Ana Guerrero 2023-07-24 16:12:06 +00:00 committed by Git OBS Bridge
commit eacff36a04
4 changed files with 185 additions and 0 deletions

View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Jul 20 07:48:20 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1213487, CVE-2023-3446]
* Fix DH_check() excessive time with over sized modulus.
* The function DH_check() performs various checks on DH parameters.
One of those checks confirms that the modulus ("p" parameter) is
not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits
in length.
However the DH_check() function checks numerous aspects of the
key or parameters that have been supplied. Some of those checks
use the supplied modulus value even if it has already been found
to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying
a key/parameters with a modulus over this size will simply cause
DH_check() to fail.
* Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
-------------------------------------------------------------------
Tue Jun 20 15:18:56 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

View File

@ -132,6 +132,9 @@ Patch78: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes
Patch79: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
#PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl
Patch80: openssl-1_1-openssl-config.patch
# PATCH-FIX-UPSTREAM: bsc#1213487 CVE-2023-3446 DH_check() excessive time with over sized modulus
Patch81: openssl-CVE-2023-3446.patch
Patch82: openssl-CVE-2023-3446-test.patch
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Provides: ssl

View File

@ -0,0 +1,58 @@
From e9ddae17e302a7e6a0daf00f25efed7c70f114d4 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 7 Jul 2023 14:39:48 +0100
Subject: [PATCH] Add a test for CVE-2023-3446
Confirm that the only errors DH_check() finds with DH parameters with an
excessively long modulus is that the modulus is too large. We should not
be performing time consuming checks using that modulus.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21452)
---
test/dhtest.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/test/dhtest.c b/test/dhtest.c
index 9d5609b943ab..00b3c471015d 100644
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -63,7 +63,7 @@ static int dh_test(void)
|| !TEST_true(DH_set0_pqg(dh, p, q, g)))
goto err1;
- if (!DH_check(dh, &i))
+ if (!TEST_true(DH_check(dh, &i)))
goto err2;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
@@ -123,6 +123,17 @@ static int dh_test(void)
/* check whether the public key was calculated correctly */
TEST_uint_eq(BN_get_word(pub_key2), 3331L);
+ /* Modulus of size: dh check max modulus bits + 1 */
+ if (!TEST_true(BN_set_word(p, 1))
+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+ goto err3;
+
+ /*
+ * We expect no checks at all for an excessively large modulus
+ */
+ if (!TEST_false(DH_check(dh, &i)))
+ goto err3;
+
/*
* II) key generation
*/
@@ -137,7 +148,7 @@ static int dh_test(void)
goto err3;
/* ... and check whether it is valid */
- if (!DH_check(a, &i))
+ if (!TEST_true(DH_check(a, &i)))
goto err3;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)

105
openssl-CVE-2023-3446.patch Normal file
View File

@ -0,0 +1,105 @@
From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 6 Jul 2023 16:36:35 +0100
Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.
There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.
An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.
The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().
CVE-2023-3446
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21452)
---
crypto/dh/dh_check.c | 6 ++++++
crypto/dh/dh_err.c | 3 ++-
crypto/err/openssl.txt | 3 ++-
include/openssl/dh.h | 3 +++
include/openssl/dherr.h | 3 ++-
5 files changed, 15 insertions(+), 3 deletions(-)
Index: openssl-1.1.1u/crypto/dh/dh_check.c
===================================================================
--- openssl-1.1.1u.orig/crypto/dh/dh_check.c
+++ openssl-1.1.1u/crypto/dh/dh_check.c
@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
if (!DH_check_params(dh, ret))
return 0;
Index: openssl-1.1.1u/crypto/dh/dh_err.c
===================================================================
--- openssl-1.1.1u.orig/crypto/dh/dh_err.c
+++ openssl-1.1.1u/crypto/dh/dh_err.c
@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_func
{ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
"dh_builtin_genparams"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
Index: openssl-1.1.1u/crypto/err/openssl.txt
===================================================================
--- openssl-1.1.1u.orig/crypto/err/openssl.txt
+++ openssl-1.1.1u/crypto/err/openssl.txt
@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
DH_F_COMPUTE_KEY:102:compute_key
DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
+DH_F_DH_CHECK:126:DH_check
DH_F_DH_CHECK_EX:121:DH_check_ex
DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
Index: openssl-1.1.1u/include/openssl/dh.h
===================================================================
--- openssl-1.1.1u.orig/include/openssl/dh.h
+++ openssl-1.1.1u/include/openssl/dh.h
@@ -29,6 +29,9 @@ extern "C" {
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
# endif
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
+# endif
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
Index: openssl-1.1.1u/include/openssl/dherr.h
===================================================================
--- openssl-1.1.1u.orig/include/openssl/dherr.h
+++ openssl-1.1.1u/include/openssl/dherr.h
@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
# define DH_F_COMPUTE_KEY 102
# define DH_F_DHPARAMS_PRINT_FP 101
# define DH_F_DH_BUILTIN_GENPARAMS 106
+# define DH_F_DH_CHECK 126
# define DH_F_DH_CHECK_EX 121
# define DH_F_DH_CHECK_PARAMS_EX 122
# define DH_F_DH_CHECK_PUB_KEY_EX 123