From c8e7f20819f59b36d2cf729d5e17f5ea94aaa048 Mon Sep 17 00:00:00 2001 From: Saurabh Pandit Date: Mon, 26 Feb 2024 12:39:07 +0530 Subject: [PATCH] Revert "[PA-6132] : Applied CVE patch to openssl-1.1.1" This reverts commit 832549bc09bc046772a27ed3ba4414abba00293e. --- configs/components/openssl-1.1.1.rb | 3 - resources/patches/openssl/CVE-2023-5678.patch | 142 ------------------ resources/patches/openssl/CVE-2024-0727.patch | 116 -------------- 3 files changed, 261 deletions(-) delete mode 100644 resources/patches/openssl/CVE-2023-5678.patch delete mode 100644 resources/patches/openssl/CVE-2024-0727.patch diff --git a/configs/components/openssl-1.1.1.rb b/configs/components/openssl-1.1.1.rb index 3c1080465..232531cec 100644 --- a/configs/components/openssl-1.1.1.rb +++ b/configs/components/openssl-1.1.1.rb @@ -87,9 +87,6 @@ end end - pkg.apply_patch 'resources/patches/openssl/CVE-2023-5678.patch' - pkg.apply_patch 'resources/patches/openssl/CVE-2024-0727.patch' - #################### # BUILD REQUIREMENTS #################### diff --git a/resources/patches/openssl/CVE-2023-5678.patch b/resources/patches/openssl/CVE-2023-5678.patch deleted file mode 100644 index cab8461c2..000000000 --- a/resources/patches/openssl/CVE-2023-5678.patch +++ /dev/null @@ -1,142 +0,0 @@ -Backport of: - -From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Fri, 20 Oct 2023 09:18:19 +0200 -Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet - -We already check for an excessively large P in DH_generate_key(), but not in -DH_check_pub_key(), and none of them check for an excessively large Q. - -This change adds all the missing excessive size checks of P and Q. - -It's to be noted that behaviours surrounding excessively sized P and Q -differ. DH_check() raises an error on the excessively sized P, but only -sets a flag for the excessively sized Q. This behaviour is mimicked in -DH_check_pub_key(). - -Reviewed-by: Tomas Mraz -Reviewed-by: Matt Caswell -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/22518) - -(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6) ---- - crypto/dh/dh_check.c | 12 ++++++++++++ - crypto/dh/dh_err.c | 3 ++- - crypto/dh/dh_key.c | 12 ++++++++++++ - crypto/err/openssl.txt | 1 + - include/crypto/dherr.h | 2 +- - include/openssl/dh.h | 6 +++--- - include/openssl/dherr.h | 3 ++- - 7 files changed, 33 insertions(+), 6 deletions(-) - ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -201,6 +201,19 @@ int DH_check_pub_key(const DH *dh, const - if (ctx == NULL) - goto err; - BN_CTX_start(ctx); -+ -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ goto err; -+ } -+ -+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ goto out; -+ } -+ - tmp = BN_CTX_get(ctx); - if (tmp == NULL || !BN_set_word(tmp, 1)) - goto err; -@@ -219,6 +232,7 @@ int DH_check_pub_key(const DH *dh, const - *ret |= DH_CHECK_PUBKEY_INVALID; - } - -+ out: - ok = 1; - err: - BN_CTX_end(ctx); ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -82,6 +82,7 @@ static const ERR_STRING_DATA DH_str_reas - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -87,6 +87,12 @@ static int generate_key(DH *dh) - return 0; - } - -+ if (dh->q != NULL -+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; -@@ -180,6 +186,12 @@ static int compute_key(unsigned char *ke - goto err; - } - -+ if (dh->q != NULL -+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -2110,6 +2110,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_Q_VALUE:102:bad q value ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -71,14 +71,16 @@ DECLARE_ASN1_ITEM(DHparams) - /* #define DH_GENERATOR_3 3 */ - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - # define DH_CHECK_P_NOT_PRIME 0x01 - # define DH_CHECK_P_NOT_SAFE_PRIME 0x02 - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 -+# define DH_MODULUS_TOO_SMALL 0x80 -+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -82,6 +82,7 @@ int ERR_load_DH_strings(void); - # define DH_R_NO_PRIVATE_VALUE 100 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - diff --git a/resources/patches/openssl/CVE-2024-0727.patch b/resources/patches/openssl/CVE-2024-0727.patch deleted file mode 100644 index 5a928ea7a..000000000 --- a/resources/patches/openssl/CVE-2024-0727.patch +++ /dev/null @@ -1,116 +0,0 @@ -Backport of: - -From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 19 Jan 2024 11:28:58 +0000 -Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL - -PKCS12 structures contain PKCS7 ContentInfo fields. These fields are -optional and can be NULL even if the "type" is a valid value. OpenSSL -was not properly accounting for this and a NULL dereference can occur -causing a crash. - -CVE-2024-0727 - -Reviewed-by: Tomas Mraz -Reviewed-by: Hugo Landau -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/23362) - -(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) ---- - crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ - crypto/pkcs12/p12_mutl.c | 5 +++++ - crypto/pkcs12/p12_npas.c | 5 +++-- - crypto/pkcs7/pk7_mime.c | 7 +++++-- - 4 files changed, 31 insertions(+), 4 deletions(-) - ---- a/crypto/pkcs12/p12_add.c -+++ b/crypto/pkcs12/p12_add.c -@@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ - PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p7->d.data == NULL) { -+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, -+ PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); - } - -@@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ - { - if (!PKCS7_type_is_encrypted(p7)) - return NULL; -+ -+ if (p7->d.encrypted == NULL) { -+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, - ASN1_ITEM_rptr(PKCS12_SAFEBAGS), - pass, passlen, -@@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes - PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p12->authsafes->d.data == NULL) { -+ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, -+ PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return ASN1_item_unpack(p12->authsafes->d.data, - ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); - } ---- a/crypto/pkcs12/p12_mutl.c -+++ b/crypto/pkcs12/p12_mutl.c -@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c - return 0; - } - -+ if (p12->authsafes->d.data == NULL) { -+ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); -+ return 0; -+ } -+ - salt = p12->mac->salt->data; - saltlen = p12->mac->salt->length; - if (!p12->mac->iter) ---- a/crypto/pkcs12/p12_npas.c -+++ b/crypto/pkcs12/p12_npas.c -@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons - bags = PKCS12_unpack_p7data(p7); - } else if (bagnid == NID_pkcs7_encrypted) { - bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); -- if (!alg_get(p7->d.encrypted->enc_data->algorithm, -- &pbe_nid, &pbe_iter, &pbe_saltlen)) -+ if (p7->d.encrypted == NULL -+ || !alg_get(p7->d.encrypted->enc_data->algorithm, -+ &pbe_nid, &pbe_iter, &pbe_saltlen)) - goto err; - } else { - continue; ---- a/crypto/pkcs7/pk7_mime.c -+++ b/crypto/pkcs7/pk7_mime.c -@@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p - { - STACK_OF(X509_ALGOR) *mdalgs; - int ctype_nid = OBJ_obj2nid(p7->type); -- if (ctype_nid == NID_pkcs7_signed) -+ if (ctype_nid == NID_pkcs7_signed) { -+ if (p7->d.sign == NULL) -+ return 0; - mdalgs = p7->d.sign->md_algs; -- else -+ } else { - mdalgs = NULL; -+ } - - flags ^= SMIME_OLDMIME; -