From b90ac4489d4c40efa46e83ae6f0b213e77fe7fe8 Mon Sep 17 00:00:00 2001 From: qsw33 Date: Tue, 19 Dec 2023 14:56:18 +0800 Subject: [PATCH] backport patch and cve (cherry picked from commit 9b289d43017a0c920105bc586d6d370719a55165) --- ...rt-Alternative-fix-for-CVE-2022-4304.patch | 461 ++++++++++++++++++ ...trs-in-header-and-data-params-for-PE.patch | 45 ++ ...resulting-from-a-bug-in-BIO_new_NDEF.patch | 110 +++++ ...x-GENERAL_NAME_cmp-for-x400Address-1.patch | 65 +++ ...esource-use-verifying-policy-constra.patch | 226 +++++++++ ...AG_INVALID_POLICY-is-checked-even-in.patch | 58 +++ ...ion-of-X509_VERIFY_PARAM_add0_policy.patch | 50 ++ ...e-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch | 68 +++ ...cessive-time-with-over-sized-modulus.patch | 134 +++++ ...try-checking-q-properties-if-it-is-o.patch | 62 +++ ...ub_key-and-DH_generate_key-safer-yet.patch | 134 +++++ linux-sgx.spec | 16 +- 12 files changed, 1428 insertions(+), 1 deletion(-) create mode 100644 backport-Alternative-fix-for-CVE-2022-4304.patch create mode 100644 backport-CVE-2022-4450-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch create mode 100644 backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch create mode 100644 backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch create mode 100644 backport-CVE-2023-0464-x509-excessive-resource-use-verifying-policy-constra.patch create mode 100644 backport-CVE-2023-0465-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch create mode 100644 backport-CVE-2023-0466-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch create mode 100644 backport-CVE-2023-2650-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch create mode 100644 backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-modulus.patch create mode 100644 backport-CVE-2023-3817-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch create mode 100644 backport-CVE-2023-5678-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch diff --git a/backport-Alternative-fix-for-CVE-2022-4304.patch b/backport-Alternative-fix-for-CVE-2022-4304.patch new file mode 100644 index 0000000..6c8389a --- /dev/null +++ b/backport-Alternative-fix-for-CVE-2022-4304.patch @@ -0,0 +1,461 @@ +From 3f499b24f3bcd66db022074f7e8b4f6ee266a3ae Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Mon, 13 Feb 2023 17:46:41 +0100 +Subject: [PATCH] Alternative fix for CVE-2022-4304 + +This is about a timing leak in the topmost limb +of the internal result of RSA_private_decrypt, +before the padding check. + +There are in fact at least three bugs together that +caused the timing leak: + +First and probably most important is the fact that +the blinding did not use the constant time code path +at all when the RSA object was used for a private +decrypt, due to the fact that the Montgomery context +rsa->_method_mod_n was not set up early enough in +rsa_ossl_private_decrypt, when BN_BLINDING_create_param +needed it, and that was persisted as blinding->m_ctx, +although the RSA object creates the Montgomery context +just a bit later. + +Then the infamous bn_correct_top was used on the +secret value right after the blinding was removed. + +And finally the function BN_bn2binpad did not use +the constant-time code path since the BN_FLG_CONSTTIME +was not set on the secret value. + +In order to address the first problem, this patch +makes sure that the rsa->_method_mod_n is initialized +right before the blinding context. + +And to fix the second problem, we add a new utility +function bn_correct_top_consttime, a const-time +variant of bn_correct_top. + +Together with the fact, that BN_bn2binpad is already +constant time if the flag BN_FLG_CONSTTIME is set, +this should eliminate the timing oracle completely. + +In addition the no-asm variant may also have +branches that depend on secret values, because the last +invocation of bn_sub_words in bn_from_montgomery_word +had branches when the function is compiled by certain +gcc compiler versions, due to the clumsy coding style. + +So additionally this patch stream-lined the no-asm +C-code in order to avoid branches where possible and +improve the resulting code quality. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20284) + +Reference:https://github.com/openssl/openssl/commit/3f499b24f3bcd66db022074f7e8b4f6ee266a3ae +Confilts:CHANGES +--- + crypto/bn/bn_asm.c | 106 +++++++++++++++++++++++------------------- + crypto/bn/bn_blind.c | 3 +- + crypto/bn/bn_lib.c | 22 +++++++++ + crypto/bn/bn_local.h | 26 +++++------ + crypto/rsa/rsa_ossl.c | 13 +++--- + 5 files changed, 101 insertions(+), 69 deletions(-) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_asm.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_asm.c +index 4d83a8cf11..177558c647 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_asm.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_asm.c +@@ -381,25 +381,33 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, + #ifndef OPENSSL_SMALL_FOOTPRINT + while (n & ~3) { + t1 = a[0]; +- t2 = b[0]; +- r[0] = (t1 - t2 - c) & BN_MASK2; +- if (t1 != t2) +- c = (t1 < t2); ++ t2 = (t1 - c) & BN_MASK2; ++ c = (t2 > t1); ++ t1 = b[0]; ++ t1 = (t2 - t1) & BN_MASK2; ++ r[0] = t1; ++ c += (t1 > t2); + t1 = a[1]; +- t2 = b[1]; +- r[1] = (t1 - t2 - c) & BN_MASK2; +- if (t1 != t2) +- c = (t1 < t2); ++ t2 = (t1 - c) & BN_MASK2; ++ c = (t2 > t1); ++ t1 = b[1]; ++ t1 = (t2 - t1) & BN_MASK2; ++ r[1] = t1; ++ c += (t1 > t2); + t1 = a[2]; +- t2 = b[2]; +- r[2] = (t1 - t2 - c) & BN_MASK2; +- if (t1 != t2) +- c = (t1 < t2); ++ t2 = (t1 - c) & BN_MASK2; ++ c = (t2 > t1); ++ t1 = b[2]; ++ t1 = (t2 - t1) & BN_MASK2; ++ r[2] = t1; ++ c += (t1 > t2); + t1 = a[3]; +- t2 = b[3]; +- r[3] = (t1 - t2 - c) & BN_MASK2; +- if (t1 != t2) +- c = (t1 < t2); ++ t2 = (t1 - c) & BN_MASK2; ++ c = (t2 > t1); ++ t1 = b[3]; ++ t1 = (t2 - t1) & BN_MASK2; ++ r[3] = t1; ++ c += (t1 > t2); + a += 4; + b += 4; + r += 4; +@@ -408,10 +416,12 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, + #endif + while (n) { + t1 = a[0]; +- t2 = b[0]; +- r[0] = (t1 - t2 - c) & BN_MASK2; +- if (t1 != t2) +- c = (t1 < t2); ++ t2 = (t1 - c) & BN_MASK2; ++ c = (t2 > t1); ++ t1 = b[0]; ++ t1 = (t2 - t1) & BN_MASK2; ++ r[0] = t1; ++ c += (t1 > t2); + a++; + b++; + r++; +@@ -446,7 +456,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, + t += c0; /* no carry */ \ + c0 = (BN_ULONG)Lw(t); \ + hi = (BN_ULONG)Hw(t); \ +- c1 = (c1+hi)&BN_MASK2; if (c1top = (int)(rtop & ~mask) | (ntop & mask); + n->flags |= (BN_FLG_FIXED_TOP & ~mask); + } +- ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx); ++ ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx); ++ bn_correct_top_consttime(n); + } else { + ret = BN_mod_mul(n, n, r, b->mod, ctx); + } +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_lib.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_lib.c +index eb4a31849b..fe6fb0e40f 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_lib.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_lib.c +@@ -1001,6 +1001,28 @@ BIGNUM *bn_wexpand(BIGNUM *a, int words) + return (words <= a->dmax) ? a : bn_expand2(a, words); + } + ++void bn_correct_top_consttime(BIGNUM *a) ++{ ++ int j, atop; ++ BN_ULONG limb; ++ unsigned int mask; ++ ++ for (j = 0, atop = 0; j < a->dmax; j++) { ++ limb = a->d[j]; ++ limb |= 0 - limb; ++ limb >>= BN_BITS2 - 1; ++ limb = 0 - limb; ++ mask = (unsigned int)limb; ++ mask &= constant_time_msb(j - a->top); ++ atop = constant_time_select_int(mask, j + 1, atop); ++ } ++ ++ mask = constant_time_eq_int(atop, 0); ++ a->top = atop; ++ a->neg = constant_time_select_int(mask, 0, a->neg); ++ a->flags &= ~BN_FLG_FIXED_TOP; ++} ++ + void bn_correct_top(BIGNUM *a) + { + BN_ULONG *ftl; +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_local.h b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_local.h +index ee6342b60c..818e34348e 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_local.h ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_local.h +@@ -515,10 +515,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, + ret = (r); \ + BN_UMULT_LOHI(low,high,w,tmp); \ + ret += (c); \ +- (c) = (ret<(c))?1:0; \ ++ (c) = (ret<(c)); \ + (c) += high; \ + ret += low; \ +- (c) += (ret>(BN_BITS4-1); \ + m =(m&BN_MASK2l)<<(BN_BITS4+1); \ +- l=(l+m)&BN_MASK2; if (l < m) h++; \ ++ l=(l+m)&BN_MASK2; h += (l < m); \ + (lo)=l; \ + (ho)=h; \ + } +@@ -623,9 +623,9 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, + mul64(l,h,(bl),(bh)); \ + \ + /* non-multiply part */ \ +- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ ++ l=(l+(c))&BN_MASK2; h += (l < (c)); \ + (c)=(r); \ +- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ ++ l=(l+(c))&BN_MASK2; h += (l < (c)); \ + (c)=h&BN_MASK2; \ + (r)=l; \ + } +@@ -639,7 +639,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, + mul64(l,h,(bl),(bh)); \ + \ + /* non-multiply part */ \ +- l+=(c); if ((l&BN_MASK2) < (c)) h++; \ ++ l+=(c); h += ((l&BN_MASK2) < (c)); \ + (c)=h&BN_MASK2; \ + (r)=l&BN_MASK2; \ + } +@@ -669,7 +669,7 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, + int cl, int dl); + int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num); +- ++void bn_correct_top_consttime(BIGNUM *a); + BIGNUM *int_bn_mod_inverse(BIGNUM *in, + const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, + int *noinv); +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/rsa/rsa_ossl.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/rsa/rsa_ossl.c +index 53cf2d03c9..cf5a10ab43 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/rsa/rsa_ossl.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/rsa/rsa_ossl.c +@@ -226,6 +226,7 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, + * will only read the modulus from BN_BLINDING. In both cases it's safe + * to access the blinding without a lock. + */ ++ BN_set_flags(f, BN_FLG_CONSTTIME); + return BN_BLINDING_invert_ex(f, unblind, b, ctx); + } + +@@ -412,6 +413,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + goto err; + } + ++ if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) ++ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, ++ rsa->n, ctx)) ++ goto err; ++ + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { + blinding = rsa_get_blinding(rsa, &local_blinding, ctx); + if (blinding == NULL) { +@@ -449,13 +455,6 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + goto err; + } + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); +- +- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) +- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, +- rsa->n, ctx)) { +- BN_free(d); +- goto err; +- } + if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, + rsa->_method_mod_n)) { + BN_free(d); +-- +2.27.0 + diff --git a/backport-CVE-2022-4450-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch b/backport-CVE-2022-4450-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch new file mode 100644 index 0000000..d14f688 --- /dev/null +++ b/backport-CVE-2022-4450-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch @@ -0,0 +1,45 @@ +From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 13 Dec 2022 14:54:55 +0000 +Subject: [PATCH] Avoid dangling ptrs in header and data params for + PEM_read_bio_ex + +In the event of a failure in PEM_read_bio_ex() we free the buffers we +allocated for the header and data buffers. However we were not clearing +the ptrs stored in *header and *data. Since, on success, the caller is +responsible for freeing these ptrs this can potentially lead to a double +free if the caller frees them even on failure. + +Thanks to Dawei Wang for reporting this issue. + +Based on a proposed patch by Kurt Roeckx. + +CVE-2022-4450 + +Reviewed-by: Paul Dale +Reviewed-by: Hugo Landau + +Reference:https://github.com/openssl/openssl/commit/bbcf509bd046b34cca19c766bbddc31683d0858b +Confilts:CHANGES + +--- + crypto/pem/pem_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/pem/pem_lib.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/pem/pem_lib.c +index d416d939ea..328c30cdbb 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/pem/pem_lib.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/pem/pem_lib.c +@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, + *data = pem_malloc(len, flags); + if (*header == NULL || *data == NULL) { + pem_free(*header, flags, 0); ++ *header = NULL; + pem_free(*data, flags, 0); ++ *data = NULL; + goto end; + } + BIO_read(headerB, *header, headerlen); +-- +2.27.0 + diff --git a/backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch b/backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch new file mode 100644 index 0000000..687441f --- /dev/null +++ b/backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch @@ -0,0 +1,110 @@ +From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 14 Dec 2022 16:18:14 +0000 +Subject: [PATCH] Fix a UAF resulting from a bug in BIO_new_NDEF + +If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will +be part of an invalid BIO chain. This causes a "use after free" when the +BIO is eventually freed. + +Based on an original patch by Viktor Dukhovni and an idea from Theo +Buehler. + +Thanks to Octavio Galland for reporting this issue. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz + +Reference:https://github.com/openssl/openssl/commit/c3829dd8825c654652201e16f8a0a0c46ee3f344 +Conflict: NA + +--- + crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/asn1/bio_ndef.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/asn1/bio_ndef.c +index 760e4846a4..f8d4b1b9aa 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/asn1/bio_ndef.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/asn1/bio_ndef.c +@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); + static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, + void *parg); + ++/* ++ * On success, the returned BIO owns the input BIO as part of its BIO chain. ++ * On failure, NULL is returned and the input BIO is owned by the caller. ++ * ++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() ++ */ + BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + { + NDEF_SUPPORT *ndef_aux = NULL; + BIO *asn_bio = NULL; + const ASN1_AUX *aux = it->funcs; + ASN1_STREAM_ARG sarg; ++ BIO *pop_bio = NULL; + + if (!aux || !aux->asn1_cb) { + ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); +@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + out = BIO_push(asn_bio, out); + if (out == NULL) + goto err; ++ pop_bio = asn_bio; + +- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); +- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); ++ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 ++ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 ++ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) ++ goto err; + + /* +- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure +- * needs. ++ * Now let the callback prepend any digest, cipher, etc., that the BIO's ++ * ASN1 structure needs. + */ + + sarg.out = out; + sarg.ndef_bio = NULL; + sarg.boundary = NULL; + +- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) ++ /* ++ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the ++ * middle of some partially built, but not returned BIO chain. ++ */ ++ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { ++ /* ++ * ndef_aux is now owned by asn_bio so we must not free it in the err ++ * clean up block ++ */ ++ ndef_aux = NULL; + goto err; ++ } ++ ++ /* ++ * We must not fail now because the callback has prepended additional ++ * BIOs to the chain ++ */ + + ndef_aux->val = val; + ndef_aux->it = it; +@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + ndef_aux->boundary = sarg.boundary; + ndef_aux->out = out; + +- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); +- + return sarg.ndef_bio; + + err: ++ /* BIO_pop() is NULL safe */ ++ (void)BIO_pop(pop_bio); + BIO_free(asn_bio); + OPENSSL_free(ndef_aux); + return NULL; +-- +2.27.0 + diff --git a/backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch b/backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch new file mode 100644 index 0000000..0500241 --- /dev/null +++ b/backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch @@ -0,0 +1,65 @@ +From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001 +From: Hugo Landau +Date: Tue, 17 Jan 2023 17:45:42 +0000 +Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1) + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz + +Reference:https://github.com/openssl/openssl/commit/2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 +Confilts:CHANGES + +--- + crypto/x509v3/v3_genn.c | 2 +- + include/openssl/x509v3.h | 2 +- + test/v3nametest.c | 8 ++++++++ + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/v3_genn.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/v3_genn.c +index 87a5eff47c..e54ddc55c9 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/v3_genn.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/v3_genn.c +@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + return -1; + switch (a->type) { + case GEN_X400: +- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); + break; + + case GEN_EDIPARTY: +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/x509v3.h b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/x509v3.h +index 90fa3592ce..e61c0f29d4 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/x509v3.h ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/x509v3.h +@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st { + OTHERNAME *otherName; /* otherName */ + ASN1_IA5STRING *rfc822Name; + ASN1_IA5STRING *dNSName; +- ASN1_TYPE *x400Address; ++ ASN1_STRING *x400Address; + X509_NAME *directoryName; + EDIPARTYNAME *ediPartyName; + ASN1_IA5STRING *uniformResourceIdentifier; +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/v3nametest.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/v3nametest.c +index d1852190b8..37819da8fd 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/v3nametest.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/v3nametest.c +@@ -646,6 +646,14 @@ static struct gennamedata { + 0xb7, 0x09, 0x02, 0x02 + }, + 15 ++ }, { ++ /* ++ * Regression test for CVE-2023-0286. ++ */ ++ { ++ 0xa3, 0x00 ++ }, ++ 2 + } + }; + +-- +2.27.0 + diff --git a/backport-CVE-2023-0464-x509-excessive-resource-use-verifying-policy-constra.patch b/backport-CVE-2023-0464-x509-excessive-resource-use-verifying-policy-constra.patch new file mode 100644 index 0000000..954034b --- /dev/null +++ b/backport-CVE-2023-0464-x509-excessive-resource-use-verifying-policy-constra.patch @@ -0,0 +1,226 @@ +From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20569) + +Reference:https://github.com/openssl/openssl/commit/879f7080d7e141f415c79eaa3a8ac4a3dad0348b +Confilts:NA + +--- + crypto/x509v3/pcy_local.h | 8 +++++++- + crypto/x509v3/pcy_node.c | 12 +++++++++--- + crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++---------- + 3 files changed, 43 insertions(+), 14 deletions(-) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_local.h b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_local.h +index 5daf78de45..344aa06765 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_local.h ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++ /* The number of nodes in the tree */ ++ size_t node_count; ++ /* The maximum number of nodes in the tree */ ++ size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void policy_node_free(X509_POLICY_NODE *node); + int policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_node.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_node.c +index e2d7b15322..d574fb9d66 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_node.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++ return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +- if (level) { ++ if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + } + } + +- if (tree) { ++ if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + } + } + ++ tree->node_count++; + if (parent) + parent->nchild++; + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_tree.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_tree.c +index 6e8322cbc5..6c7fd35405 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_tree.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509v3/pcy_tree.c +@@ -13,6 +13,18 @@ + + #include "pcy_local.h" + ++/* ++ * If the maximum number of nodes in the policy tree isn't defined, set it to ++ * a generous default of 1000 nodes. ++ * ++ * Defining this to be zero means unlimited policy tree growth which opens the ++ * door on CVE-2023-0464. ++ */ ++ ++#ifndef OPENSSL_POLICY_TREE_NODES_MAX ++# define OPENSSL_POLICY_TREE_NODES_MAX 1000 ++#endif ++ + /* + * Enable this to print out the complete policy tree at various point during + * evaluation. +@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + return X509_PCY_TREE_INTERNAL; + } + ++ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ ++ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; ++ + /* + * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. + * +@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + level = tree->levels; + if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) + goto bad_tree; +- if (level_add_node(level, data, NULL, tree) == NULL) { ++ if (level_add_node(level, data, NULL, tree, 1) == NULL) { + policy_data_free(data); + goto bad_tree; + } +@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + * Return value: 1 on success, 0 otherwise + */ + static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, +- X509_POLICY_DATA *data) ++ X509_POLICY_DATA *data, ++ X509_POLICY_TREE *tree) + { + X509_POLICY_LEVEL *last = curr - 1; + int i, matched = 0; +@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); + + if (policy_node_match(last, node, data->valid_policy)) { +- if (level_add_node(curr, data, node, NULL) == NULL) ++ if (level_add_node(curr, data, node, tree, 0) == NULL) + return 0; + matched = 1; + } + } + if (!matched && last->anyPolicy) { +- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL) ++ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) + return 0; + } + return 1; +@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + * Return value: 1 on success, 0 otherwise. + */ + static int tree_link_nodes(X509_POLICY_LEVEL *curr, +- const X509_POLICY_CACHE *cache) ++ const X509_POLICY_CACHE *cache, ++ X509_POLICY_TREE *tree) + { + int i; + +@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); + + /* Look for matching nodes in previous level */ +- if (!tree_link_matching_nodes(curr, data)) ++ if (!tree_link_matching_nodes(curr, data, tree)) + return 0; + } + return 1; +@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, + /* Curr may not have anyPolicy */ + data->qualifier_set = cache->anyPolicy->qualifier_set; + data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; +- if (level_add_node(curr, data, node, tree) == NULL) { ++ if (level_add_node(curr, data, node, tree, 1) == NULL) { + policy_data_free(data); + return 0; + } +@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, + } + /* Finally add link to anyPolicy */ + if (last->anyPolicy && +- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL) ++ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL) + return 0; + return 1; + } +@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, + extra->qualifier_set = anyPolicy->data->qualifier_set; + extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS + | POLICY_DATA_FLAG_EXTRA_NODE; +- node = level_add_node(NULL, extra, anyPolicy->parent, tree); ++ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1); + } + if (!tree->user_policies) { + tree->user_policies = sk_X509_POLICY_NODE_new_null(); +@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) + + for (i = 1; i < tree->nlevel; i++, curr++) { + cache = policy_cache_set(curr->cert); +- if (!tree_link_nodes(curr, cache)) ++ if (!tree_link_nodes(curr, cache, tree)) + return X509_PCY_TREE_INTERNAL; + + if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) +-- +2.27.0 + diff --git a/backport-CVE-2023-0465-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch b/backport-CVE-2023-0465-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch new file mode 100644 index 0000000..6de2e69 --- /dev/null +++ b/backport-CVE-2023-0465-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch @@ -0,0 +1,58 @@ +From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 7 Mar 2023 16:52:55 +0000 +Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf + certs + +Even though we check the leaf cert to confirm it is valid, we +later ignored the invalid flag and did not notice that the leaf +cert was bad. + +Fixes: CVE-2023-0465 + +Reviewed-by: Hugo Landau +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20588) + +Reference:https://github.com/openssl/openssl/commit/b013765abfa80036dc779dd0e50602c57bb3bf95 +Confilts:NA + +--- + crypto/x509/x509_vfy.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509/x509_vfy.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509/x509_vfy.c +index 925fbb5412..1dfe4f9f31 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509/x509_vfy.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/x509/x509_vfy.c +@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx) + } + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +- int i; ++ int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +- for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++ for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + + if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) + continue; ++ cbcalled = 1; + if (!verify_cb_cert(ctx, x, i, + X509_V_ERR_INVALID_POLICY_EXTENSION)) + return 0; + } ++ if (!cbcalled) { ++ /* Should not be able to get here */ ++ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ /* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { +-- +2.27.0 + diff --git a/backport-CVE-2023-0466-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch b/backport-CVE-2023-0466-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch new file mode 100644 index 0000000..b96d626 --- /dev/null +++ b/backport-CVE-2023-0466-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch @@ -0,0 +1,50 @@ +From 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 21 Mar 2023 16:15:47 +0100 +Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy() + +The function was incorrectly documented as enabling policy checking. + +Fixes: CVE-2023-0466 + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/20564) + +Reference:https://github.com/openssl/openssl/commit/0d16b7e99aafc0b4a6d729eec65a411a7e025f0a +Confilts:CHANGES,NEWS + +--- + doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index f6f304bf7b..aa292f9336 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/doc/man3/X509_VERIFY_PARAM_set_flags.pod ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -92,8 +92,9 @@ B. + X509_VERIFY_PARAM_set_time() sets the verification time in B to + B. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B. Any existing +@@ -377,6 +378,10 @@ and has no effect. + + The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation was changed to align with the implementation. ++ + =head1 COPYRIGHT + + Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. +-- +2.27.0 + diff --git a/backport-CVE-2023-2650-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch b/backport-CVE-2023-2650-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch new file mode 100644 index 0000000..918a2dd --- /dev/null +++ b/backport-CVE-2023-2650-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch @@ -0,0 +1,68 @@ +From 9e209944b35cf82368071f160a744b6178f9b098 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Fri, 12 May 2023 10:00:13 +0200 +Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will + translate + +OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical +numeric text form. For gigantic sub-identifiers, this would take a very +long time, the time complexity being O(n^2) where n is the size of that +sub-identifier. + +To mitigate this, a restriction on the size that OBJ_obj2txt() will +translate to canonical numeric text form is added, based on RFC 2578 +(STD 58), which says this: + +> 3.5. OBJECT IDENTIFIER values +> +> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers. +> For the SMIv2, each number in the list is referred to as a sub-identifier, +> there are at most 128 sub-identifiers in a value, and each sub-identifier +> has a maximum value of 2^32-1 (4294967295 decimal). + +Fixes otc/security#96 +Fixes CVE-2023-2650 + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz + +Reference:https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098 +Confilts:CHANGES,NEWS + +--- + crypto/objects/obj_dat.c | 19 +++++++++++++++++++ + 1 files changed, 19 insertions(+) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/objects/obj_dat.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/objects/obj_dat.c +index 7e8de727f3..d699915b20 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/objects/obj_dat.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/objects/obj_dat.c +@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + first = 1; + bl = NULL; + ++ /* ++ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: ++ * ++ * > 3.5. OBJECT IDENTIFIER values ++ * > ++ * > An OBJECT IDENTIFIER value is an ordered list of non-negative ++ * > numbers. For the SMIv2, each number in the list is referred to as a ++ * > sub-identifier, there are at most 128 sub-identifiers in a value, ++ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 ++ * > decimal). ++ * ++ * So a legitimate OID according to this RFC is at most (32 * 128 / 7), ++ * i.e. 586 bytes long. ++ * ++ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 ++ */ ++ if (len > 586) ++ goto err; ++ + while (len > 0) { + l = 0; + use_bn = 0; +-- +2.27.0 + diff --git a/backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-modulus.patch b/backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-modulus.patch new file mode 100644 index 0000000..0c19e75 --- /dev/null +++ b/backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-modulus.patch @@ -0,0 +1,134 @@ +From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 6 Jul 2023 16:36:35 +0100 +Subject: [PATCH] Fix DH_check() excessive time with over sized modulus + +The DH_check() function checks numerous aspects of the key or parameters +that have been supplied. Some of those checks use the supplied modulus +value even if it is excessively large. + +There is already a maximum DH modulus size (10,000 bits) over which +OpenSSL will not generate or derive keys. DH_check() will however still +perform various tests for validity on such a large modulus. We introduce a +new maximum (32,768) over which DH_check() will just fail. + +An application that calls DH_check() and supplies a key or parameters +obtained from an untrusted source could be vulnerable to a Denial of +Service attack. + +The function DH_check() is itself called by a number of other OpenSSL +functions. An application calling any of those other functions may +similarly be affected. The other functions affected by this are +DH_check_ex() and EVP_PKEY_param_check(). + +CVE-2023-3446 + +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/21452) + +Reference:https://github.com/openssl/openssl/commit/8780a896543a654e757db1b9396383f9d8095528 +Confilts:Change the Source File Patch + +--- + crypto/dh/dh_check.c | 6 ++++++ + crypto/dh/dh_err.c | 3 ++- + crypto/err/openssl.txt | 3 ++- + include/openssl/dh.h | 3 +++ + include/openssl/dherr.h | 3 ++- + 5 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c +index 4ac169e75c..e5f9dd5030 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c +@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret) + BN_CTX *ctx = NULL; + BIGNUM *t1 = NULL, *t2 = NULL; + ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + if (!DH_check_params(dh, ret)) + return 0; + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_err.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_err.c +index 7285587b4a..92800d3fcc 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_err.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = { + {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0), + "dh_builtin_genparams"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"}, +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/err/openssl.txt b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/err/openssl.txt +index 9f91a4a811..c0a3cd720b 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/err/openssl.txt ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/err/openssl.txt +@@ -1,4 +1,4 @@ +-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. + # + # Licensed under the OpenSSL license (the "License"). You may not use + # this file except in compliance with the License. You can obtain a copy +@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version + DH_F_COMPUTE_KEY:102:compute_key + DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp + DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams ++DH_F_DH_CHECK:126:DH_check + DH_F_DH_CHECK_EX:121:DH_check_ex + DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex + DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dh.h b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dh.h +index 3527540cdd..892e31559d 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dh.h ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dh.h +@@ -29,6 +29,9 @@ extern "C" { + # ifndef OPENSSL_DH_MAX_MODULUS_BITS + # define OPENSSL_DH_MAX_MODULUS_BITS 10000 + # endif ++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS ++# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 ++# endif + + # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dherr.h b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dherr.h +index 916b3bed0b..528c819856 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dherr.h ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dherr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void); + # define DH_F_COMPUTE_KEY 102 + # define DH_F_DHPARAMS_PRINT_FP 101 + # define DH_F_DH_BUILTIN_GENPARAMS 106 ++# define DH_F_DH_CHECK 126 + # define DH_F_DH_CHECK_EX 121 + # define DH_F_DH_CHECK_PARAMS_EX 122 + # define DH_F_DH_CHECK_PUB_KEY_EX 123 +-- +2.27.0 + diff --git a/backport-CVE-2023-3817-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch b/backport-CVE-2023-3817-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch new file mode 100644 index 0000000..948b0e3 --- /dev/null +++ b/backport-CVE-2023-3817-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch @@ -0,0 +1,62 @@ +From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 21 Jul 2023 11:39:41 +0200 +Subject: [PATCH] DH_check(): Do not try checking q properties if it is + obviously invalid + +If |q| >= |p| then the q value is obviously wrong as q +is supposed to be a prime divisor of p-1. + +We check if p is overly large so this added test implies that +q is not large either when performing subsequent tests using that +q value. + +Otherwise if it is too large these additional checks of the q value +such as the primality test can then trigger DoS by doing overly long +computations. + +Fixes CVE-2023-3817 + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/21551) + +Reference:https://github.com/openssl/openssl/commit/91ddeba0f2269b017dc06c46c993a788974b1aa5 +Confilts:Change the Source File Patch + +--- + crypto/dh/dh_check.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c +index 2001d2e7cb..9ae96991eb 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c +@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh) + + int DH_check(const DH *dh, int *ret) + { +- int ok = 0, r; ++ int ok = 0, r, q_good = 0; + BN_CTX *ctx = NULL; + BIGNUM *t1 = NULL, *t2 = NULL; + +@@ -120,7 +120,14 @@ int DH_check(const DH *dh, int *ret) + if (t2 == NULL) + goto err; + +- if (dh->q) { ++ if (dh->q != NULL) { ++ if (BN_ucmp(dh->p, dh->q) > 0) ++ q_good = 1; ++ else ++ *ret |= DH_CHECK_INVALID_Q_VALUE; ++ } ++ ++ if (q_good) { + if (BN_cmp(dh->g, BN_value_one()) <= 0) + *ret |= DH_NOT_SUITABLE_GENERATOR; + else if (BN_cmp(dh->g, dh->p) >= 0) +-- +2.27.0 + diff --git a/backport-CVE-2023-5678-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch b/backport-CVE-2023-5678-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch new file mode 100644 index 0000000..5703469 --- /dev/null +++ b/backport-CVE-2023-5678-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch @@ -0,0 +1,134 @@ +From 58589a46204c0dfca58906d6e66cf610caa11d88 Mon Sep 17 00:00:00 2001 +From: lanming1120 +Date: Tue, 7 Nov 2023 14:42:28 +0800 +Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet + +Signed-off-by: lanming1120 + +Reference:https://gitee.com/openeuler/openssl/commit/58589a46204c0dfca58906d6e66cf610caa11d88 +Confilts:NA + +--- + crypto/dh/dh_check.c | 13 +++++++++++++ + crypto/dh/dh_err.c | 1 + + crypto/dh/dh_key.c | 12 ++++++++++++ + crypto/err/openssl.txt | 1 + + include/openssl/dh.h | 5 +++-- + include/openssl/dherr.h | 1 + + 6 files changed, 31 insertions(+), 2 deletions(-) + +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c +index ae1b03bc92..779cfbcd91 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_check.c +@@ -198,6 +198,19 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) + BN_CTX *ctx = NULL; + + *ret = 0; ++ ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ DHerr(DH_F_DH_CHECK_EX, DH_R_MODULUS_TOO_LARGE); ++ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; ++ return 0; ++ } ++ ++ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; ++ return 1; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_err.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_err.c +index 92800d3fcc..b3b1e7a706 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_err.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_err.c +@@ -82,6 +82,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), + "unable to check generator"}, +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_key.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_key.c +index 117f2fa883..4c4c4b9874 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_key.c ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/dh/dh_key.c +@@ -109,6 +109,12 @@ static int generate_key(DH *dh) + BN_MONT_CTX *mont = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++ if (dh->q != NULL ++ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE); ++ return 0; ++ } ++ + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); + return 0; +@@ -202,6 +208,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + int ret = -1; + int check_result; + ++ if (dh->q != NULL ++ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE); ++ goto err; ++ } ++ + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); + goto err; +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/err/openssl.txt b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/err/openssl.txt +index c111822eac..56d4093ada 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/err/openssl.txt ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/err/openssl.txt +@@ -2139,6 +2139,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set + DH_R_NO_PRIVATE_VALUE:100:no private value + DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error + DH_R_PEER_KEY_ERROR:111:peer key error ++DH_R_Q_TOO_LARGE:130:q too large + DH_R_SHARED_INFO_ERROR:113:shared info error + DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator + DSA_R_BAD_Q_VALUE:102:bad q value +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dh.h b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dh.h +index 6c6ff3636a..7509f4fc3e 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dh.h ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dh.h +@@ -71,14 +71,15 @@ DECLARE_ASN1_ITEM(DHparams) + /* #define DH_GENERATOR_3 3 */ + # define DH_GENERATOR_5 5 + +-/* DH_check error codes */ ++/* DH_check error codes, some of them shared with DH_check_pub_key */ + # define DH_CHECK_P_NOT_PRIME 0x01 + # define DH_CHECK_P_NOT_SAFE_PRIME 0x02 + # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 + # define DH_NOT_SUITABLE_GENERATOR 0x08 + # define DH_CHECK_Q_NOT_PRIME 0x10 +-# define DH_CHECK_INVALID_Q_VALUE 0x20 ++# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ + # define DH_CHECK_INVALID_J_VALUE 0x40 ++# define DH_MODULUS_TOO_LARGE 0x100 + + /* DH_check_pub_key error codes */ + # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 +diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dherr.h b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dherr.h +index 528c819856..d66c35aa8e 100644 +--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dherr.h ++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/include/openssl/dherr.h +@@ -82,6 +82,7 @@ int ERR_load_DH_strings(void); + # define DH_R_NO_PRIVATE_VALUE 100 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 ++# define DH_R_Q_TOO_LARGE 130 + # define DH_R_SHARED_INFO_ERROR 113 + # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 + +-- +2.27.0 + diff --git a/linux-sgx.spec b/linux-sgx.spec index 65b4b2a..a9804b5 100644 --- a/linux-sgx.spec +++ b/linux-sgx.spec @@ -1,6 +1,6 @@ Name: linux-sgx Version: 2.15.1 -Release: 8 +Release: 10 Summary: Intel(R) Software Guard Extensions for Linux* OS ExclusiveArch: x86_64 License: BSD-3-Clause @@ -32,6 +32,17 @@ Patch10: DCAP-disabling-the-rpatch-option.patch Patch11: add-strip-compilation-option-for-pck-id-retrieval-tool.patch Patch12: backport-Fix-sgx_create_enclave-retry-mechanism.patch Patch13: backport-CVE-2022-1941-Fix-parsing-vulnerability-for-MessageSet-type.patch +Patch14: backport-Alternative-fix-for-CVE-2022-4304.patch +Patch15: backport-CVE-2022-4450-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch +Patch16: backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch +Patch17: backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch +Patch18: backport-CVE-2023-0464-x509-excessive-resource-use-verifying-policy-constra.patch +Patch19: backport-CVE-2023-0465-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch +Patch20: backport-CVE-2023-0466-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch +Patch21: backport-CVE-2023-2650-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch +Patch22: backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-modulus.patch +Patch23: backport-CVE-2023-3817-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch +Patch24: backport-CVE-2023-5678-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch BuildRequires: gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git nasm @@ -1034,6 +1045,9 @@ fi %files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers %changelog +* Tue Dec 19 2023 wangqingsan - 2.15.1-10 +- backport patch and cve + * Sat Oct 28 2023 houmingyong - 2.15.1-9 - backport patch and cve -- Gitee