SHA256
1
0
forked from pool/openssl-1_1

Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls

- Update to 1.1.1v:
  * Fix excessive time spent checking DH q parameter value
    (bsc#1213853, CVE-2023-3817). The function DH_check() performs
    various checks on DH parameters. After fixing CVE-2023-3446 it
    was discovered that a large q parameter value can also trigger
    an overly long computation during some of these checks. A
    correct q value, if present, cannot be larger than the modulus
    p parameter, thus it is unnecessary to perform these checks if
    q is larger than p. If DH_check() is called with such q parameter
    value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
    computationally intensive checks are skipped.
  * Fix DH_check() excessive time with over sized modulus
    (bsc#1213487, CVE-2023-3446). The function DH_check() performs
    various checks on DH parameters. One of those checks confirms
    that the modulus ("p" parameter) is not too large. Trying to use
    a very large modulus is slow and OpenSSL will not normally use
    a modulus which is over 10,000 bits in length. However the
    DH_check() function checks numerous aspects of the key or
    parameters that have been supplied. Some of those checks use the
    supplied modulus value even if it has already been found to be
    too large. A new limit has been added to DH_check of 32,768 bits.
    Supplying a key/parameters with a modulus over this size will
    simply cause DH_check() to fail.
  * Rebase openssl-1_1-openssl-config.patch
  * Remove security patches fixed upstream:
    - openssl-CVE-2023-3446.patch
    - openssl-CVE-2023-3446-test.patch

OBS-URL: https://build.opensuse.org/request/show/1101915
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
This commit is contained in:
Pedro Monreal Gonzalez 2023-08-02 10:03:45 +00:00 committed by Git OBS Bridge
parent a620e0aeaf
commit f8ec18178a
9 changed files with 147 additions and 236 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6
size 9892176

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmR171cACgkQUnRmohyn
nm0f7RAAj+ZssEY1hiRWhuLTmmFJIR1vhEpP9addj8oaXvlJSrA6QzHZrUcuzTL0
jtOkS4gTIla8iNNe1alwQdYXnhW46IrQAy2+bYuHCLXJm55/0PKCs2Cdy3naPU3N
9zxo+jAEx3X7hBJAzyLbGwrzpIUe9mbkyheSGxtEpW53ZvX1jo73uxyVYzq6BwJx
ngCeyBDrRrP6GgwMrpR6zExUyOwltBl/Jvx813AvXXbczJgMe3wCeQOa9Y1QWaVA
eTKz2lT7reZ80VzfXNMdPT+33+vABfwGEPsdXy7JIWGJubiC5vkHq2Im/U6wzU9v
9WsKk9MGQ4OV52gcRiYVyb9+nvGWUgfgV8c268nwWHIdYA85FjBb8xGzK1vHgA3o
E4rRT6e94l+NQChjmm7NwALLcQ+oFtqXsK+CiG9Ek6BMXJ/RitmQUHuhnRDyNL2u
OtbF549NrxwPe3CskJzP+tUizcQbM6HJtaKi+U49f1+EYZObxJ57qom34eFgET8N
GvnY6ikBccGEMjphL7dOzEnKYMRBSTCYAQfjBLFvwth2yLjM5f8AC+z6KhGiKnDY
JI+hHdca4rfrsKXxon+62x8gFmP8waHacR6Sh0OqDiYqNYn+G9q3nuLZMGpRJD2M
WgXyeu43LEXwhbCGzxnQH0mxFWSMB/2trWTTFzr5BrS7TmujVCw=
=EBqr
-----END PGP SIGNATURE-----

BIN
openssl-1.1.1v.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
openssl-1.1.1v.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmTJDewACgkQ2JTizos9
efVPDBAAjgNq842XSAhmH3CBHHFtMuVlg5RV+tAV7PF7tDm/Bu0VPxZecvDhEHyk
y1bIzYki9kPQrnDc5Cz3UYHjnBp2n2GH+JDShedSJMH3qbsAlSB4j5b15UFjE8b4
yDl4rlcug3SydqEdYJAGnOD3QBghsX7GiS6S9BgnU1D1XDZ1LYF6NumrjeypGm2r
vodcjel0tD+Xu2Du398sGmXLZLfK7eBT8dYtzWHAZubf+dNQmfRRDALo2Q5Xux6p
xIDlEQvTUkt5mF+Rx0CI1boIKeaFoZFOReUW0zkKYfwNkfq1WvGj3sGA+StQsgn1
Dvfx6ONoS9UT+6KTegsLOIX2xOAHa8k4UgtW19eCovYzJNkBwNnq83lrvIEMoLY7
brALTqBmlFq4prPgzpDHlTeC78uDcf/Ao95CeBw5yKVsKAN7W7vA2u6Gr2ZgUWsF
zVnrxJ9difkrvkFxm6uO2qu1qA/84Bow77M6/7FSHFZ+oDB3tjGXtq4Tf6iBkhpf
XIRu79S1LxCY7HxKVHHfpKuGSfefV/tgPeOac8CvucIq6r1Be20h0crRnDEGJt8G
Otznvt04iX+FkSVC7PjiAVZqubQQWjXUZxDngQgUOye/suExGwEoaTMmhj95eiVu
ufee+jDrVGOjhLLoEClP/+zpl2Wplq3KzLVsvvJa8v5KTVot9r4=
=mu7b
-----END PGP SIGNATURE-----

View File

@ -24,8 +24,10 @@
tools/c_rehash.in | 6 ++--
23 files changed, 71 insertions(+), 68 deletions(-)
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
Index: openssl-1.1.1v/Configurations/descrip.mms.tmpl
===================================================================
--- openssl-1.1.1v.orig/Configurations/descrip.mms.tmpl
+++ openssl-1.1.1v/Configurations/descrip.mms.tmpl
@@ -142,8 +142,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\
INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -}
INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -}
@ -37,8 +39,10 @@
{- output_on() if $disabled{apps}; "" -}
APPS_OPENSSL={- use File::Spec::Functions;
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
Index: openssl-1.1.1v/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-1.1.1v.orig/Configurations/unix-Makefile.tmpl
+++ openssl-1.1.1v/Configurations/unix-Makefile.tmpl
@@ -140,8 +140,8 @@ INSTALL_SHLIB_INFO={- join(" ", map { "\
INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -}
INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } @{$unified_info{install}->{programs}}) -}
@ -82,8 +86,10 @@
generate_crypto_bn:
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
--- a/Configure
+++ b/Configure
Index: openssl-1.1.1v/Configure
===================================================================
--- openssl-1.1.1v.orig/Configure
+++ openssl-1.1.1v/Configure
@@ -35,7 +35,7 @@ my $usage="Usage: Configure [no-<cipher>
# directories bin, lib, include, share/man, share/doc/openssl
# This becomes the value of INSTALLTOP in Makefile
@ -93,8 +99,10 @@
# If it's a relative directory, it will be added on the directory
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
--- a/INSTALL
+++ b/INSTALL
Index: openssl-1.1.1v/INSTALL
===================================================================
--- openssl-1.1.1v.orig/INSTALL
+++ openssl-1.1.1v/INSTALL
@@ -296,7 +296,7 @@
be undesirable if small executable size is an objective.
@ -104,11 +112,13 @@
Typically OpenSSL will automatically load a system config
file which configures default ssl options.
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Index: openssl-1.1.1v/NEWS
===================================================================
--- openssl-1.1.1v.orig/NEWS
+++ openssl-1.1.1v/NEWS
@@ -10,6 +10,9 @@
o Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
+ IMPORTANT: For compatibility with OpenSSL 3.0, the OpenSSL master
+ configuration file openssl.cnf has been renamed to openssl-1_1.cnf.
@ -116,8 +126,10 @@
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]
o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
--- a/VMS/openssl_utils.com.in
+++ b/VMS/openssl_utils.com.in
Index: openssl-1.1.1v/VMS/openssl_utils.com.in
===================================================================
--- openssl-1.1.1v.orig/VMS/openssl_utils.com.in
+++ openssl-1.1.1v/VMS/openssl_utils.com.in
@@ -8,7 +8,7 @@ $ OPENSSL :== $OSSL$EXE:OPENSSL'v'
$
$ IF F$TYPE(PERL) .EQS. "STRING"
@ -127,8 +139,10 @@
$ ELSE
$ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH"
$ ENDIF
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
Index: openssl-1.1.1v/apps/CA.pl.in
===================================================================
--- openssl-1.1.1v.orig/apps/CA.pl.in
+++ openssl-1.1.1v/apps/CA.pl.in
@@ -113,10 +113,10 @@ sub run
@ -144,8 +158,10 @@
exit 0;
}
if ($WHAT eq '-newcert' ) {
--- a/apps/build.info
+++ b/apps/build.info
Index: openssl-1.1.1v/apps/build.info
===================================================================
--- openssl-1.1.1v.orig/apps/build.info
+++ openssl-1.1.1v/apps/build.info
@@ -73,7 +73,7 @@ IF[{- !$disabled{apps} -}]
GENERATE[progs.h]=progs.pl $(APPS_OPENSSL)
DEPEND[progs.h]=../configdata.pm
@ -157,8 +173,10 @@
+ SOURCE[CA-1_1.pl]=CA.pl.in
+ SOURCE[tsget-1_1.pl]=tsget.in
ENDIF
--- a/apps/tsget.in
+++ b/apps/tsget.in
Index: openssl-1.1.1v/apps/tsget.in
===================================================================
--- openssl-1.1.1v.orig/apps/tsget.in
+++ openssl-1.1.1v/apps/tsget.in
@@ -47,7 +47,7 @@ sub create_curl {
$curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
$curl->setopt(CURLOPT_FAILONERROR, 1);
@ -168,8 +186,10 @@
# Options for POST method.
$curl->setopt(CURLOPT_UPLOAD, 1);
--- a/doc/HOWTO/certificates.txt
+++ b/doc/HOWTO/certificates.txt
Index: openssl-1.1.1v/doc/HOWTO/certificates.txt
===================================================================
--- openssl-1.1.1v.orig/doc/HOWTO/certificates.txt
+++ openssl-1.1.1v/doc/HOWTO/certificates.txt
@@ -16,7 +16,7 @@ Certificate authorities should read http
In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
@ -179,8 +199,10 @@
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.
--- a/doc/man1/CA.pl.pod
+++ b/doc/man1/CA.pl.pod
Index: openssl-1.1.1v/doc/man1/CA.pl.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/CA.pl.pod
+++ openssl-1.1.1v/doc/man1/CA.pl.pod
@@ -2,16 +2,16 @@
=head1 NAME
@ -283,8 +305,10 @@
can be used and the B<OPENSSL_CONF> environment variable changed to point to
the correct path of the configuration file.
--- a/doc/man1/ca.pod
+++ b/doc/man1/ca.pod
Index: openssl-1.1.1v/doc/man1/ca.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/ca.pod
+++ openssl-1.1.1v/doc/man1/ca.pod
@@ -698,7 +698,7 @@ the database has to be kept in memory.
The B<ca> command really needs rewriting or the required functionality
exposed at either a command or interface level so a more friendly utility
@ -303,8 +327,10 @@
L<config(5)>, L<x509v3_config(5)>
=head1 COPYRIGHT
--- a/doc/man1/rehash.pod
+++ b/doc/man1/rehash.pod
Index: openssl-1.1.1v/doc/man1/rehash.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/rehash.pod
+++ openssl-1.1.1v/doc/man1/rehash.pod
@@ -6,7 +6,7 @@ Original text by James Westby, contribut
=head1 NAME
@ -340,8 +366,10 @@
uses the B<openssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
--- a/doc/man1/tsget.pod
+++ b/doc/man1/tsget.pod
Index: openssl-1.1.1v/doc/man1/tsget.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/tsget.pod
+++ openssl-1.1.1v/doc/man1/tsget.pod
@@ -35,7 +35,7 @@ line.
The tool sends the following HTTP request for each timestamp request:
@ -360,8 +388,10 @@
OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of
HTTPS. (Optional)
--- a/doc/man1/verify.pod
+++ b/doc/man1/verify.pod
Index: openssl-1.1.1v/doc/man1/verify.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/verify.pod
+++ openssl-1.1.1v/doc/man1/verify.pod
@@ -75,7 +75,7 @@ The file should contain one or more cert
A directory of trusted certificates. The certificates should have names
of the form: hash.0 or have symbolic links to them of this
@ -371,8 +401,10 @@
create symbolic links to a directory of certificates.
=item B<-no-CAfile>
--- a/doc/man1/x509.pod
+++ b/doc/man1/x509.pod
Index: openssl-1.1.1v/doc/man1/x509.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/x509.pod
+++ openssl-1.1.1v/doc/man1/x509.pod
@@ -932,7 +932,7 @@ The hash algorithm used in the B<-subjec
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
@ -382,8 +414,10 @@
=head1 COPYRIGHT
--- a/doc/man3/OPENSSL_config.pod
+++ b/doc/man3/OPENSSL_config.pod
Index: openssl-1.1.1v/doc/man3/OPENSSL_config.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man3/OPENSSL_config.pod
+++ openssl-1.1.1v/doc/man3/OPENSSL_config.pod
@@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp
=head1 DESCRIPTION
@ -393,8 +427,10 @@
reads from the application section B<appname>. If B<appname> is NULL then
the default section, B<openssl_conf>, will be used.
Errors are silently ignored.
--- a/doc/man3/SSL_CTX_load_verify_locations.pod
+++ b/doc/man3/SSL_CTX_load_verify_locations.pod
Index: openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man3/SSL_CTX_load_verify_locations.pod
+++ openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod
@@ -63,7 +63,7 @@ If more than one CA certificate with the
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
is performed in the ordering of the extension number, regardless of other
@ -413,8 +449,10 @@
=head1 SEE ALSO
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
Index: openssl-1.1.1v/doc/man5/config.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man5/config.pod
+++ openssl-1.1.1v/doc/man5/config.pod
@@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat
=head1 DESCRIPTION
@ -424,8 +462,10 @@
and in a few other places like B<SPKAC> files and certificate extension
files for the B<x509> utility. OpenSSL applications can also use the
CONF library for their own purposes.
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
Index: openssl-1.1.1v/include/internal/cryptlib.h
===================================================================
--- openssl-1.1.1v.orig/include/internal/cryptlib.h
+++ openssl-1.1.1v/include/internal/cryptlib.h
@@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO;
typedef struct mem_st MEM;
DEFINE_LHASH_OF(MEM);
@ -435,8 +475,10 @@
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
Index: openssl-1.1.1v/test/recipes/80-test_ca.t
===================================================================
--- openssl-1.1.1v.orig/test/recipes/80-test_ca.t
+++ openssl-1.1.1v/test/recipes/80-test_ca.t
@@ -27,27 +27,27 @@ plan tests => 5;
SKIP: {
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
@ -470,8 +512,10 @@
'creating new pre-certificate');
}
--- a/tools/build.info
+++ b/tools/build.info
Index: openssl-1.1.1v/tools/build.info
===================================================================
--- openssl-1.1.1v.orig/tools/build.info
+++ openssl-1.1.1v/tools/build.info
@@ -1,5 +1,5 @@
{- our $c_rehash_name =
- $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash";
@ -479,8 +523,10 @@
"" -}
IF[{- !$disabled{apps} -}]
SCRIPTS={- $c_rehash_name -}
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
Index: openssl-1.1.1v/tools/c_rehash.in
===================================================================
--- openssl-1.1.1v.orig/tools/c_rehash.in
+++ openssl-1.1.1v/tools/c_rehash.in
@@ -8,7 +8,7 @@
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

View File

@ -1,3 +1,34 @@
-------------------------------------------------------------------
Tue Aug 1 16:12:36 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.1.1v:
* Fix excessive time spent checking DH q parameter value
(bsc#1213853, CVE-2023-3817). The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it
was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A
correct q value, if present, cannot be larger than the modulus
p parameter, thus it is unnecessary to perform these checks if
q is larger than p. If DH_check() is called with such q parameter
value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
computationally intensive checks are skipped.
* Fix DH_check() excessive time with over sized modulus
(bsc#1213487, CVE-2023-3446). The function DH_check() performs
various checks on DH parameters. One of those checks confirms
that the modulus ("p" parameter) is not too large. Trying to use
a very large modulus is slow and OpenSSL will not normally use
a modulus which is over 10,000 bits in length. However the
DH_check() function checks numerous aspects of the key or
parameters that have been supplied. Some of those checks use the
supplied modulus value even if it has already been found to be
too large. A new limit has been added to DH_check of 32,768 bits.
Supplying a key/parameters with a modulus over this size will
simply cause DH_check() to fail.
* Rebase openssl-1_1-openssl-config.patch
* Remove security patches fixed upstream:
- openssl-CVE-2023-3446.patch
- openssl-CVE-2023-3446-test.patch
-------------------------------------------------------------------
Mon Jul 24 12:40:38 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

View File

@ -41,7 +41,7 @@
%define _rname openssl
Name: openssl-1_1
# Don't forget to update the version in the "openssl" meta-package!
Version: 1.1.1u
Version: 1.1.1v
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
@ -132,11 +132,8 @@ Patch78: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes
Patch79: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
#PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl
Patch80: openssl-1_1-openssl-config.patch
# PATCH-FIX-UPSTREAM: bsc#1213487 CVE-2023-3446 DH_check() excessive time with over sized modulus
Patch81: openssl-CVE-2023-3446.patch
Patch82: openssl-CVE-2023-3446-test.patch
# PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher
Patch83: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
Patch81: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Provides: ssl

View File

@ -1,58 +0,0 @@
From e9ddae17e302a7e6a0daf00f25efed7c70f114d4 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 7 Jul 2023 14:39:48 +0100
Subject: [PATCH] Add a test for CVE-2023-3446
Confirm that the only errors DH_check() finds with DH parameters with an
excessively long modulus is that the modulus is too large. We should not
be performing time consuming checks using that modulus.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21452)
---
test/dhtest.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/test/dhtest.c b/test/dhtest.c
index 9d5609b943ab..00b3c471015d 100644
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -63,7 +63,7 @@ static int dh_test(void)
|| !TEST_true(DH_set0_pqg(dh, p, q, g)))
goto err1;
- if (!DH_check(dh, &i))
+ if (!TEST_true(DH_check(dh, &i)))
goto err2;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
@@ -123,6 +123,17 @@ static int dh_test(void)
/* check whether the public key was calculated correctly */
TEST_uint_eq(BN_get_word(pub_key2), 3331L);
+ /* Modulus of size: dh check max modulus bits + 1 */
+ if (!TEST_true(BN_set_word(p, 1))
+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+ goto err3;
+
+ /*
+ * We expect no checks at all for an excessively large modulus
+ */
+ if (!TEST_false(DH_check(dh, &i)))
+ goto err3;
+
/*
* II) key generation
*/
@@ -137,7 +148,7 @@ static int dh_test(void)
goto err3;
/* ... and check whether it is valid */
- if (!DH_check(a, &i))
+ if (!TEST_true(DH_check(a, &i)))
goto err3;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)

View File

@ -1,105 +0,0 @@
From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 6 Jul 2023 16:36:35 +0100
Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.
There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.
An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.
The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().
CVE-2023-3446
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21452)
---
crypto/dh/dh_check.c | 6 ++++++
crypto/dh/dh_err.c | 3 ++-
crypto/err/openssl.txt | 3 ++-
include/openssl/dh.h | 3 +++
include/openssl/dherr.h | 3 ++-
5 files changed, 15 insertions(+), 3 deletions(-)
Index: openssl-1.1.1u/crypto/dh/dh_check.c
===================================================================
--- openssl-1.1.1u.orig/crypto/dh/dh_check.c
+++ openssl-1.1.1u/crypto/dh/dh_check.c
@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
if (!DH_check_params(dh, ret))
return 0;
Index: openssl-1.1.1u/crypto/dh/dh_err.c
===================================================================
--- openssl-1.1.1u.orig/crypto/dh/dh_err.c
+++ openssl-1.1.1u/crypto/dh/dh_err.c
@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_func
{ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
"dh_builtin_genparams"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
Index: openssl-1.1.1u/crypto/err/openssl.txt
===================================================================
--- openssl-1.1.1u.orig/crypto/err/openssl.txt
+++ openssl-1.1.1u/crypto/err/openssl.txt
@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
DH_F_COMPUTE_KEY:102:compute_key
DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
+DH_F_DH_CHECK:126:DH_check
DH_F_DH_CHECK_EX:121:DH_check_ex
DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
Index: openssl-1.1.1u/include/openssl/dh.h
===================================================================
--- openssl-1.1.1u.orig/include/openssl/dh.h
+++ openssl-1.1.1u/include/openssl/dh.h
@@ -29,6 +29,9 @@ extern "C" {
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
# endif
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
+# endif
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
Index: openssl-1.1.1u/include/openssl/dherr.h
===================================================================
--- openssl-1.1.1u.orig/include/openssl/dherr.h
+++ openssl-1.1.1u/include/openssl/dherr.h
@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
# define DH_F_COMPUTE_KEY 102
# define DH_F_DHPARAMS_PRINT_FP 101
# define DH_F_DH_BUILTIN_GENPARAMS 106
+# define DH_F_DH_CHECK 126
# define DH_F_DH_CHECK_EX 121
# define DH_F_DH_CHECK_PARAMS_EX 122
# define DH_F_DH_CHECK_PUB_KEY_EX 123