Accepting request 1099670 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1099670 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=49
2023-07-24 16:12:06 +00:00 · 2023-07-24 16:12:06 +00:00 · eacff36a04
commit eacff36a04
parent 62282c4f2b 2f6ae03793
4 changed files with 185 additions and 0 deletions
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Thu Jul 20 07:48:20 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1213487, CVE-2023-3446]
+  * Fix DH_check() excessive time with over sized modulus.
+  * The function DH_check() performs various checks on DH parameters.
+    One of those checks confirms that the modulus ("p" parameter) is
+    not too large. Trying to use a very large modulus is slow and
+    OpenSSL will not normally use a modulus which is over 10,000 bits
+    in length.
+    However the DH_check() function checks numerous aspects of the
+    key or parameters that have been supplied. Some of those checks
+    use the supplied modulus value even if it has already been found
+    to be too large.
+    A new limit has been added to DH_check of 32,768 bits. Supplying
+    a key/parameters with a modulus over this size will simply cause
+    DH_check() to fail.
+  * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
+
 -------------------------------------------------------------------
 Tue Jun 20 15:18:56 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -132,6 +132,9 @@ Patch78:        openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes
 Patch79:        openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
 #PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl
 Patch80:        openssl-1_1-openssl-config.patch
+# PATCH-FIX-UPSTREAM: bsc#1213487 CVE-2023-3446 DH_check() excessive time with over sized modulus
+Patch81:        openssl-CVE-2023-3446.patch
+Patch82:        openssl-CVE-2023-3446-test.patch
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
 Provides:       ssl
--- a/openssl-CVE-2023-3446-test.patch
+++ b/openssl-CVE-2023-3446-test.patch
@ -0,0 +1,58 @@
+From e9ddae17e302a7e6a0daf00f25efed7c70f114d4 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 7 Jul 2023 14:39:48 +0100
+Subject: [PATCH] Add a test for CVE-2023-3446
+
+Confirm that the only errors DH_check() finds with DH parameters with an
+excessively long modulus is that the modulus is too large. We should not
+be performing time consuming checks using that modulus.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21452)
+---
+ test/dhtest.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/test/dhtest.c b/test/dhtest.c
+index 9d5609b943ab..00b3c471015d 100644
+--- a/test/dhtest.c
+++ b/test/dhtest.c
+@@ -63,7 +63,7 @@ static int dh_test(void)
+         || !TEST_true(DH_set0_pqg(dh, p, q, g)))
+         goto err1;
+ 
+-    if (!DH_check(dh, &i))
+    if (!TEST_true(DH_check(dh, &i)))
+         goto err2;
+     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
+             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
+@@ -123,6 +123,17 @@ static int dh_test(void)
+     /* check whether the public key was calculated correctly */
+     TEST_uint_eq(BN_get_word(pub_key2), 3331L);
+ 
+    /* Modulus of size: dh check max modulus bits + 1 */
+    if (!TEST_true(BN_set_word(p, 1))
+            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+        goto err3;
+
+    /*
+     * We expect no checks at all for an excessively large modulus
+     */
+    if (!TEST_false(DH_check(dh, &i)))
+        goto err3;
+
+     /*
+      * II) key generation
+      */
+@@ -137,7 +148,7 @@ static int dh_test(void)
+         goto err3;
+ 
+     /* ... and check whether it is valid */
+-    if (!DH_check(a, &i))
+    if (!TEST_true(DH_check(a, &i)))
+         goto err3;
+     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
+             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
--- a/openssl-CVE-2023-3446.patch
+++ b/openssl-CVE-2023-3446.patch
@ -0,0 +1,105 @@
+From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 6 Jul 2023 16:36:35 +0100
+Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
+
+The DH_check() function checks numerous aspects of the key or parameters
+that have been supplied. Some of those checks use the supplied modulus
+value even if it is excessively large.
+
+There is already a maximum DH modulus size (10,000 bits) over which
+OpenSSL will not generate or derive keys. DH_check() will however still
+perform various tests for validity on such a large modulus. We introduce a
+new maximum (32,768) over which DH_check() will just fail.
+
+An application that calls DH_check() and supplies a key or parameters
+obtained from an untrusted source could be vulnerable to a Denial of
+Service attack.
+
+The function DH_check() is itself called by a number of other OpenSSL
+functions. An application calling any of those other functions may
+similarly be affected. The other functions affected by this are
+DH_check_ex() and EVP_PKEY_param_check().
+
+CVE-2023-3446
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21452)
+---
+ crypto/dh/dh_check.c    | 6 ++++++
+ crypto/dh/dh_err.c      | 3 ++-
+ crypto/err/openssl.txt  | 3 ++-
+ include/openssl/dh.h    | 3 +++
+ include/openssl/dherr.h | 3 ++-
+ 5 files changed, 15 insertions(+), 3 deletions(-)
+
+Index: openssl-1.1.1u/crypto/dh/dh_check.c
+===================================================================
+--- openssl-1.1.1u.orig/crypto/dh/dh_check.c
+++ openssl-1.1.1u/crypto/dh/dh_check.c
+@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
+     BN_CTX *ctx = NULL;
+     BIGNUM *t1 = NULL, *t2 = NULL;
+ 
+    /* Don't do any checks at all with an excessively large modulus */
+    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+        DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+        return 0;
+    }
+
+     if (!DH_check_params(dh, ret))
+         return 0;
+ 
+Index: openssl-1.1.1u/crypto/dh/dh_err.c
+===================================================================
+--- openssl-1.1.1u.orig/crypto/dh/dh_err.c
+++ openssl-1.1.1u/crypto/dh/dh_err.c
+@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_func
+     {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
+      "dh_builtin_genparams"},
+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
+Index: openssl-1.1.1u/crypto/err/openssl.txt
+===================================================================
+--- openssl-1.1.1u.orig/crypto/err/openssl.txt
+++ openssl-1.1.1u/crypto/err/openssl.txt
+@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
+ DH_F_COMPUTE_KEY:102:compute_key
+ DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
+ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
+DH_F_DH_CHECK:126:DH_check
+ DH_F_DH_CHECK_EX:121:DH_check_ex
+ DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
+ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
+Index: openssl-1.1.1u/include/openssl/dh.h
+===================================================================
+--- openssl-1.1.1u.orig/include/openssl/dh.h
+++ openssl-1.1.1u/include/openssl/dh.h
+@@ -29,6 +29,9 @@ extern "C" {
+ # ifndef OPENSSL_DH_MAX_MODULUS_BITS
+ #  define OPENSSL_DH_MAX_MODULUS_BITS    10000
+ # endif
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+#  define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
+# endif
+ 
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
+Index: openssl-1.1.1u/include/openssl/dherr.h
+===================================================================
+--- openssl-1.1.1u.orig/include/openssl/dherr.h
+++ openssl-1.1.1u/include/openssl/dherr.h
+@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
+ #  define DH_F_COMPUTE_KEY                                 102
+ #  define DH_F_DHPARAMS_PRINT_FP                           101
+ #  define DH_F_DH_BUILTIN_GENPARAMS                        106
+#  define DH_F_DH_CHECK                                    126
+ #  define DH_F_DH_CHECK_EX                                 121
+ #  define DH_F_DH_CHECK_PARAMS_EX                          122
+ #  define DH_F_DH_CHECK_PUB_KEY_EX                         123