Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssl-3 for openSUSE:Factory
checked in at 2023-07-24 18:11:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old)
and /work/SRC/openSUSE:Factory/.openssl-3.new.1467 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-3"
Mon Jul 24 18:11:36 2023 rev:13 rq:1099669 version:3.1.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2023-06-29
17:28:10.518205519 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.1467/openssl-3.changes
2023-07-24 18:11:36.825086846 +0200
@@ -1,0 +2,26 @@
+Thu Jul 20 07:48:20 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- Security fix: [bsc#1213487, CVE-2023-3446]
+ * Fix DH_check() excessive time with over sized modulus.
+ * The function DH_check() performs various checks on DH parameters.
+ One of those checks confirms that the modulus ("p" parameter) is
+ not too large. Trying to use a very large modulus is slow and
+ OpenSSL will not normally use a modulus which is over 10,000 bits
+ in length.
+ However the DH_check() function checks numerous aspects of the
+ key or parameters that have been supplied. Some of those checks
+ use the supplied modulus value even if it has already been found
+ to be too large.
+ A new limit has been added to DH_check of 32,768 bits. Supplying
+ a key/parameters with a modulus over this size will simply cause
+ DH_check() to fail.
+ * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
+
+-------------------------------------------------------------------
+Tue Jul 18 07:32:49 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- Security fix: [bsc#1213383, CVE-2023-2975]
+ * AES-SIV implementation ignores empty associated data entries
+ * Add openssl-CVE-2023-2975.patch
+
+-------------------------------------------------------------------
New:
----
openssl-CVE-2023-2975.patch
openssl-CVE-2023-3446-test.patch
openssl-CVE-2023-3446.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl-3.spec ++++++
--- /var/tmp/diff_new_pack.rQhYeR/_old 2023-07-24 18:11:38.105094378 +0200
+++ /var/tmp/diff_new_pack.rQhYeR/_new 2023-07-24 18:11:38.109094402 +0200
@@ -50,7 +50,11 @@
Patch9: openssl-z16-s390x.patch
# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
Patch10: openssl-Add_support_for_Windows_CA_certificate_store.patch
-
+# PATCH-FIX-UPSTREAM: bsc#1213383 CVE-2023-2975 AES-SIV ignores empty data
entries
+Patch11: openssl-CVE-2023-2975.patch
+# PATCH-FIX-UPSTREAM: bsc#1213487 CVE-2023-3446 DH_check() excessive time with
over sized modulus
+Patch12: openssl-CVE-2023-3446.patch
+Patch13: openssl-CVE-2023-3446-test.patch
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Requires: libopenssl3 = %{version}-%{release}
++++++ openssl-CVE-2023-2975.patch ++++++
>From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001
From: Tomas Mraz <to...@openssl.org>
Date: Tue, 4 Jul 2023 17:30:35 +0200
Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
The AES-SIV mode allows for multiple associated data items
authenticated separately with any of these being 0 length.
The provided implementation ignores such empty associated data
which is incorrect in regards to the RFC 5297 and is also
a security issue because such empty associated data then become
unauthenticated if an application expects to authenticate them.
Fixes CVE-2023-2975
Reviewed-by: Matt Caswell <m...@openssl.org>
Reviewed-by: Paul Dale <pa...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21384)
(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
---
.../implementations/ciphers/cipher_aes_siv.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/providers/implementations/ciphers/cipher_aes_siv.c
b/providers/implementations/ciphers/cipher_aes_siv.c
index 45010b90db..b396c8651a 100644
--- a/providers/implementations/ciphers/cipher_aes_siv.c
+++ b/providers/implementations/ciphers/cipher_aes_siv.c
@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out,
size_t *outl,
if (!ossl_prov_is_running())
return 0;
- if (inl == 0) {
- *outl = 0;
- return 1;
- }
+ /* Ignore just empty encryption/decryption call and not AAD. */
+ if (out != NULL) {
+ if (inl == 0) {
+ if (outl != NULL)
+ *outl = 0;
+ return 1;
+ }
- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
}
if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
--
2.34.1
++++++ openssl-CVE-2023-3446-test.patch ++++++
>From 4791e79b8803924b28c19af4d4036ad85335110d Mon Sep 17 00:00:00 2001
From: Matt Caswell <m...@openssl.org>
Date: Fri, 7 Jul 2023 14:39:48 +0100
Subject: [PATCH] Add a test for CVE-2023-3446
Confirm that the only errors DH_check() finds with DH parameters with an
excessively long modulus is that the modulus is too large. We should not
be performing time consuming checks using that modulus.
Reviewed-by: Paul Dale <pa...@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgr...@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)
(cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)
---
test/dhtest.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/test/dhtest.c b/test/dhtest.c
index 7b587f3cfa8f..f8dd8f3aa722 100644
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -73,7 +73,7 @@ static int dh_test(void)
goto err1;
/* check fails, because p is way too small */
- if (!DH_check(dh, &i))
+ if (!TEST_true(DH_check(dh, &i)))
goto err2;
i ^= DH_MODULUS_TOO_SMALL;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
@@ -124,6 +124,17 @@ static int dh_test(void)
/* We'll have a stale error on the queue from the above test so clear it */
ERR_clear_error();
+ /* Modulus of size: dh check max modulus bits + 1 */
+ if (!TEST_true(BN_set_word(p, 1))
+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+ goto err3;
+
+ /*
+ * We expect no checks at all for an excessively large modulus
+ */
+ if (!TEST_false(DH_check(dh, &i)))
+ goto err3;
+
/*
* II) key generation
*/
@@ -138,7 +149,7 @@ static int dh_test(void)
goto err3;
/* ... and check whether it is valid */
- if (!DH_check(a, &i))
+ if (!TEST_true(DH_check(a, &i)))
goto err3;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
++++++ openssl-CVE-2023-3446.patch ++++++
>From fc9867c1e03c22ebf56943be205202e576aabf23 Mon Sep 17 00:00:00 2001
From: Matt Caswell <m...@openssl.org>
Date: Thu, 6 Jul 2023 16:36:35 +0100
Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.
There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.
An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.
The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().
CVE-2023-3446
Reviewed-by: Paul Dale <pa...@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgr...@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)
(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
---
crypto/dh/dh_check.c | 6 ++++++
include/openssl/dh.h | 6 +++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 0b391910d6b3..84a926998e9b 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
if (nid != NID_undef)
return 1;
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
if (!DH_check_params(dh, ret))
return 0;
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index ec5a493da129..499f9f7109dd 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -92,7 +92,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned
char **ukm);
# include <openssl/dherr.h>
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
-# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# endif
+
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
# endif
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
