openssl-1_1/openssl-CVE-2023-5678.patch

From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 20 Oct 2023 09:18:19 +0200
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet

We already check for an excessively large P in DH_generate_key(), but not in
DH_check_pub_key(), and none of them check for an excessively large Q.

This change adds all the missing excessive size checks of P and Q.

It's to be noted that behaviours surrounding excessively sized P and Q
differ.  DH_check() raises an error on the excessively sized P, but only
sets a flag for the excessively sized Q.  This behaviour is mimicked in
DH_check_pub_key().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22518)

(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
---
 crypto/dh/dh_check.c    | 12 ++++++++++++
 crypto/dh/dh_err.c      |  3 ++-
 crypto/dh/dh_key.c      | 12 ++++++++++++
 crypto/err/openssl.txt  |  1 +
 include/crypto/dherr.h  |  2 +-
 include/openssl/dh.h    |  6 +++---
 include/openssl/dherr.h |  3 ++-
 7 files changed, 33 insertions(+), 6 deletions(-)

Index: openssl-1.1.1w/crypto/dh/dh_err.c
===================================================================
--- openssl-1.1.1w.orig/crypto/dh/dh_err.c
+++ openssl-1.1.1w/crypto/dh/dh_err.c
@@ -21,6 +21,7 @@ static const ERR_STRING_DATA DH_str_func
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY, 0), "DH_check_pub_key"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_DECRYPT, 0), "dh_cms_decrypt"},
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
@@ -87,6 +88,7 @@ static const ERR_STRING_DATA DH_str_reas
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
     "parameter encoding error"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
     "unable to check generator"},
Index: openssl-1.1.1w/crypto/err/openssl.txt
===================================================================
--- openssl-1.1.1w.orig/crypto/err/openssl.txt
+++ openssl-1.1.1w/crypto/err/openssl.txt
@@ -404,6 +404,7 @@ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin
 DH_F_DH_CHECK:126:DH_check
 DH_F_DH_CHECK_EX:121:DH_check_ex
 DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
+DH_F_DH_CHECK_PUB_KEY:128:DH_check_pub_key
 DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
 DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt
 DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey
@@ -2226,6 +2227,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters
 DH_R_NO_PRIVATE_VALUE:100:no private value
 DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
 DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
 DH_R_SHARED_INFO_ERROR:113:shared info error
 DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
 DSA_R_BAD_Q_VALUE:102:bad q value
Index: openssl-1.1.1w/include/openssl/dherr.h
===================================================================
--- openssl-1.1.1w.orig/include/openssl/dherr.h
+++ openssl-1.1.1w/include/openssl/dherr.h
@@ -31,6 +31,7 @@ int ERR_load_DH_strings(void);
 #  define DH_F_DH_CHECK                                    126
 #  define DH_F_DH_CHECK_EX                                 121
 #  define DH_F_DH_CHECK_PARAMS_EX                          122
+#  define DH_F_DH_CHECK_PUB_KEY                            128
 #  define DH_F_DH_CHECK_PUB_KEY_EX                         123
 #  define DH_F_DH_CMS_DECRYPT                              114
 #  define DH_F_DH_CMS_SET_PEERKEY                          115
@@ -84,6 +85,7 @@ int ERR_load_DH_strings(void);
 #  define DH_R_NO_PRIVATE_VALUE                            100
 #  define DH_R_PARAMETER_ENCODING_ERROR                    105
 #  define DH_R_PEER_KEY_ERROR                              111
+#  define DH_R_Q_TOO_LARGE                                 130
 #  define DH_R_SHARED_INFO_ERROR                           113
 #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
 
Index: openssl-1.1.1w/crypto/dh/dh_check.c
===================================================================
--- openssl-1.1.1w.orig/crypto/dh/dh_check.c
+++ openssl-1.1.1w/crypto/dh/dh_check.c
@@ -260,6 +260,18 @@ static int dh_check_pub_key_int(const DH
  */
 int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
 {
+    /* Don't do any checks at all with an excessively large modulus */
+    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+        DHerr(DH_F_DH_CHECK_PUB_KEY, DH_R_MODULUS_TOO_LARGE);
+        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+        return 0;
+    }
+
+    if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
+        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+        return 1;
+    }
+
     return dh_check_pub_key_int(dh, dh->q, pub_key, ret);
 }
 
Index: openssl-1.1.1w/crypto/dh/dh_key.c
===================================================================
--- openssl-1.1.1w.orig/crypto/dh/dh_key.c
+++ openssl-1.1.1w/crypto/dh/dh_key.c
@@ -51,6 +51,12 @@ int DH_compute_key(unsigned char *key, c
     int ret = 0, i;
     volatile size_t npad = 0, mask = 1;
 
+    if (dh->q != NULL
+        && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+        DHerr(DH_F_DH_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
+        return 0;
+    }
+
     /* compute the key; ret is constant unless compute_key is external */
     if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0)
         return ret;
@@ -147,6 +153,12 @@ static int generate_key(DH *dh)
         return 0;
     }
 
+    if (dh->q != NULL
+        && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+        DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
+        return 0;
+    }
+
     ctx = BN_CTX_new();
     if (ctx == NULL)
         goto err;
Index: openssl-1.1.1w/doc/man3/DH_generate_parameters.pod
===================================================================
--- openssl-1.1.1w.orig/doc/man3/DH_generate_parameters.pod
+++ openssl-1.1.1w/doc/man3/DH_generate_parameters.pod
@@ -73,6 +73,10 @@ The generator B<g> is not suitable.
 Note that the lack of this bit doesn't guarantee that B<g> is
 suitable, unless B<p> is known to be a strong prime.
 
+=item DH_MODULUS_TOO_LARGE
+
+The modulus is too large.
+
 =back
 
 DH_check() confirms that the Diffie-Hellman parameters B<dh> are valid. The
Index: openssl-1.1.1w/include/openssl/dh.h
===================================================================
--- openssl-1.1.1w.orig/include/openssl/dh.h
+++ openssl-1.1.1w/include/openssl/dh.h
@@ -78,8 +78,9 @@ DECLARE_ASN1_ITEM(DHparams)
 # define DH_UNABLE_TO_CHECK_GENERATOR    0x04
 # define DH_NOT_SUITABLE_GENERATOR       0x08
 # define DH_CHECK_Q_NOT_PRIME            0x10
-# define DH_CHECK_INVALID_Q_VALUE        0x20
+# define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
 # define DH_CHECK_INVALID_J_VALUE        0x40
+# define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
 
 /* DH_check_pub_key error codes */
 # define DH_CHECK_PUBKEY_TOO_SMALL       0x01
Accepting request 1126087 from home:ohollmann:branches:security:tls - Security fix: [bsc#1216922, CVE-2023-5678] * Fix excessive time spent in DH check / generation with large Q parameter value. * Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. * Add openssl-CVE-2023-5678.patch - Remove trailing spaces from changelog - Remove a hack for bsc#936563 bsc936563_hack.patch (bsc#936563) - Build with no-ssl3, for details on why this is needed read require us to patch dependant packages as the relevant functions are still available (SSLv3_(client\|server)_method) - openssl.keyring: use Matt Caswells current key. - openSSL 1.0.1j - openssl.keyring: the 1.0.1i release was done by - 012-Fix-eckey_priv_encode.patch eckey_priv_encode should - 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch it is already in RPM_OPT_FLAGS and is replaced by - Remove the "gmp" and "capi" shared engines, nobody noticed but they are just dummies that do nothing. - Use enable-rfc3779 to allow projects such as rpki.net - openssl-buffreelistbug-aka-CVE-2010-5298.patch fix - openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does - openssl-gcc-attributes.patch OBS-URL: https://build.opensuse.org/request/show/1126087 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=150 2023-11-15 10:54:14 +01:00			`From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001`
			`From: Richard Levitte <levitte@openssl.org>`
			`Date: Fri, 20 Oct 2023 09:18:19 +0200`
			`Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet`

			`We already check for an excessively large P in DH_generate_key(), but not in`
			`DH_check_pub_key(), and none of them check for an excessively large Q.`

			`This change adds all the missing excessive size checks of P and Q.`

			`It's to be noted that behaviours surrounding excessively sized P and Q`
			`differ. DH_check() raises an error on the excessively sized P, but only`
			`sets a flag for the excessively sized Q. This behaviour is mimicked in`
			`DH_check_pub_key().`

			`Reviewed-by: Tomas Mraz <tomas@openssl.org>`
			`Reviewed-by: Matt Caswell <matt@openssl.org>`
			`Reviewed-by: Hugo Landau <hlandau@openssl.org>`
			`(Merged from https://github.com/openssl/openssl/pull/22518)`

			`(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)`
			`---`
			`crypto/dh/dh_check.c \| 12 ++++++++++++`
			`crypto/dh/dh_err.c \| 3 ++-`
			`crypto/dh/dh_key.c \| 12 ++++++++++++`
			`crypto/err/openssl.txt \| 1 +`
			`include/crypto/dherr.h \| 2 +-`
			`include/openssl/dh.h \| 6 +++---`
			`include/openssl/dherr.h \| 3 ++-`
			`7 files changed, 33 insertions(+), 6 deletions(-)`

			`Index: openssl-1.1.1w/crypto/dh/dh_err.c`
			`===================================================================`
			`--- openssl-1.1.1w.orig/crypto/dh/dh_err.c`
			`+++ openssl-1.1.1w/crypto/dh/dh_err.c`
			`@@ -21,6 +21,7 @@ static const ERR_STRING_DATA DH_str_func`
			`{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},`
			`{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},`
			`{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},`
			`+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY, 0), "DH_check_pub_key"},`
			`{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},`
			`{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_DECRYPT, 0), "dh_cms_decrypt"},`
			`{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},`
			`@@ -87,6 +88,7 @@ static const ERR_STRING_DATA DH_str_reas`
			`{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),`
			`"parameter encoding error"},`
			`{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},`
			`+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},`
			`{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},`
			`{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),`
			`"unable to check generator"},`
			`Index: openssl-1.1.1w/crypto/err/openssl.txt`
			`===================================================================`
			`--- openssl-1.1.1w.orig/crypto/err/openssl.txt`
			`+++ openssl-1.1.1w/crypto/err/openssl.txt`
			`@@ -404,6 +404,7 @@ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin`
			`DH_F_DH_CHECK:126:DH_check`
			`DH_F_DH_CHECK_EX:121:DH_check_ex`
			`DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex`
			`+DH_F_DH_CHECK_PUB_KEY:128:DH_check_pub_key`
			`DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex`
			`DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt`
			`DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey`
			`@@ -2226,6 +2227,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters`
			`DH_R_NO_PRIVATE_VALUE:100:no private value`
			`DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error`
			`DH_R_PEER_KEY_ERROR:111:peer key error`
			`+DH_R_Q_TOO_LARGE:130:q too large`
			`DH_R_SHARED_INFO_ERROR:113:shared info error`
			`DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator`
			`DSA_R_BAD_Q_VALUE:102:bad q value`
			`Index: openssl-1.1.1w/include/openssl/dherr.h`
			`===================================================================`
			`--- openssl-1.1.1w.orig/include/openssl/dherr.h`
			`+++ openssl-1.1.1w/include/openssl/dherr.h`
			`@@ -31,6 +31,7 @@ int ERR_load_DH_strings(void);`
			`# define DH_F_DH_CHECK 126`
			`# define DH_F_DH_CHECK_EX 121`
			`# define DH_F_DH_CHECK_PARAMS_EX 122`
			`+# define DH_F_DH_CHECK_PUB_KEY 128`
			`# define DH_F_DH_CHECK_PUB_KEY_EX 123`
			`# define DH_F_DH_CMS_DECRYPT 114`
			`# define DH_F_DH_CMS_SET_PEERKEY 115`
			`@@ -84,6 +85,7 @@ int ERR_load_DH_strings(void);`
			`# define DH_R_NO_PRIVATE_VALUE 100`
			`# define DH_R_PARAMETER_ENCODING_ERROR 105`
			`# define DH_R_PEER_KEY_ERROR 111`
			`+# define DH_R_Q_TOO_LARGE 130`
			`# define DH_R_SHARED_INFO_ERROR 113`
			`# define DH_R_UNABLE_TO_CHECK_GENERATOR 121`

			`Index: openssl-1.1.1w/crypto/dh/dh_check.c`
			`===================================================================`
			`--- openssl-1.1.1w.orig/crypto/dh/dh_check.c`
			`+++ openssl-1.1.1w/crypto/dh/dh_check.c`
			`@@ -260,6 +260,18 @@ static int dh_check_pub_key_int(const DH`
			`*/`
			`int DH_check_pub_key(const DH dh, const BIGNUM pub_key, int *ret)`
			`{`
			`+ /* Don't do any checks at all with an excessively large modulus */`
			`+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {`
			`+ DHerr(DH_F_DH_CHECK_PUB_KEY, DH_R_MODULUS_TOO_LARGE);`
			`+ *ret = DH_MODULUS_TOO_LARGE \| DH_CHECK_PUBKEY_INVALID;`
			`+ return 0;`
			`+ }`
			`+`
			`+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {`
			`+ *ret \|= DH_CHECK_INVALID_Q_VALUE \| DH_CHECK_PUBKEY_INVALID;`
			`+ return 1;`
			`+ }`
			`+`
			`return dh_check_pub_key_int(dh, dh->q, pub_key, ret);`
			`}`

			`Index: openssl-1.1.1w/crypto/dh/dh_key.c`
			`===================================================================`
			`--- openssl-1.1.1w.orig/crypto/dh/dh_key.c`
			`+++ openssl-1.1.1w/crypto/dh/dh_key.c`
			`@@ -51,6 +51,12 @@ int DH_compute_key(unsigned char *key, c`
			`int ret = 0, i;`
			`volatile size_t npad = 0, mask = 1;`

			`+ if (dh->q != NULL`
			`+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {`
			`+ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_Q_TOO_LARGE);`
			`+ return 0;`
			`+ }`
			`+`
			`/* compute the key; ret is constant unless compute_key is external */`
			`if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0)`
			`return ret;`
			`@@ -147,6 +153,12 @@ static int generate_key(DH *dh)`
			`return 0;`
			`}`

			`+ if (dh->q != NULL`
			`+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {`
			`+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);`
			`+ return 0;`
			`+ }`
			`+`
			`ctx = BN_CTX_new();`
			`if (ctx == NULL)`
			`goto err;`
			`Index: openssl-1.1.1w/doc/man3/DH_generate_parameters.pod`
			`===================================================================`
			`--- openssl-1.1.1w.orig/doc/man3/DH_generate_parameters.pod`
			`+++ openssl-1.1.1w/doc/man3/DH_generate_parameters.pod`
			`@@ -73,6 +73,10 @@ The generator B<g> is not suitable.`
			`Note that the lack of this bit doesn't guarantee that B<g> is`
			`suitable, unless B<p> is known to be a strong prime.`

			`+=item DH_MODULUS_TOO_LARGE`
			`+`
			`+The modulus is too large.`
			`+`
			`=back`

			`DH_check() confirms that the Diffie-Hellman parameters B<dh> are valid. The`
			`Index: openssl-1.1.1w/include/openssl/dh.h`
			`===================================================================`
			`--- openssl-1.1.1w.orig/include/openssl/dh.h`
			`+++ openssl-1.1.1w/include/openssl/dh.h`
			`@@ -78,8 +78,9 @@ DECLARE_ASN1_ITEM(DHparams)`
			`# define DH_UNABLE_TO_CHECK_GENERATOR 0x04`
			`# define DH_NOT_SUITABLE_GENERATOR 0x08`
			`# define DH_CHECK_Q_NOT_PRIME 0x10`
			`-# define DH_CHECK_INVALID_Q_VALUE 0x20`
			`+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */`
			`# define DH_CHECK_INVALID_J_VALUE 0x40`
			`+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */`

			`/* DH_check_pub_key error codes */`
			`# define DH_CHECK_PUBKEY_TOO_SMALL 0x01`