- 
-    BN_free(modulus);
+
     RSA_free(pubkey);
     return sig;
 }
Index: tboot-1.9.6/lcptools/lcputils2.c
===================================================================
--- tboot-1.9.6.orig/lcptools/lcputils2.c
+++ tboot-1.9.6/lcptools/lcputils2.c
@@ -274,31 +274,29 @@ bool verify_signature(const uint8_t *dat
         ERROR("Error: failed to allocate key\n");
         return false;
     }
-    BIGNUM *modulus = BN_new();
+
+    BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL);
     BIGNUM *exponent = BN_new();
-    modulus = BN_bin2bn(key, pubkey_size, NULL);
 
     /* uses fixed exponent (LCP_SIG_EXPONENT) */
     char exp[32];
     snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT);
     BN_dec2bn(&exponent, exp);
-    
+
     /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA 
        stuct */ 
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-        RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); 
+        RSA_set0_key(rsa_pubkey, modulus, exponent, NULL);
     #else
-       rsa_pubkey->n = BN_dup(modulus);
-       rsa_pubkey->e = BN_dup(exponent);
-       rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
+        rsa_pubkey->n = modulus;
+        rsa_pubkey->e = exponent;
+        rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
     #endif
 
     /* first create digest of data */
     tb_hash_t digest;
     if ( !hash_buffer(data, data_size, &digest, TB_HALG_SHA1_LG) ) {
         ERROR("Error: failed to hash list\n");
-        BN_free(modulus);
-       BN_free(exponent);
         RSA_free(rsa_pubkey);
         return false;
     }
@@ -339,14 +337,10 @@ bool verify_signature(const uint8_t *dat
         ERROR("Error: failed to verify list: %s\n", 
               ERR_error_string(ERR_get_error(), NULL));
         ERR_free_strings();
-        BN_free(modulus);
-       BN_free(exponent);
-       RSA_free(rsa_pubkey);
+        RSA_free(rsa_pubkey);
         return false;
     }
-    
-    BN_free(modulus);
-    BN_free(exponent);
+
     RSA_free(rsa_pubkey);
     return true;
 }

Reply via email to