openssl-3/openssl-CVE-2023-3446-test.patch

From 4791e79b8803924b28c19af4d4036ad85335110d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 7 Jul 2023 14:39:48 +0100
Subject: [PATCH] Add a test for CVE-2023-3446

Confirm that the only errors DH_check() finds with DH parameters with an
excessively long modulus is that the modulus is too large. We should not
be performing time consuming checks using that modulus.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)

(cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)
---
 test/dhtest.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/test/dhtest.c b/test/dhtest.c
index 7b587f3cfa8f..f8dd8f3aa722 100644
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -73,7 +73,7 @@ static int dh_test(void)
         goto err1;
 
     /* check fails, because p is way too small */
-    if (!DH_check(dh, &i))
+    if (!TEST_true(DH_check(dh, &i)))
         goto err2;
     i ^= DH_MODULUS_TOO_SMALL;
     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
@@ -124,6 +124,17 @@ static int dh_test(void)
     /* We'll have a stale error on the queue from the above test so clear it */
     ERR_clear_error();
 
+    /* Modulus of size: dh check max modulus bits + 1 */
+    if (!TEST_true(BN_set_word(p, 1))
+            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+        goto err3;
+
+    /*
+     * We expect no checks at all for an excessively large modulus
+     */
+    if (!TEST_false(DH_check(dh, &i)))
+        goto err3;
+
     /*
      * II) key generation
      */
@@ -138,7 +149,7 @@ static int dh_test(void)
         goto err3;
 
     /* ... and check whether it is valid */
-    if (!DH_check(a, &i))
+    if (!TEST_true(DH_check(a, &i)))
         goto err3;
     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
Accepting request 1099662 from home:pmonrealgonzalez:branches:security:tls - Security fix: [bsc#1213487, CVE-2023-3446] * Fix DH_check() excessive time with over sized modulus. * The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1099662 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=68 2023-07-20 10:41:29 +02:00			`From 4791e79b8803924b28c19af4d4036ad85335110d Mon Sep 17 00:00:00 2001`
			`From: Matt Caswell <matt@openssl.org>`
			`Date: Fri, 7 Jul 2023 14:39:48 +0100`
			`Subject: [PATCH] Add a test for CVE-2023-3446`

			`Confirm that the only errors DH_check() finds with DH parameters with an`
			`excessively long modulus is that the modulus is too large. We should not`
			`be performing time consuming checks using that modulus.`

			`Reviewed-by: Paul Dale <pauli@openssl.org>`
			`Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>`
			`Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>`
			`Reviewed-by: Tomas Mraz <tomas@openssl.org>`
			`(Merged from https://github.com/openssl/openssl/pull/21451)`

			`(cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)`
			`---`
			`test/dhtest.c \| 15 +++++++++++++--`
			`1 file changed, 13 insertions(+), 2 deletions(-)`

			`diff --git a/test/dhtest.c b/test/dhtest.c`
			`index 7b587f3cfa8f..f8dd8f3aa722 100644`
			`--- a/test/dhtest.c`
			`+++ b/test/dhtest.c`
			`@@ -73,7 +73,7 @@ static int dh_test(void)`
			`goto err1;`

			`/* check fails, because p is way too small */`
			`- if (!DH_check(dh, &i))`
			`+ if (!TEST_true(DH_check(dh, &i)))`
			`goto err2;`
			`i ^= DH_MODULUS_TOO_SMALL;`
			`if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)`
			`@@ -124,6 +124,17 @@ static int dh_test(void)`
			`/* We'll have a stale error on the queue from the above test so clear it */`
			`ERR_clear_error();`

			`+ /* Modulus of size: dh check max modulus bits + 1 */`
			`+ if (!TEST_true(BN_set_word(p, 1))`
			`+ \|\| !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))`
			`+ goto err3;`
			`+`
			`+ /*`
			`+ * We expect no checks at all for an excessively large modulus`
			`+ */`
			`+ if (!TEST_false(DH_check(dh, &i)))`
			`+ goto err3;`
			`+`
			`/*`
			`* II) key generation`
			`*/`
			`@@ -138,7 +149,7 @@ static int dh_test(void)`
			`goto err3;`

			`/* ... and check whether it is valid */`
			`- if (!DH_check(a, &i))`
			`+ if (!TEST_true(DH_check(a, &i)))`
			`goto err3;`
			`if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)`
			`\|\| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)`