Hello community, here is the log from the commit of package tboot for openSUSE:Factory checked in at 2018-03-16 10:43:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tboot (Old) and /work/SRC/openSUSE:Factory/.tboot.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tboot" Fri Mar 16 10:43:50 2018 rev:32 rq:587462 version:20170711_1.9.6 Changes: -------- --- /work/SRC/openSUSE:Factory/tboot/tboot.changes 2018-02-22 15:03:03.836670196 +0100 +++ /work/SRC/openSUSE:Factory/.tboot.new/tboot.changes 2018-03-16 10:45:09.320570880 +0100 @@ -1,0 +2,10 @@ +Thu Mar 15 09:49:03 UTC 2018 - [email protected] + +- tboot-signature-segfault.patch: Intermediate patch necessary for + tboot-ssl-broken.patch. Upstream tried to fix OpenSSL issues here, but + failed to do so. +- tboot-ssl-broken.patch: Fixed memory corruption when using OpenSSL + functionality like in lcp2_crtpollist (bnc#1083693). Fix has not yet been + commented on by upstream (posted on tboot-devel mailing list). + +------------------------------------------------------------------- New: ---- tboot-signature-segfault.patch tboot-ssl-broken.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tboot.spec ++++++ --- /var/tmp/diff_new_pack.uywoS8/_old 2018-03-16 10:45:10.376532857 +0100 +++ /var/tmp/diff_new_pack.uywoS8/_new 2018-03-16 10:45:10.380532713 +0100 @@ -30,7 +30,12 @@ Patch5: tboot-openssl-1-1-0.patch Patch6: tboot-CVE-2017-16837.patch Patch7: tboot-distributor.patch -# PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/tboot/code/merge-requests/1/ +# a stark history regarding SSL: ssl functions never really worked in tboot, +# even the signature-segfault upstream fix didn't fix the root causes. +# ssl-broken.patch is my own patch that I have published on the tboot-devel +# mailing list, but no response so far. +Patch8: tboot-signature-segfault.patch +Patch9: tboot-ssl-broken.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build ExclusiveArch: %{ix86} x86_64 BuildRequires: openssl-devel @@ -58,6 +63,8 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 %build export CFLAGS="%{optflags}" @@ -107,7 +114,7 @@ %postun %if 0%{?update_bootloader_check_type_reinit_post:1} # there is no clean solution for refresh during package removal at the moment. -# %posttrans is not executed during package removal. +# %%posttrans is not executed during package removal. %update_bootloader_check_type_reinit_post grub2 grub2-efi %update_bootloader_posttrans %else ++++++ tboot-signature-segfault.patch ++++++ changeset: 506:09fae64a7515 user: Ning Sun <[email protected]> date: Sat Sep 02 01:40:15 2017 -0700 summary: Fix openssl-1.0.2 double frees Index: tboot-1.9.6/lcptools-v2/crtpollist.c =================================================================== --- tboot-1.9.6.orig/lcptools-v2/crtpollist.c +++ tboot-1.9.6/lcptools-v2/crtpollist.c @@ -160,15 +160,14 @@ static lcp_signature_t2 *read_rsa_pubkey memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize); sig->rsa_signature.pubkey_size = keysize; - - BIGNUM *modulus = BN_new(); - + /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *modulus = BN_new(); RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); #else - modulus = pubkey->n; + BIGNUM *modulus = BN_dup(pubkey->n); #endif unsigned char key[keysize]; Index: tboot-1.9.6/lcptools-v2/lcputils.c =================================================================== --- tboot-1.9.6.orig/lcptools-v2/lcputils.c +++ tboot-1.9.6/lcptools-v2/lcputils.c @@ -384,8 +384,8 @@ bool verify_signature(const uint8_t *dat #if OPENSSL_VERSION_NUMBER >= 0x10100000L RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); #else - rsa_pubkey->n = modulus; - rsa_pubkey->e = exponent; + rsa_pubkey->n = BN_dup(modulus); + rsa_pubkey->e = BN_dup(exponent); rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL; #endif Index: tboot-1.9.6/lcptools/crtpollist.c =================================================================== --- tboot-1.9.6.orig/lcptools/crtpollist.c +++ tboot-1.9.6/lcptools/crtpollist.c @@ -155,14 +155,14 @@ static lcp_signature_t *read_pubkey_file memset(sig, 0, sizeof(*sig) + 2*keysize); sig->pubkey_size = keysize; - - BIGNUM *modulus = BN_new(); + /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *modulus = BN_new(); RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); #else - modulus = pubkey->n; + BIGNUM *modulus = BN_dup(pubkey->n); #endif unsigned char key[keysize]; BN_bn2bin(modulus, key); Index: tboot-1.9.6/lcptools/lcputils2.c =================================================================== --- tboot-1.9.6.orig/lcptools/lcputils2.c +++ tboot-1.9.6/lcptools/lcputils2.c @@ -288,8 +288,8 @@ bool verify_signature(const uint8_t *dat #if OPENSSL_VERSION_NUMBER >= 0x10100000L RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); #else - rsa_pubkey->n = modulus; - rsa_pubkey->e = exponent; + rsa_pubkey->n = BN_dup(modulus); + rsa_pubkey->e = BN_dup(exponent); rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL; #endif ++++++ tboot-ssl-broken.patch ++++++ Index: tboot-1.9.6/lcptools-v2/crtpollist.c =================================================================== --- tboot-1.9.6.orig/lcptools-v2/crtpollist.c +++ tboot-1.9.6/lcptools-v2/crtpollist.c @@ -132,6 +132,7 @@ static lcp_signature_t2 *read_rsa_pubkey if ( fp == NULL ) { ERROR("Error: failed to open .pem file %s: %s\n", file, strerror(errno)); + fclose(fp); return NULL; } @@ -141,6 +142,7 @@ static lcp_signature_t2 *read_rsa_pubkey ERROR("Error: failed to read .pem file %s: %s\n", file, ERR_error_string(ERR_get_error(), NULL)); ERR_free_strings(); + fclose(fp); return NULL; } @@ -148,6 +150,7 @@ static lcp_signature_t2 *read_rsa_pubkey if ( keysize == 0 ) { ERROR("Error: public key size is 0\n"); RSA_free(pubkey); + fclose(fp); return NULL; } @@ -155,19 +158,20 @@ static lcp_signature_t2 *read_rsa_pubkey if ( sig == NULL ) { ERROR("Error: failed to allocate sig\n"); RSA_free(pubkey); + fclose(fp); return NULL; } memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize); sig->rsa_signature.pubkey_size = keysize; + const BIGNUM *modulus = NULL; /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L - BIGNUM *modulus = BN_new(); - RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); + RSA_get0_key(pubkey, &modulus, NULL, NULL); #else - BIGNUM *modulus = BN_dup(pubkey->n); + modulus = pubkey->n; #endif unsigned char key[keysize]; @@ -183,8 +187,8 @@ static lcp_signature_t2 *read_rsa_pubkey } LOG("read rsa pubkey succeed!\n"); - BN_free(modulus); RSA_free(pubkey); + fclose(fp); return sig; } @@ -386,13 +390,13 @@ static bool ecdsa_sign_tpm20_list_data(l return false; } - BIGNUM *r = BN_new(); - BIGNUM *s = BN_new(); - + const BIGNUM *r = NULL; + const BIGNUM *s = NULL; + /* OpenSSL Version 1.1.0 and later don't allow direct access to ECDSA_SIG stuct */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L - ECDSA_SIG_get0(ecdsasig, (const BIGNUM **)&r, (const BIGNUM **)&s); + ECDSA_SIG_get0(ecdsasig, &r, &s); #else r = ecdsasig->r; s = ecdsasig->s; @@ -415,8 +419,7 @@ static bool ecdsa_sign_tpm20_list_data(l display_tpm20_signature(" ", sig, pollist->sig_alg, false); } - BN_free(r); - BN_free(s); + ECDSA_SIG_free(ecdsasig); return true; } return false; Index: tboot-1.9.6/lcptools-v2/lcputils.c =================================================================== --- tboot-1.9.6.orig/lcptools-v2/lcputils.c +++ tboot-1.9.6/lcptools-v2/lcputils.c @@ -371,9 +371,8 @@ bool verify_signature(const uint8_t *dat return false; } - BIGNUM *modulus = BN_new(); + BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL); BIGNUM *exponent = BN_new(); - modulus = BN_bin2bn(key, pubkey_size, NULL); /* uses fixed exponent (LCP_SIG_EXPONENT) */ char exp[32]; @@ -384,8 +383,8 @@ bool verify_signature(const uint8_t *dat #if OPENSSL_VERSION_NUMBER >= 0x10100000L RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); #else - rsa_pubkey->n = BN_dup(modulus); - rsa_pubkey->e = BN_dup(exponent); + rsa_pubkey->n = modulus; + rsa_pubkey->e = exponent; rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL; #endif @@ -407,8 +406,6 @@ bool verify_signature(const uint8_t *dat tb_hash_t digest; if ( !hash_buffer(data, data_size, &digest, hashalg) ) { ERROR("Error: failed to hash list\n"); - BN_free(modulus); - BN_free(exponent); RSA_free(rsa_pubkey); return false; } @@ -451,8 +448,6 @@ bool verify_signature(const uint8_t *dat ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL)); ERR_free_strings(); - BN_free(modulus); - BN_free(exponent); RSA_free(rsa_pubkey); return false; } @@ -467,8 +462,6 @@ bool verify_signature(const uint8_t *dat ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL)); ERR_free_strings(); - BN_free(modulus); - BN_free(exponent); RSA_free(rsa_pubkey); return false; } @@ -483,8 +476,6 @@ bool verify_signature(const uint8_t *dat ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL)); ERR_free_strings(); - BN_free(modulus); - BN_free(exponent); RSA_free(rsa_pubkey); return false; } @@ -499,8 +490,6 @@ bool verify_signature(const uint8_t *dat ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL)); ERR_free_strings(); - BN_free(modulus); - BN_free(exponent); RSA_free(rsa_pubkey); return false; } @@ -508,13 +497,10 @@ bool verify_signature(const uint8_t *dat default : LOG("unknown hash alg\n"); - BN_free(modulus); - BN_free(exponent); + RSA_free(rsa_pubkey); return false; } - BN_free(modulus); - BN_free(exponent); RSA_free(rsa_pubkey); return true; } Index: tboot-1.9.6/lcptools/crtpollist.c =================================================================== --- tboot-1.9.6.orig/lcptools/crtpollist.c +++ tboot-1.9.6/lcptools/crtpollist.c @@ -156,13 +156,14 @@ static lcp_signature_t *read_pubkey_file memset(sig, 0, sizeof(*sig) + 2*keysize); sig->pubkey_size = keysize; + const BIGNUM *modulus = NULL; + /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L - BIGNUM *modulus = BN_new(); - RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); + RSA_get0_key(pubkey, &modulus, NULL, NULL); #else - BIGNUM *modulus = BN_dup(pubkey->n); + modulus = pubkey->n; #endif unsigned char key[keysize]; BN_bn2bin(modulus, key); @@ -175,8 +176,7 @@ static lcp_signature_t *read_pubkey_file LOG("signature:\n"); display_signature(" ", sig, false); } - - BN_free(modulus); + RSA_free(pubkey); return sig; } Index: tboot-1.9.6/lcptools/lcputils2.c =================================================================== --- tboot-1.9.6.orig/lcptools/lcputils2.c +++ tboot-1.9.6/lcptools/lcputils2.c @@ -274,31 +274,29 @@ bool verify_signature(const uint8_t *dat ERROR("Error: failed to allocate key\n"); return false; } - BIGNUM *modulus = BN_new(); + + BIGNUM *modulus = BN_bin2bn(key, pubkey_size, NULL); BIGNUM *exponent = BN_new(); - modulus = BN_bin2bn(key, pubkey_size, NULL); /* uses fixed exponent (LCP_SIG_EXPONENT) */ char exp[32]; snprintf(exp, sizeof(exp), "%u", LCP_SIG_EXPONENT); BN_dec2bn(&exponent, exp); - + /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA stuct */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L - RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); + RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); #else - rsa_pubkey->n = BN_dup(modulus); - rsa_pubkey->e = BN_dup(exponent); - rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL; + rsa_pubkey->n = modulus; + rsa_pubkey->e = exponent; + rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL; #endif /* first create digest of data */ tb_hash_t digest; if ( !hash_buffer(data, data_size, &digest, TB_HALG_SHA1_LG) ) { ERROR("Error: failed to hash list\n"); - BN_free(modulus); - BN_free(exponent); RSA_free(rsa_pubkey); return false; } @@ -339,14 +337,10 @@ bool verify_signature(const uint8_t *dat ERROR("Error: failed to verify list: %s\n", ERR_error_string(ERR_get_error(), NULL)); ERR_free_strings(); - BN_free(modulus); - BN_free(exponent); - RSA_free(rsa_pubkey); + RSA_free(rsa_pubkey); return false; } - - BN_free(modulus); - BN_free(exponent); + RSA_free(rsa_pubkey); return true; }
