Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dev-libs/openssl, sys-apps/shadow: Security updates #1037

Merged
merged 5 commits into from
Aug 2, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions changelog/security/2023-08-01-openssl-shadow.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
- OpenSSL ([CVE-2023-2975](https://nvd.nist.gov/vuln/detail/CVE-2023-2975), [CVE-2023-3446](https://nvd.nist.gov/vuln/detail/CVE-2023-3446))
- shadow ([CVE-2023-29383](https://nvd.nist.gov/vuln/detail/CVE-2023-29383))
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#!/usr/bin/env bash
# Copyright 1999-2020 Gentoo Authors
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
#
# Openssl doesn't play along nicely with cross-compiling
Expand Down Expand Up @@ -77,7 +77,9 @@ fi

# Detect target arch
machine=""
submachine=""
chost_machine=${CHOST%%-*}
[[ ${CC} == *clang* ]] && submachine="-clang"
case ${system} in
linux)
case ${chost_machine}:${ABI} in
Expand All @@ -95,7 +97,7 @@ linux)
# hppa64*) machine=parisc64;;
hppa*) machine="generic32 -DB_ENDIAN";;
i[0-9]86*|\
x86_64*:x86) machine=x86;;
x86_64*:x86) machine=x86${submachine};;
ia64*) machine=ia64;;
loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
m68*) machine="latomic -DB_ENDIAN";;
Expand All @@ -109,7 +111,9 @@ linux)
powerpc64*) machine=ppc64;;
powerpc*le*) machine="generic32 -DL_ENDIAN";;
powerpc*) machine=ppc;;
riscv32be*) machine="generic32 -DB_ENDIAN";;
riscv32*) machine="generic32 -DL_ENDIAN";;
riscv64be*) machine="riscv64 -DB_ENDIAN" system=linux64;;
riscv64*) machine="riscv64 -DL_ENDIAN" system=linux64;;
# sh64*) machine=elf;;
sh*b*) machine="generic32 -DB_ENDIAN";;
Expand All @@ -125,7 +129,7 @@ linux)
s390x*) machine=s390x system=linux64;;
s390*) machine="generic32 -DB_ENDIAN";;
x86_64*:x32) machine=x32;;
x86_64*) machine=x86_64;;
x86_64*) machine=x86_64${submachine};;
esac
;;
BSD)
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598
https://github.com/openssl/openssl/commit/96318a8d21bed334d78797eca5b32790775d5f05

From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <[email protected]>
Date: Tue, 4 Jul 2023 17:30:35 +0200
Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode

The AES-SIV mode allows for multiple associated data items
authenticated separately with any of these being 0 length.

The provided implementation ignores such empty associated data
which is incorrect in regards to the RFC 5297 and is also
a security issue because such empty associated data then become
unauthenticated if an application expects to authenticate them.

Fixes CVE-2023-2975

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/21384)

(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
--- a/providers/implementations/ciphers/cipher_aes_siv.c
+++ b/providers/implementations/ciphers/cipher_aes_siv.c
@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
if (!ossl_prov_is_running())
return 0;

- if (inl == 0) {
- *outl = 0;
- return 1;
- }
+ /* Ignore just empty encryption/decryption call and not AAD. */
+ if (out != NULL) {
+ if (inl == 0) {
+ if (outl != NULL)
+ *outl = 0;
+ return 1;
+ }

- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
}

if (ctx->hw->cipher(ctx, out, in, inl) <= 0)

From 96318a8d21bed334d78797eca5b32790775d5f05 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <[email protected]>
Date: Tue, 4 Jul 2023 17:50:37 +0200
Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/21384)

(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)
--- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
+++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
Plaintext = 112233445566778899aabbccddee
Ciphertext = 40c02b9690c4dc04daef7f6afe5c

+Cipher = aes-128-siv
+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Tag = f1c5fdeac1f15a26779c1501f9fb7588
+Plaintext = 112233445566778899aabbccddee
+Ciphertext = 27e946c669088ab06da58c5c831c
+
+Cipher = aes-128-siv
+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+AAD =
+Tag = d1022f5b3664e5a4dfaf90f85be6f28a
+Plaintext = 112233445566778899aabbccddee
+Ciphertext = b66cff6b8eca0b79f083b39a0901
+
Cipher = aes-128-siv
Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d

+Cipher = aes-128-siv
+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
+AAD =
+AAD = 09f911029d74e35bd84156c5635688c0
+Tag = 83ce6593a8fa67eb6fcd2819cedfc011
+Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
+Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
+
+Cipher = aes-128-siv
+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
+AAD =
+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
+AAD = 09f911029d74e35bd84156c5635688c0
+Tag = 77dd4a44f5a6b41302121ee7f378de25
+Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
+Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe
+
Cipher = aes-192-siv
Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0
AAD = 101112131415161718191a1b1c1d1e1f2021222324252627
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb
https://github.com/openssl/openssl/commit/8a62fd996cb1c22383ec75b4155d54dec4a1b0ee

From 1fa20cf2f506113c761777127a38bce5068740eb Mon Sep 17 00:00:00 2001
From: Matt Caswell <[email protected]>
Date: Thu, 6 Jul 2023 16:36:35 +0100
Subject: [PATCH] Fix DH_check() excessive time with over sized modulus

The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.

There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.

An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.

The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().

CVE-2023-3446

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tom Cosgrove <[email protected]>
Reviewed-by: Bernd Edlinger <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/21451)

(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
if (nid != NID_undef)
return 1;

+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
if (!DH_check_params(dh, ret))
return 0;

--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
# include <openssl/dherr.h>

# ifndef OPENSSL_DH_MAX_MODULUS_BITS
-# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# endif
+
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
# endif

# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024

From 8a62fd996cb1c22383ec75b4155d54dec4a1b0ee Mon Sep 17 00:00:00 2001
From: Matt Caswell <[email protected]>
Date: Fri, 7 Jul 2023 14:39:48 +0100
Subject: [PATCH] Add a test for CVE-2023-3446

Confirm that the only errors DH_check() finds with DH parameters with an
excessively long modulus is that the modulus is too large. We should not
be performing time consuming checks using that modulus.

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tom Cosgrove <[email protected]>
Reviewed-by: Bernd Edlinger <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/21451)

(cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -73,7 +73,7 @@ static int dh_test(void)
goto err1;

/* check fails, because p is way too small */
- if (!DH_check(dh, &i))
+ if (!TEST_true(DH_check(dh, &i)))
goto err2;
i ^= DH_MODULUS_TOO_SMALL;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
@@ -124,6 +124,17 @@ static int dh_test(void)
/* We'll have a stale error on the queue from the above test so clear it */
ERR_clear_error();

+ /* Modulus of size: dh check max modulus bits + 1 */
+ if (!TEST_true(BN_set_word(p, 1))
+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+ goto err3;
+
+ /*
+ * We expect no checks at all for an excessively large modulus
+ */
+ if (!TEST_false(DH_check(dh, &i)))
+ goto err3;
+
/*
* II) key generation
*/
@@ -138,7 +149,7 @@ static int dh_test(void)
goto err3;

/* ... and check whether it is valid */
- if (!DH_check(a, &i))
+ if (!TEST_true(DH_check(a, &i)))
goto err3;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,8 @@ EAPI=8

VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
TMPFILES_OPTIONAL=1
inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig systemd tmpfiles
inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig tmpfiles

DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://www.openssl.org/"
Expand All @@ -19,7 +20,7 @@ if [[ ${PV} == 9999 ]] ; then
else
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos"
fi

S="${WORKDIR}"/${MY_P}
Expand Down Expand Up @@ -54,6 +55,11 @@ MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
)

PATCHES=(
"${FILESDIR}"/${P}-CVE-2023-2975.patch
"${FILESDIR}"/${P}-CVE-2023-3446.patch
)

pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
Expand Down Expand Up @@ -139,6 +145,11 @@ src_configure() {

append-flags $(test-flags-CC -Wa,--noexecstack)

# bug #895308
append-atomic-flags
# Configure doesn't respect LIBS
export LDLIBS="${LIBS}"

# bug #197996
unset APPS
# bug #312551
Expand Down Expand Up @@ -216,7 +227,7 @@ multilib_src_compile() {
multilib_src_test() {
# VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down.
emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
}

multilib_src_install() {
Expand Down Expand Up @@ -275,5 +286,7 @@ pkg_preinst() {
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
eend $?
fi
}

preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}

This file was deleted.

Loading