Re: [OE-core] [kirkstone][PATCHv2] openssl: fix CVE-2023-6237 Excessive time spent checking invalid RSA public keys
On 2024-01-17 11:09 a.m., Steve Sakoman via lists.openembedded.org wrote: On Wed, Jan 17, 2024 at 1:47 AM Hitendra Prajapati via lists.openembedded.org wrote: Upstream-Status: Backport from https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Signed-off-by: Hitendra Prajapati --- .../openssl/openssl/CVE-2023-6237.patch | 127 ++ .../openssl/openssl_3.0.12.bb | 3 +- 2 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch new file mode 100644 index 00..621dc6b0ab --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch 
@@ -0,0 +1,127 @@ +rom e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 22 Dec 2023 16:25:56 +0100 +Subject: [PATCH] Limit the execution time of RSA public key check + +Fixes CVE-2023-6237 + +If a large and incorrect RSA public key is checked with +EVP_PKEY_public_check() the computation could take very long time +due to no limit being applied to the RSA public key size and +unnecessarily high number of Miller-Rabin algorithm rounds +used for non-primality check of the modulus. + +Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) +will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. +Also the number of Miller-Rabin rounds was set to 5. + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(Merged fromhttps://github.com/openssl/openssl/pull/23243) + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db] +CVE: CVE-2023-6237 +Signed-off-by: Hitendra Prajapati +--- + crypto/rsa/rsa_sp800_56b_check.c | 8 +++- + test/recipes/91-test_pkey_check.t | 2 +- + .../91-test_pkey_check_data/rsapub_17k.pem| 48 +++ + 3 files changed, 56 insertions(+), 2 deletions(-) + create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem + +diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c +index fc8f19b..bcbdd24 100644 +--- a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c +@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + return 0; + + nbits = BN_num_bits(rsa->n); ++if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { ++ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); ++return 0; ++} ++ + #ifdef FIPS_MODULE + /* + * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) +@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + goto err; + } + +-ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, ); ++/* Highest number of MR rounds from FIPS 186-5 
Section B.3 Table B.1 */ ++ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, ); + #ifdef FIPS_MODULE + if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { + #else +diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t +index dc7cc64..f8088df 100644 +--- a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t +@@ -70,7 +70,7 @@ push(@positive_tests, ( + "dhpkey.pem" + )) unless disabled("dh"); + +-my @negative_pubtests = (); ++my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key + + push(@negative_pubtests, ( + "dsapub_noparam.der" +diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +new file mode 100644 +index 000..9a2eaed +--- /dev/null b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +@@ -0,0 +1,48 @@ ++-BEGIN PUBLIC KEY- ++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR ++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph ++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 ++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ ++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj ++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 ++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq ++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 ++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 ++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j ++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH ++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa ++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y ++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu ++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J ++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
Re: [OE-core] [kirkstone][PATCHv2] openssl: fix CVE-2023-6237 Excessive time spent checking invalid RSA public keys
On Wed, Jan 17, 2024 at 1:47 AM Hitendra Prajapati via lists.openembedded.org wrote: > > Upstream-Status: Backport from > https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db > > Signed-off-by: Hitendra Prajapati > --- > .../openssl/openssl/CVE-2023-6237.patch | 127 ++ > .../openssl/openssl_3.0.12.bb | 3 +- > 2 files changed, 129 insertions(+), 1 deletion(-) > create mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch > > diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch > b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch > new file mode 100644 > index 00..621dc6b0ab > --- /dev/null > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch 
> @@ -0,0 +1,127 @@ > +rom e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Mon Sep 17 00:00:00 2001 > +From: Tomas Mraz > +Date: Fri, 22 Dec 2023 16:25:56 +0100 > +Subject: [PATCH] Limit the execution time of RSA public key check > + > +Fixes CVE-2023-6237 > + > +If a large and incorrect RSA public key is checked with > +EVP_PKEY_public_check() the computation could take very long time > +due to no limit being applied to the RSA public key size and > +unnecessarily high number of Miller-Rabin algorithm rounds > +used for non-primality check of the modulus. > + > +Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) > +will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. > +Also the number of Miller-Rabin rounds was set to 5. > + > +Reviewed-by: Neil Horman > +Reviewed-by: Matt Caswell > +(Merged from https://github.com/openssl/openssl/pull/23243) > + > +Upstream-Status: Backport > [https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db] > +CVE: CVE-2023-6237 > +Signed-off-by: Hitendra Prajapati > +--- > + crypto/rsa/rsa_sp800_56b_check.c | 8 +++- > + test/recipes/91-test_pkey_check.t | 2 +- > + .../91-test_pkey_check_data/rsapub_17k.pem| 48 +++ > + 3 files changed, 56 insertions(+), 2 deletions(-) > + create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem > + > +diff --git a/crypto/rsa/rsa_sp800_56b_check.c > b/crypto/rsa/rsa_sp800_56b_check.c > +index fc8f19b..bcbdd24 100644 > +--- a/crypto/rsa/rsa_sp800_56b_check.c > b/crypto/rsa/rsa_sp800_56b_check.c > +@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) > + return 0; > + > + nbits = BN_num_bits(rsa->n); > ++if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { > ++ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); > ++return 0; > ++} > ++ > + #ifdef FIPS_MODULE > + /* > + * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) > +@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) > + goto err; > + } > + > +-ret 
= ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, ); > ++/* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ > ++ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, ); > + #ifdef FIPS_MODULE > + if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { > + #else > +diff --git a/test/recipes/91-test_pkey_check.t > b/test/recipes/91-test_pkey_check.t > +index dc7cc64..f8088df 100644 > +--- a/test/recipes/91-test_pkey_check.t > b/test/recipes/91-test_pkey_check.t > +@@ -70,7 +70,7 @@ push(@positive_tests, ( > + "dhpkey.pem" > + )) unless disabled("dh"); > + > +-my @negative_pubtests = (); > ++my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key > + > + push(@negative_pubtests, ( > + "dsapub_noparam.der" > +diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem > b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem > +new file mode 100644 > +index 000..9a2eaed > +--- /dev/null > b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem > +@@ -0,0 +1,48 @@ > ++-BEGIN PUBLIC KEY- > ++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR > ++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph > ++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 > ++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ > ++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj > ++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 > ++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq > ++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 > ++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 > ++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j > ++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH > ++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa > ++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y >
[OE-core] [kirkstone][PATCHv2] openssl: fix CVE-2023-6237 Excessive time spent checking invalid RSA public keys
Upstream-Status: Backport from https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Signed-off-by: Hitendra Prajapati --- .../openssl/openssl/CVE-2023-6237.patch | 127 ++ .../openssl/openssl_3.0.12.bb | 3 +- 2 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch new file mode 100644 index 00..621dc6b0ab --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch 
@@ -0,0 +1,127 @@ +rom e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 22 Dec 2023 16:25:56 +0100 +Subject: [PATCH] Limit the execution time of RSA public key check + +Fixes CVE-2023-6237 + +If a large and incorrect RSA public key is checked with +EVP_PKEY_public_check() the computation could take very long time +due to no limit being applied to the RSA public key size and +unnecessarily high number of Miller-Rabin algorithm rounds +used for non-primality check of the modulus. + +Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) +will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. +Also the number of Miller-Rabin rounds was set to 5. + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/23243) + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db] +CVE: CVE-2023-6237 +Signed-off-by: Hitendra Prajapati +--- + crypto/rsa/rsa_sp800_56b_check.c | 8 +++- + test/recipes/91-test_pkey_check.t | 2 +- + .../91-test_pkey_check_data/rsapub_17k.pem| 48 +++ + 3 files changed, 56 insertions(+), 2 deletions(-) + create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem + +diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c +index fc8f19b..bcbdd24 100644 +--- a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c +@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + return 0; + + nbits = BN_num_bits(rsa->n); ++if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { ++ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); ++return 0; ++} ++ + #ifdef FIPS_MODULE + /* + * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) +@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + goto err; + } + +-ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, ); ++/* Highest number of MR rounds from FIPS 186-5 
Section B.3 Table B.1 */ ++ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, ); + #ifdef FIPS_MODULE + if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { + #else +diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t +index dc7cc64..f8088df 100644 +--- a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t +@@ -70,7 +70,7 @@ push(@positive_tests, ( + "dhpkey.pem" + )) unless disabled("dh"); + +-my @negative_pubtests = (); ++my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key + + push(@negative_pubtests, ( + "dsapub_noparam.der" +diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +new file mode 100644 +index 000..9a2eaed +--- /dev/null b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +@@ -0,0 +1,48 @@ ++-BEGIN PUBLIC KEY- ++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR ++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph ++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 ++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ ++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj ++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 ++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq ++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 ++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 ++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j ++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH ++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa ++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y ++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu ++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J ++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo 
++F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id ++aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
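Review bot: the first line of the new CVE-2023-6237.patch file reads "rom e09fc1d746a4..." where a git format-patch header would read "From e09fc1d746a4..."; if the file in the tree really lacks the "F", restore it so the header matches the upstream commit. Separately, the commit message for the recipe change consists only of an Upstream-Status line, which the patch file already carries in bracketed form, so a short description of what the backport changes (moduli above 16384 bits rejected, Miller-Rabin rounds set to 5) would be more useful in its place.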
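Review bot: the new "nbits > OPENSSL_RSA_MAX_MODULUS_BITS" check in the "@@ -289,6 +289,11 @@" hunk of rsa_sp800_56b_check.c sits above the "#ifdef FIPS_MODULE" block, so it applies to FIPS and non-FIPS builds alike, and that is a behaviour change the stable-branch commit message should state. After this backport any RSA public key above 16384 bits fails EVP_PKEY_public_check() with RSA_R_MODULUS_TOO_LARGE instead of being checked, so kirkstone users who validate oversized keys will see a new error rather than a slow check.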
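Review bot: in the "@@ -324,7 +329,8 @@" hunk both the removed and the added ossl_bn_miller_rabin_is_prime() calls are shown ending in "1, );", with nothing after the last comma, while the next context line tests "status". Please confirm that the patch file as committed passes the status out-parameter in that position; as rendered here the added line would not compile.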