forked from pool/openssl-1_1
6a02bab132
- Security fix: [bsc#1216922, CVE-2023-5678]
* Fix excessive time spent in DH check / generation with large Q
parameter value.
* Applications that use the functions DH_generate_key() to generate
an X9.42 DH key may experience long delays. Likewise,
applications that use DH_check_pub_key(), DH_check_pub_key_ex
() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an
untrusted source this may lead to a Denial of Service.
* Add openssl-CVE-2023-5678.patch
- Remove trailing spaces from changelog
- Remove a hack for bsc#936563
bsc936563_hack.patch (bsc#936563)
- Build with no-ssl3, for details on why this is needed read
require us to patch dependant packages as the relevant
functions are still available (SSLv3_(client|server)_method)
- openssl.keyring: use Matt Caswells current key.
- openSSL 1.0.1j
- openssl.keyring: the 1.0.1i release was done by
- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should
- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
it is already in RPM_OPT_FLAGS and is replaced by
- Remove the "gmp" and "capi" shared engines, nobody noticed
but they are just dummies that do nothing.
- Use enable-rfc3779 to allow projects such as rpki.net
- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix
- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does
- openssl-gcc-attributes.patch
OBS-URL: https://build.opensuse.org/request/show/1126087
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=150
175 lines
7.4 KiB
Diff
175 lines
7.4 KiB
Diff
From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
|
|
From: Richard Levitte <levitte@openssl.org>
|
|
Date: Fri, 20 Oct 2023 09:18:19 +0200
|
|
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
|
|
|
|
We already check for an excessively large P in DH_generate_key(), but not in
|
|
DH_check_pub_key(), and none of them check for an excessively large Q.
|
|
|
|
This change adds all the missing excessive size checks of P and Q.
|
|
|
|
It's to be noted that behaviours surrounding excessively sized P and Q
|
|
differ. DH_check() raises an error on the excessively sized P, but only
|
|
sets a flag for the excessively sized Q. This behaviour is mimicked in
|
|
DH_check_pub_key().
|
|
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
(Merged from https://github.com/openssl/openssl/pull/22518)
|
|
|
|
(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
|
|
---
|
|
crypto/dh/dh_check.c | 12 ++++++++++++
|
|
crypto/dh/dh_err.c | 3 ++-
|
|
crypto/dh/dh_key.c | 12 ++++++++++++
|
|
crypto/err/openssl.txt | 1 +
|
|
include/crypto/dherr.h | 2 +-
|
|
include/openssl/dh.h | 6 +++---
|
|
include/openssl/dherr.h | 3 ++-
|
|
7 files changed, 33 insertions(+), 6 deletions(-)
|
|
|
|
Index: openssl-1.1.1w/crypto/dh/dh_err.c
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/crypto/dh/dh_err.c
|
|
+++ openssl-1.1.1w/crypto/dh/dh_err.c
|
|
@@ -21,6 +21,7 @@ static const ERR_STRING_DATA DH_str_func
|
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
|
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
|
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
|
|
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY, 0), "DH_check_pub_key"},
|
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
|
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_DECRYPT, 0), "dh_cms_decrypt"},
|
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
|
|
@@ -87,6 +88,7 @@ static const ERR_STRING_DATA DH_str_reas
|
|
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
|
|
"parameter encoding error"},
|
|
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
|
|
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
|
|
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
|
|
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
|
|
"unable to check generator"},
|
|
Index: openssl-1.1.1w/crypto/err/openssl.txt
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/crypto/err/openssl.txt
|
|
+++ openssl-1.1.1w/crypto/err/openssl.txt
|
|
@@ -404,6 +404,7 @@ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin
|
|
DH_F_DH_CHECK:126:DH_check
|
|
DH_F_DH_CHECK_EX:121:DH_check_ex
|
|
DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
|
|
+DH_F_DH_CHECK_PUB_KEY:128:DH_check_pub_key
|
|
DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
|
|
DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt
|
|
DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey
|
|
@@ -2226,6 +2227,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters
|
|
DH_R_NO_PRIVATE_VALUE:100:no private value
|
|
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
|
|
DH_R_PEER_KEY_ERROR:111:peer key error
|
|
+DH_R_Q_TOO_LARGE:130:q too large
|
|
DH_R_SHARED_INFO_ERROR:113:shared info error
|
|
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
|
|
DSA_R_BAD_Q_VALUE:102:bad q value
|
|
Index: openssl-1.1.1w/include/openssl/dherr.h
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/include/openssl/dherr.h
|
|
+++ openssl-1.1.1w/include/openssl/dherr.h
|
|
@@ -31,6 +31,7 @@ int ERR_load_DH_strings(void);
|
|
# define DH_F_DH_CHECK 126
|
|
# define DH_F_DH_CHECK_EX 121
|
|
# define DH_F_DH_CHECK_PARAMS_EX 122
|
|
+# define DH_F_DH_CHECK_PUB_KEY 128
|
|
# define DH_F_DH_CHECK_PUB_KEY_EX 123
|
|
# define DH_F_DH_CMS_DECRYPT 114
|
|
# define DH_F_DH_CMS_SET_PEERKEY 115
|
|
@@ -84,6 +85,7 @@ int ERR_load_DH_strings(void);
|
|
# define DH_R_NO_PRIVATE_VALUE 100
|
|
# define DH_R_PARAMETER_ENCODING_ERROR 105
|
|
# define DH_R_PEER_KEY_ERROR 111
|
|
+# define DH_R_Q_TOO_LARGE 130
|
|
# define DH_R_SHARED_INFO_ERROR 113
|
|
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
|
|
|
|
Index: openssl-1.1.1w/crypto/dh/dh_check.c
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/crypto/dh/dh_check.c
|
|
+++ openssl-1.1.1w/crypto/dh/dh_check.c
|
|
@@ -260,6 +260,18 @@ static int dh_check_pub_key_int(const DH
|
|
*/
|
|
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
|
|
{
|
|
+ /* Don't do any checks at all with an excessively large modulus */
|
|
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
|
+ DHerr(DH_F_DH_CHECK_PUB_KEY, DH_R_MODULUS_TOO_LARGE);
|
|
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
|
|
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
return dh_check_pub_key_int(dh, dh->q, pub_key, ret);
|
|
}
|
|
|
|
Index: openssl-1.1.1w/crypto/dh/dh_key.c
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/crypto/dh/dh_key.c
|
|
+++ openssl-1.1.1w/crypto/dh/dh_key.c
|
|
@@ -51,6 +51,12 @@ int DH_compute_key(unsigned char *key, c
|
|
int ret = 0, i;
|
|
volatile size_t npad = 0, mask = 1;
|
|
|
|
+ if (dh->q != NULL
|
|
+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
|
+ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
/* compute the key; ret is constant unless compute_key is external */
|
|
if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0)
|
|
return ret;
|
|
@@ -147,6 +153,12 @@ static int generate_key(DH *dh)
|
|
return 0;
|
|
}
|
|
|
|
+ if (dh->q != NULL
|
|
+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
|
+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
ctx = BN_CTX_new();
|
|
if (ctx == NULL)
|
|
goto err;
|
|
Index: openssl-1.1.1w/doc/man3/DH_generate_parameters.pod
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/doc/man3/DH_generate_parameters.pod
|
|
+++ openssl-1.1.1w/doc/man3/DH_generate_parameters.pod
|
|
@@ -73,6 +73,10 @@ The generator B<g> is not suitable.
|
|
Note that the lack of this bit doesn't guarantee that B<g> is
|
|
suitable, unless B<p> is known to be a strong prime.
|
|
|
|
+=item DH_MODULUS_TOO_LARGE
|
|
+
|
|
+The modulus is too large.
|
|
+
|
|
=back
|
|
|
|
DH_check() confirms that the Diffie-Hellman parameters B<dh> are valid. The
|
|
Index: openssl-1.1.1w/include/openssl/dh.h
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/include/openssl/dh.h
|
|
+++ openssl-1.1.1w/include/openssl/dh.h
|
|
@@ -78,8 +78,9 @@ DECLARE_ASN1_ITEM(DHparams)
|
|
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
|
|
# define DH_NOT_SUITABLE_GENERATOR 0x08
|
|
# define DH_CHECK_Q_NOT_PRIME 0x10
|
|
-# define DH_CHECK_INVALID_Q_VALUE 0x20
|
|
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
|
|
# define DH_CHECK_INVALID_J_VALUE 0x40
|
|
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
|
|
|
|
/* DH_check_pub_key error codes */
|
|
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
|