Re: [OE-core] [kirkstone][PATCHv2] openssl: fix CVE-2023-6237 Excessive time spent checking invalid RSA public keys
On 2024-01-17 11:09 a.m., Steve Sakoman via lists.openembedded.org wrote:
On Wed, Jan 17, 2024 at 1:47 AM Hitendra Prajapati via
lists.openembedded.org
wrote:
Upstream-Status: Backport
fromhttps://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db
Signed-off-by: Hitendra Prajapati
---
.../openssl/openssl/CVE-2023-6237.patch | 127 ++
.../openssl/openssl_3.0.12.bb | 3 +-
2 files changed, 129 insertions(+), 1 deletion(-)
create mode 100644
meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
new file mode 100644
index 00..621dc6b0ab
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
@@ -0,0 +1,127 @@
+rom e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Fri, 22 Dec 2023 16:25:56 +0100
+Subject: [PATCH] Limit the execution time of RSA public key check
+
+Fixes CVE-2023-6237
+
+If a large and incorrect RSA public key is checked with
+EVP_PKEY_public_check() the computation could take very long time
+due to no limit being applied to the RSA public key size and
+unnecessarily high number of Miller-Rabin algorithm rounds
+used for non-primality check of the modulus.
+
+Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
+will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
+Also the number of Miller-Rabin rounds was set to 5.
+
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+(Merged fromhttps://github.com/openssl/openssl/pull/23243)
+
+Upstream-Status: Backport
[https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db]
+CVE: CVE-2023-6237
+Signed-off-by: Hitendra Prajapati
+---
+ crypto/rsa/rsa_sp800_56b_check.c | 8 +++-
+ test/recipes/91-test_pkey_check.t | 2 +-
+ .../91-test_pkey_check_data/rsapub_17k.pem| 48 +++
+ 3 files changed, 56 insertions(+), 2 deletions(-)
+ create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
+
+diff --git a/crypto/rsa/rsa_sp800_56b_check.c
b/crypto/rsa/rsa_sp800_56b_check.c
+index fc8f19b..bcbdd24 100644
+--- a/crypto/rsa/rsa_sp800_56b_check.c
b/crypto/rsa/rsa_sp800_56b_check.c
+@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
+ return 0;
+
+ nbits = BN_num_bits(rsa->n);
++if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
++ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
++return 0;
++}
++
+ #ifdef FIPS_MODULE
+ /*
+ * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
+@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
+ goto err;
+ }
+
+-ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, );
++/* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
++ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, );
+ #ifdef FIPS_MODULE
+ if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
+ #else
+diff --git a/test/recipes/91-test_pkey_check.t
b/test/recipes/91-test_pkey_check.t
+index dc7cc64..f8088df 100644
+--- a/test/recipes/91-test_pkey_check.t
b/test/recipes/91-test_pkey_check.t
+@@ -70,7 +70,7 @@ push(@positive_tests, (
+ "dhpkey.pem"
+ )) unless disabled("dh");
+
+-my @negative_pubtests = ();
++my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
+
+ push(@negative_pubtests, (
+ "dsapub_noparam.der"
+diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
+new file mode 100644
+index 000..9a2eaed
+--- /dev/null
b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
+@@ -0,0 +1,48 @@
++-BEGIN PUBLIC KEY-
++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
Re: [OE-core] [kirkstone][PATCHv2] openssl: fix CVE-2023-6237 Excessive time spent checking invalid RSA public keys
On Wed, Jan 17, 2024 at 1:47 AM Hitendra Prajapati via
lists.openembedded.org
wrote:
>
> Upstream-Status: Backport from
> https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db
>
> Signed-off-by: Hitendra Prajapati
> ---
> .../openssl/openssl/CVE-2023-6237.patch | 127 ++
> .../openssl/openssl_3.0.12.bb | 3 +-
> 2 files changed, 129 insertions(+), 1 deletion(-)
> create mode 100644
> meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
> b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
> new file mode 100644
> index 00..621dc6b0ab
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
> @@ -0,0 +1,127 @@
> +rom e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Mon Sep 17 00:00:00 2001
> +From: Tomas Mraz
> +Date: Fri, 22 Dec 2023 16:25:56 +0100
> +Subject: [PATCH] Limit the execution time of RSA public key check
> +
> +Fixes CVE-2023-6237
> +
> +If a large and incorrect RSA public key is checked with
> +EVP_PKEY_public_check() the computation could take very long time
> +due to no limit being applied to the RSA public key size and
> +unnecessarily high number of Miller-Rabin algorithm rounds
> +used for non-primality check of the modulus.
> +
> +Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
> +will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
> +Also the number of Miller-Rabin rounds was set to 5.
> +
> +Reviewed-by: Neil Horman
> +Reviewed-by: Matt Caswell
> +(Merged from https://github.com/openssl/openssl/pull/23243)
> +
> +Upstream-Status: Backport
> [https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db]
> +CVE: CVE-2023-6237
> +Signed-off-by: Hitendra Prajapati
> +---
> + crypto/rsa/rsa_sp800_56b_check.c | 8 +++-
> + test/recipes/91-test_pkey_check.t | 2 +-
> + .../91-test_pkey_check_data/rsapub_17k.pem| 48 +++
> + 3 files changed, 56 insertions(+), 2 deletions(-)
> + create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
> +
> +diff --git a/crypto/rsa/rsa_sp800_56b_check.c
> b/crypto/rsa/rsa_sp800_56b_check.c
> +index fc8f19b..bcbdd24 100644
> +--- a/crypto/rsa/rsa_sp800_56b_check.c
> b/crypto/rsa/rsa_sp800_56b_check.c
> +@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
> + return 0;
> +
> + nbits = BN_num_bits(rsa->n);
> ++if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
> ++ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
> ++return 0;
> ++}
> ++
> + #ifdef FIPS_MODULE
> + /*
> + * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
> +@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
> + goto err;
> + }
> +
> +-ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, );
> ++/* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
> ++ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, );
> + #ifdef FIPS_MODULE
> + if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
> + #else
> +diff --git a/test/recipes/91-test_pkey_check.t
> b/test/recipes/91-test_pkey_check.t
> +index dc7cc64..f8088df 100644
> +--- a/test/recipes/91-test_pkey_check.t
> b/test/recipes/91-test_pkey_check.t
> +@@ -70,7 +70,7 @@ push(@positive_tests, (
> + "dhpkey.pem"
> + )) unless disabled("dh");
> +
> +-my @negative_pubtests = ();
> ++my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
> +
> + push(@negative_pubtests, (
> + "dsapub_noparam.der"
> +diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
> b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
> +new file mode 100644
> +index 000..9a2eaed
> +--- /dev/null
> b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
> +@@ -0,0 +1,48 @@
> ++-BEGIN PUBLIC KEY-
> ++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
> ++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
> ++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
> ++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
> ++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
> ++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
> ++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
> ++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
> ++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
> ++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
> ++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
> ++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
> ++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
>
[OE-core] [kirkstone][PATCHv2] openssl: fix CVE-2023-6237 Excessive time spent checking invalid RSA public keys
Upstream-Status: Backport from
https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db
Signed-off-by: Hitendra Prajapati
---
.../openssl/openssl/CVE-2023-6237.patch | 127 ++
.../openssl/openssl_3.0.12.bb | 3 +-
2 files changed, 129 insertions(+), 1 deletion(-)
create mode 100644
meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
new file mode 100644
index 00..621dc6b0ab
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
@@ -0,0 +1,127 @@
+rom e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Fri, 22 Dec 2023 16:25:56 +0100
+Subject: [PATCH] Limit the execution time of RSA public key check
+
+Fixes CVE-2023-6237
+
+If a large and incorrect RSA public key is checked with
+EVP_PKEY_public_check() the computation could take very long time
+due to no limit being applied to the RSA public key size and
+unnecessarily high number of Miller-Rabin algorithm rounds
+used for non-primality check of the modulus.
+
+Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
+will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
+Also the number of Miller-Rabin rounds was set to 5.
+
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/23243)
+
+Upstream-Status: Backport
[https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db]
+CVE: CVE-2023-6237
+Signed-off-by: Hitendra Prajapati
+---
+ crypto/rsa/rsa_sp800_56b_check.c | 8 +++-
+ test/recipes/91-test_pkey_check.t | 2 +-
+ .../91-test_pkey_check_data/rsapub_17k.pem| 48 +++
+ 3 files changed, 56 insertions(+), 2 deletions(-)
+ create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
+
+diff --git a/crypto/rsa/rsa_sp800_56b_check.c
b/crypto/rsa/rsa_sp800_56b_check.c
+index fc8f19b..bcbdd24 100644
+--- a/crypto/rsa/rsa_sp800_56b_check.c
b/crypto/rsa/rsa_sp800_56b_check.c
+@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
+ return 0;
+
+ nbits = BN_num_bits(rsa->n);
++if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
++ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
++return 0;
++}
++
+ #ifdef FIPS_MODULE
+ /*
+ * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
+@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
+ goto err;
+ }
+
+-ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, );
++/* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
++ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, );
+ #ifdef FIPS_MODULE
+ if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
+ #else
+diff --git a/test/recipes/91-test_pkey_check.t
b/test/recipes/91-test_pkey_check.t
+index dc7cc64..f8088df 100644
+--- a/test/recipes/91-test_pkey_check.t
b/test/recipes/91-test_pkey_check.t
+@@ -70,7 +70,7 @@ push(@positive_tests, (
+ "dhpkey.pem"
+ )) unless disabled("dh");
+
+-my @negative_pubtests = ();
++my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
+
+ push(@negative_pubtests, (
+ "dsapub_noparam.der"
+diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
+new file mode 100644
+index 000..9a2eaed
+--- /dev/null
b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
+@@ -0,0 +1,48 @@
++-BEGIN PUBLIC KEY-
++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
++F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
++aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
