From 83a04a8602ca9e741837e171ff71e22408bb0f19 Mon Sep 17 00:00:00 2001 From: LuoYujie Date: Mon, 14 Aug 2023 15:40:14 +0800 Subject: [PATCH 1/2] cvefix:fix CVE-2023-29409 --- ...ict-RSA-keys-in-certificates-to-8192.patch | 236 ++++++++++++++++++ golang.spec | 10 +- 2 files changed, 245 insertions(+), 1 deletion(-) create mode 100644 0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch diff --git a/0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch b/0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch new file mode 100644 index 0000000..2d26ce0 --- /dev/null +++ b/0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch @@ -0,0 +1,236 @@ +From aac702c23d02f2e66cab136fd85368a9850bf829 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 7 Jun 2023 15:27:13 -0700 +Subject: [PATCH] crypto/tls: restrict RSA keys in certificates to <= 8192 bits + +Extremely large RSA keys in certificate chains can cause a client/server +to expend significant CPU time verifying signatures. Limit this by +restricting the size of RSA keys transmitted during handshakes to <= +8192 bits. + +Based on a survey of publicly trusted RSA keys, there are currently only +three certificates in circulation with keys larger than this, and all +three appear to be test certificates that are not actively deployed. It +is possible there are larger keys in use in private PKIs, but we target +the web PKI, so causing breakage here in the interests of increasing the +default safety of users of crypto/tls seems reasonable. + +Thanks to Mateusz Poliwczak for reporting this issue. + +Fixes #61460 +Fixes CVE-2023-29409 + +Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161 +Reviewed-by: Damien Neil +Reviewed-by: Tatiana Bradley +Run-TryBot: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/go/+/515257 +TryBot-Result: Gopher Robot +Auto-Submit: David Chase +Run-TryBot: David Chase + +Reference:https://go-review.googlesource.com/c/go/+/515257 +Conflict:NA +--- + src/crypto/tls/handshake_client.go | 11 +- + src/crypto/tls/handshake_client_test.go | 141 ++++++++++++++++++++++++ + src/crypto/tls/handshake_server.go | 4 + + 3 files changed, 155 insertions(+), 1 deletion(-) + +diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go +index 85622f159b..708d264ae8 100644 +--- a/src/crypto/tls/handshake_client.go ++++ b/src/crypto/tls/handshake_client.go +@@ -852,6 +852,10 @@ func (hs *clientHandshakeState) sendFinished(out []byte) error { + return nil + } + ++// maxRSAKeySize is the maximum RSA key size in bits that we are willing ++// to verify the signatures of during a TLS handshake. ++const maxRSAKeySize = 8192 ++ + // verifyServerCertificate parses and verifies the provided chain, setting + // c.verifiedChains and c.peerCertificates or sending the appropriate alert. + func (c *Conn) verifyServerCertificate(certificates [][]byte) error { +@@ -862,7 +866,12 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error { + c.sendAlert(alertBadCertificate) + return errors.New("tls: failed to parse certificate from server: " + err.Error()) + } +- certs[i] = cert ++ if cert.cert.PublicKeyAlgorithm == x509.RSA && cert.cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize { ++ c.sendAlert(alertBadCertificate) ++ return fmt.Errorf("tls: server sent certificate containing RSA key larger than %d bits", maxRSAKeySize) ++ } ++ activeHandles[i] = cert ++ certs[i] = cert.cert + } + + if !c.config.InsecureSkipVerify { +diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go +index 0228745155..f92d22ac97 100644 +--- a/src/crypto/tls/handshake_client_test.go ++++ b/src/crypto/tls/handshake_client_test.go +@@ -2595,3 +2595,144 @@ func TestClientHandshakeContextCancellation(t *testing.T) { + t.Error("Client connection was not closed when the context was canceled") + } + } ++ ++// TestTLS13OnlyClientHelloCipherSuite tests that when a client states that ++// it only supports TLS 1.3, it correctly advertises only TLS 1.3 ciphers. ++func TestTLS13OnlyClientHelloCipherSuite(t *testing.T) { ++ tls13Tests := []struct { ++ name string ++ ciphers []uint16 ++ }{ ++ { ++ name: "nil", ++ ciphers: nil, ++ }, ++ { ++ name: "empty", ++ ciphers: []uint16{}, ++ }, ++ { ++ name: "some TLS 1.2 cipher", ++ ciphers: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, ++ }, ++ { ++ name: "some TLS 1.3 cipher", ++ ciphers: []uint16{TLS_AES_128_GCM_SHA256}, ++ }, ++ { ++ name: "some TLS 1.2 and 1.3 ciphers", ++ ciphers: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_256_GCM_SHA384}, ++ }, ++ } ++ for _, tt := range tls13Tests { ++ tt := tt ++ t.Run(tt.name, func(t *testing.T) { ++ t.Parallel() ++ testTLS13OnlyClientHelloCipherSuite(t, tt.ciphers) ++ }) ++ } ++} ++ ++func testTLS13OnlyClientHelloCipherSuite(t *testing.T, ciphers []uint16) { ++ serverConfig := &Config{ ++ Certificates: testConfig.Certificates, ++ GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) { ++ if len(chi.CipherSuites) != len(defaultCipherSuitesTLS13NoAES) { ++ t.Errorf("only TLS 1.3 suites should be advertised, got=%x", chi.CipherSuites) ++ } else { ++ for i := range defaultCipherSuitesTLS13NoAES { ++ if want, got := defaultCipherSuitesTLS13NoAES[i], chi.CipherSuites[i]; want != got { ++ t.Errorf("cipher at index %d does not match, want=%x, got=%x", i, want, got) ++ } ++ } ++ } ++ return nil, nil ++ }, ++ } ++ clientConfig := &Config{ ++ MinVersion: VersionTLS13, // client only supports TLS 1.3 ++ CipherSuites: ciphers, ++ InsecureSkipVerify: true, ++ } ++ if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil { ++ t.Fatalf("handshake failed: %s", err) ++ } ++} ++ ++// discardConn wraps a net.Conn but discards all writes, but reports that they happened. ++type discardConn struct { ++ net.Conn ++} ++ ++func (dc *discardConn) Write(data []byte) (int, error) { ++ return len(data), nil ++} ++ ++// largeRSAKeyCertPEM contains a 8193 bit RSA key ++const largeRSAKeyCertPEM = `-----BEGIN CERTIFICATE----- ++MIIInjCCBIWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwd0ZXN0 ++aW5nMB4XDTIzMDYwNzIxMjMzNloXDTIzMDYwNzIzMjMzNlowEjEQMA4GA1UEAxMH ++dGVzdGluZzCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAWdHsf6Rh2Ca ++n2SQwn4t4OQrOjbLLdGE1pM6TBKKrHUFy62uEL8atNjlcfXIsa4aEu3xNGiqxqur ++ZectlkZbm0FkaaQ1Wr9oikDY3KfjuaXdPdO/XC/h8AKNxlDOylyXwUSK/CuYb+1j ++gy8yF5QFvVfwW/xwTlHmhUeSkVSQPosfQ6yXNNsmMzkd+ZPWLrfq4R+wiNtwYGu0 ++WSBcI/M9o8/vrNLnIppoiBJJ13j9CR1ToEAzOFh9wwRWLY10oZhoh1ONN1KQURx4 ++qedzvvP2DSjZbUccdvl2rBGvZpzfOiFdm1FCnxB0c72Cqx+GTHXBFf8bsa7KHky9 ++sNO1GUanbq17WoDNgwbY6H51bfShqv0CErxatwWox3we4EcAmFHPVTCYL1oWVMGo ++a3Eth91NZj+b/nGhF9lhHKGzXSv9brmLLkfvM1jA6XhNhA7BQ5Vz67lj2j3XfXdh ++t/BU5pBXbL4Ut4mIhT1YnKXAjX2/LF5RHQTE8Vwkx5JAEKZyUEGOReD/B+7GOrLp ++HduMT9vZAc5aR2k9I8qq1zBAzsL69lyQNAPaDYd1BIAjUety9gAYaSQffCgAgpRO ++Gt+DYvxS+7AT/yEd5h74MU2AH7KrAkbXOtlwupiGwhMVTstncDJWXMJqbBhyHPF8 ++3UmZH0hbL4PYmzSj9LDWQQXI2tv6vrCpfts3Cqhqxz9vRpgY7t1Wu6l/r+KxYYz3 ++1pcGpPvRmPh0DJm7cPTiXqPnZcPt+ulSaSdlxmd19OnvG5awp0fXhxryZVwuiT8G ++VDkhyARrxYrdjlINsZJZbQjO0t8ketXAELJOnbFXXzeCOosyOHkLwsqOO96AVJA8 ++45ZVL5m95ClGy0RSrjVIkXsxTAMVG6SPAqKwk6vmTdRGuSPS4rhgckPVDHmccmuq ++dfnT2YkX+wB2/M3oCgU+s30fAHGkbGZ0pCdNbFYFZLiH0iiMbTDl/0L/z7IdK0nH ++GLHVE7apPraKC6xl6rPWsD2iSfrmtIPQa0+rqbIVvKP5JdfJ8J4alI+OxFw/znQe ++V0/Rez0j22Fe119LZFFSXhRv+ZSvcq20xDwh00mzcumPWpYuCVPozA18yIhC9tNn ++ALHndz0tDseIdy9vC71jQWy9iwri3ueN0DekMMF8JGzI1Z6BAFzgyAx3DkHtwHg7 ++B7qD0jPG5hJ5+yt323fYgJsuEAYoZ8/jzZ01pkX8bt+UsVN0DGnSGsI2ktnIIk3J ++l+8krjmUy6EaW79nITwoOqaeHOIp8m3UkjEcoKOYrzHRKqRy+A09rY+m/cAQaafW ++4xp0Zv7qZPLwnu0jsqB4jD8Ll9yPB02ndsoV6U5PeHzTkVhPml19jKUAwFfs7TJg ++kXy+/xFhYVUCAwEAATANBgkqhkiG9w0BAQsFAAOCBAIAAQnZY77pMNeypfpba2WK ++aDasT7dk2JqP0eukJCVPTN24Zca+xJNPdzuBATm/8SdZK9lddIbjSnWRsKvTnO2r ++/rYdlPf3jM5uuJtb8+Uwwe1s+gszelGS9G/lzzq+ehWicRIq2PFcs8o3iQMfENiv ++qILJ+xjcrvms5ZPDNahWkfRx3KCg8Q+/at2n5p7XYjMPYiLKHnDC+RE2b1qT20IZ ++FhuK/fTWLmKbfYFNNga6GC4qcaZJ7x0pbm4SDTYp0tkhzcHzwKhidfNB5J2vNz6l ++Ur6wiYwamFTLqcOwWo7rdvI+sSn05WQBv0QZlzFX+OAu0l7WQ7yU+noOxBhjvHds ++14+r9qcQZg2q9kG+evopYZqYXRUNNlZKo9MRBXhfrISulFAc5lRFQIXMXnglvAu+ ++Ipz2gomEAOcOPNNVldhKAU94GAMJd/KfN0ZP7gX3YvPzuYU6XDhag5RTohXLm18w ++5AF+ES3DOQ6ixu3DTf0D+6qrDuK+prdX8ivcdTQVNOQ+MIZeGSc6NWWOTaMGJ3lg ++aZIxJUGdo6E7GBGiC1YTjgFKFbHzek1LRTh/LX3vbSudxwaG0HQxwsU9T4DWiMqa ++Fkf2KteLEUA6HrR+0XlAZrhwoqAmrJ+8lCFX3V0gE9lpENfVHlFXDGyx10DpTB28 ++DdjnY3F7EPWNzwf9P3oNT69CKW3Bk6VVr3ROOJtDxVu1ioWo3TaXltQ0VOnap2Pu ++sa5wfrpfwBDuAS9JCDg4ttNp2nW3F7tgXC6xPqw5pvGwUppEw9XNrqV8TZrxduuv ++rQ3NyZ7KSzIpmFlD3UwV/fGfz3UQmHS6Ng1evrUID9DjfYNfRqSGIGjDfxGtYD+j ++Z1gLJZuhjJpNtwBkKRtlNtrCWCJK2hidK/foxwD7kwAPo2I9FjpltxCRywZUs07X ++KwXTfBR9v6ij1LV6K58hFS+8ezZyZ05CeVBFkMQdclTOSfuPxlMkQOtjp8QWDj+F ++j/MYziT5KBkHvcbrjdRtUJIAi4N7zCsPZtjik918AK1WBNRVqPbrgq/XSEXMfuvs ++6JbfK0B76vdBDRtJFC1JsvnIrGbUztxXzyQwFLaR/AjVJqpVlysLWzPKWVX6/+SJ ++u1NQOl2E8P6ycyBsuGnO89p0S4F8cMRcI2X1XQsZ7/q0NBrOMaEp5T3SrWo9GiQ3 ++o2SBdbs3Y6MBPBtTu977Z/0RO63J3M5i2tjUiDfrFy7+VRLKr7qQ7JibohyB8QaR ++9tedgjn2f+of7PnP/PEl1cCphUZeHM7QKUMPT8dbqwmKtlYY43EHXcvNOT5IBk3X ++9lwJoZk/B2i+ZMRNSP34ztAwtxmasPt6RAWGQpWCn9qmttAHAnMfDqe7F7jVR6rS ++u58= ++-----END CERTIFICATE-----` ++ ++func TestHandshakeRSATooBig(t *testing.T) { ++ testCert, _ := pem.Decode([]byte(largeRSAKeyCertPEM)) ++ ++ c := &Conn{conn: &discardConn{}, config: testConfig.Clone()} ++ ++ expectedErr := "tls: server sent certificate containing RSA key larger than 8192 bits" ++ err := c.verifyServerCertificate([][]byte{testCert.Bytes}) ++ if err == nil || err.Error() != expectedErr { ++ t.Errorf("Conn.verifyServerCertificate unexpected error: want %q, got %q", expectedErr, err) ++ } ++ ++ expectedErr = "tls: client sent certificate containing RSA key larger than 8192 bits" ++ err = c.processCertsFromClient(Certificate{Certificate: [][]byte{testCert.Bytes}}) ++ if err == nil || err.Error() != expectedErr { ++ t.Errorf("Conn.processCertsFromClient unexpected error: want %q, got %q", expectedErr, err) ++ } ++} +diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go +index 8d51e7e55f..a5d8f4a9a8 100644 +--- a/src/crypto/tls/handshake_server.go ++++ b/src/crypto/tls/handshake_server.go +@@ -812,6 +812,10 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error { + c.sendAlert(alertBadCertificate) + return errors.New("tls: failed to parse client certificate: " + err.Error()) + } ++ if certs[i].PublicKeyAlgorithm == x509.RSA && certs[i].PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize { ++ c.sendAlert(alertBadCertificate) ++ return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", maxRSAKeySize) ++ } + } + + if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) { +-- +2.33.0 + diff --git a/golang.spec b/golang.spec index 123995c..2ca7fd1 100644 --- a/golang.spec +++ b/golang.spec @@ -63,7 +63,7 @@ Name: golang Version: 1.17.3 -Release: 20 +Release: 21 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -197,6 +197,7 @@ Patch6044: 0044-Backport-cmd-go-disallow-package-directories-contain.patch Patch6045: 0045-Backport-cmd-go-enforce-flags-with-non-optional-argu.patch Patch6046: 0046-Backport-cmd-go-cmd-cgo-in-_cgo_flags-use-one-line-p.patch Patch6047: 0047-Backport-net-http-validate-Host-header-before-sendin.patch +Patch6048: 0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch ExclusiveArch: %{golang_arches} @@ -435,6 +436,13 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Mon Aug 14 2023 hanchao - 1.17.3-12.%{subr}8 +- Type:CVE +- CVE:CVE-2023-29409 +- SUG:NA +- DESC:fix CVE-2023-29409 + + * Fri Jul 21 2023 hanchao - 1.17.3-20 - Type:CVE - CVE:CVE-2023-29406 -- Gitee From 015e1aff9bee363ac4d750d47490ec4615e44840 Mon Sep 17 00:00:00 2001 From: LuoYujie Date: Mon, 14 Aug 2023 16:14:06 +0800 Subject: [PATCH 2/2] cvefix:fix CVE-2023-29409 --- golang.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/golang.spec b/golang.spec index 2ca7fd1..2f8b34b 100644 --- a/golang.spec +++ b/golang.spec @@ -436,7 +436,7 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog -* Mon Aug 14 2023 hanchao - 1.17.3-12.%{subr}8 +* Mon Aug 14 2023 hanchao - 1.17.3-21 - Type:CVE - CVE:CVE-2023-29409 - SUG:NA -- Gitee