Accepting request 1126087 from home:ohollmann:branches:security:tls

- Security fix: [bsc#1216922, CVE-2023-5678] * Fix excessive time spent in DH check / generation with large Q parameter value. * Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. * Add openssl-CVE-2023-5678.patch - Remove trailing spaces from changelog - Remove a hack for bsc#936563 bsc936563_hack.patch (bsc#936563) - Build with no-ssl3, for details on why this is needed read require us to patch dependant packages as the relevant functions are still available (SSLv3_(client|server)_method) - openssl.keyring: use Matt Caswells current key. - openSSL 1.0.1j - openssl.keyring: the 1.0.1i release was done by - 012-Fix-eckey_priv_encode.patch eckey_priv_encode should - 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch it is already in RPM_OPT_FLAGS and is replaced by - Remove the "gmp" and "capi" shared engines, nobody noticed but they are just dummies that do nothing. - Use enable-rfc3779 to allow projects such as rpki.net - openssl-buffreelistbug-aka-CVE-2010-5298.patch fix - openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does - openssl-gcc-attributes.patch OBS-URL: https://build.opensuse.org/request/show/1126087 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=150
2023-11-15 09:54:14 +00:00 · 2023-11-15 09:54:14 +00:00 · 6a02bab132
commit 6a02bab132
parent b51c004cd8
3 changed files with 288 additions and 95 deletions
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Security fix: [bsc#1216922, CVE-2023-5678]
+  * Fix excessive time spent in DH check / generation with large Q
+    parameter value.
+  * Applications that use the functions DH_generate_key() to generate
+    an X9.42 DH key may experience long delays. Likewise,
+    applications that use DH_check_pub_key(), DH_check_pub_key_ex
+    () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
+    DH parameters may experience long delays. Where the key or
+    parameters that are being checked have been obtained from an
+    untrusted source this may lead to a Denial of Service.
+  * Add openssl-CVE-2023-5678.patch
+- Remove trailing spaces from changelog
+
 -------------------------------------------------------------------
 Thu Oct 19 15:03:14 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -185,6 +185,9 @@ Patch111:       openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.pat
 Patch112:       openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
 Patch113:       openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
 Patch114:       openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
+# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
+# checking excessively long X9.42 DH keys or parameters may be very slow
+Patch115:       openssl-CVE-2023-5678.patch
 BuildRequires:  jitterentropy-devel >= 3.4.0
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
--- a/openssl-CVE-2023-5678.patch
+++ b/openssl-CVE-2023-5678.patch
@ -0,0 +1,174 @@
+From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Fri, 20 Oct 2023 09:18:19 +0200
+Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
+
+We already check for an excessively large P in DH_generate_key(), but not in
+DH_check_pub_key(), and none of them check for an excessively large Q.
+
+This change adds all the missing excessive size checks of P and Q.
+
+It's to be noted that behaviours surrounding excessively sized P and Q
+differ.  DH_check() raises an error on the excessively sized P, but only
+sets a flag for the excessively sized Q.  This behaviour is mimicked in
+DH_check_pub_key().
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/22518)
+
+(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
+---
+ crypto/dh/dh_check.c    | 12 ++++++++++++
+ crypto/dh/dh_err.c      |  3 ++-
+ crypto/dh/dh_key.c      | 12 ++++++++++++
+ crypto/err/openssl.txt  |  1 +
+ include/crypto/dherr.h  |  2 +-
+ include/openssl/dh.h    |  6 +++---
+ include/openssl/dherr.h |  3 ++-
+ 7 files changed, 33 insertions(+), 6 deletions(-)
+
+Index: openssl-1.1.1w/crypto/dh/dh_err.c
+===================================================================
+--- openssl-1.1.1w.orig/crypto/dh/dh_err.c
+++ openssl-1.1.1w/crypto/dh/dh_err.c
+@@ -21,6 +21,7 @@ static const ERR_STRING_DATA DH_str_func
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY, 0), "DH_check_pub_key"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_DECRYPT, 0), "dh_cms_decrypt"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
+@@ -87,6 +88,7 @@ static const ERR_STRING_DATA DH_str_reas
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
+     "parameter encoding error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
+     "unable to check generator"},
+Index: openssl-1.1.1w/crypto/err/openssl.txt
+===================================================================
+--- openssl-1.1.1w.orig/crypto/err/openssl.txt
+++ openssl-1.1.1w/crypto/err/openssl.txt
+@@ -404,6 +404,7 @@ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin
+ DH_F_DH_CHECK:126:DH_check
+ DH_F_DH_CHECK_EX:121:DH_check_ex
+ DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
+DH_F_DH_CHECK_PUB_KEY:128:DH_check_pub_key
+ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
+ DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt
+ DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey
+@@ -2226,6 +2227,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters
+ DH_R_NO_PRIVATE_VALUE:100:no private value
+ DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
+ DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
+ DH_R_SHARED_INFO_ERROR:113:shared info error
+ DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
+ DSA_R_BAD_Q_VALUE:102:bad q value
+Index: openssl-1.1.1w/include/openssl/dherr.h
+===================================================================
+--- openssl-1.1.1w.orig/include/openssl/dherr.h
+++ openssl-1.1.1w/include/openssl/dherr.h
+@@ -31,6 +31,7 @@ int ERR_load_DH_strings(void);
+ #  define DH_F_DH_CHECK                                    126
+ #  define DH_F_DH_CHECK_EX                                 121
+ #  define DH_F_DH_CHECK_PARAMS_EX                          122
+#  define DH_F_DH_CHECK_PUB_KEY                            128
+ #  define DH_F_DH_CHECK_PUB_KEY_EX                         123
+ #  define DH_F_DH_CMS_DECRYPT                              114
+ #  define DH_F_DH_CMS_SET_PEERKEY                          115
+@@ -84,6 +85,7 @@ int ERR_load_DH_strings(void);
+ #  define DH_R_NO_PRIVATE_VALUE                            100
+ #  define DH_R_PARAMETER_ENCODING_ERROR                    105
+ #  define DH_R_PEER_KEY_ERROR                              111
+#  define DH_R_Q_TOO_LARGE                                 130
+ #  define DH_R_SHARED_INFO_ERROR                           113
+ #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
+ 
+Index: openssl-1.1.1w/crypto/dh/dh_check.c
+===================================================================
+--- openssl-1.1.1w.orig/crypto/dh/dh_check.c
+++ openssl-1.1.1w/crypto/dh/dh_check.c
+@@ -260,6 +260,18 @@ static int dh_check_pub_key_int(const DH
+  */
+ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+ {
+    /* Don't do any checks at all with an excessively large modulus */
+    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+        DHerr(DH_F_DH_CHECK_PUB_KEY, DH_R_MODULUS_TOO_LARGE);
+        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+        return 0;
+    }
+
+    if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
+        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+        return 1;
+    }
+
+     return dh_check_pub_key_int(dh, dh->q, pub_key, ret);
+ }
+ 
+Index: openssl-1.1.1w/crypto/dh/dh_key.c
+===================================================================
+--- openssl-1.1.1w.orig/crypto/dh/dh_key.c
+++ openssl-1.1.1w/crypto/dh/dh_key.c
+@@ -51,6 +51,12 @@ int DH_compute_key(unsigned char *key, c
+     int ret = 0, i;
+     volatile size_t npad = 0, mask = 1;
+ 
+    if (dh->q != NULL
+        && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+        DHerr(DH_F_DH_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
+        return 0;
+    }
+
+     /* compute the key; ret is constant unless compute_key is external */
+     if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0)
+         return ret;
+@@ -147,6 +153,12 @@ static int generate_key(DH *dh)
+         return 0;
+     }
+ 
+    if (dh->q != NULL
+        && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+        DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
+        return 0;
+    }
+
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+         goto err;
+Index: openssl-1.1.1w/doc/man3/DH_generate_parameters.pod
+===================================================================
+--- openssl-1.1.1w.orig/doc/man3/DH_generate_parameters.pod
+++ openssl-1.1.1w/doc/man3/DH_generate_parameters.pod
+@@ -73,6 +73,10 @@ The generator B<g> is not suitable.
+ Note that the lack of this bit doesn't guarantee that B<g> is
+ suitable, unless B<p> is known to be a strong prime.
+ 
+=item DH_MODULUS_TOO_LARGE
+
+The modulus is too large.
+
+ =back
+ 
+ DH_check() confirms that the Diffie-Hellman parameters B<dh> are valid. The
+Index: openssl-1.1.1w/include/openssl/dh.h
+===================================================================
+--- openssl-1.1.1w.orig/include/openssl/dh.h
+++ openssl-1.1.1w/include/openssl/dh.h
+@@ -78,8 +78,9 @@ DECLARE_ASN1_ITEM(DHparams)
+ # define DH_UNABLE_TO_CHECK_GENERATOR    0x04
+ # define DH_NOT_SUITABLE_GENERATOR       0x08
+ # define DH_CHECK_Q_NOT_PRIME            0x10
+-# define DH_CHECK_INVALID_Q_VALUE        0x20
+# define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
+ # define DH_CHECK_INVALID_J_VALUE        0x40
+# define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
+ 
+ /* DH_check_pub_key error codes */
+ # define DH_CHECK_PUBKEY_TOO_SMALL       0x01