Fix occasional internal error in TLS when DHE is used

Resolves: rhbz#2004915 Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-03-22 13:04:16 +01:00 · 2022-03-22 13:04:16 +01:00 · 93ff3f8fe5
commit 93ff3f8fe5
parent 153f593fa6
2 changed files with 60 additions and 1 deletions
--- a/0054-Replace-size-check-with-more-meaningful-pubkey-check.patch
+++ b/0054-Replace-size-check-with-more-meaningful-pubkey-check.patch
@ -0,0 +1,53 @@
+From 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Wed, 2 Feb 2022 17:47:26 +0100
+Subject: [PATCH] Replace size check with more meaningful pubkey check
+
+It does not make sense to check the size because this
+function can be used in other contexts than in TLS-1.3 and
+the value might not be padded to the size of p.
+
+However it makes sense to do the partial pubkey check because
+there is no valid reason having the pubkey value outside the
+1 < pubkey < p-1 bounds.
+
+Fixes #15465
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/17630)
+---
+ crypto/dh/dh_key.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 6b8cd550f2..c78ed618bf 100644
+--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
+@@ -375,20 +375,17 @@ int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
+     int err_reason = DH_R_BN_ERROR;
+     BIGNUM *pubkey = NULL;
+     const BIGNUM *p;
+-    size_t p_size;
+    int ret;
+ 
+     if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
+         goto err;
+     DH_get0_pqg(dh, &p, NULL, NULL);
+-    if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
+    if (p == NULL || BN_num_bytes(p) == 0) {
+         err_reason = DH_R_NO_PARAMETERS_SET;
+         goto err;
+     }
+-    /*
+-     * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
+-     * public key is of size not equal to size of p
+-     */
+-    if (BN_is_zero(pubkey) || p_size != len) {
+    /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
+    if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
+         err_reason = DH_R_INVALID_PUBKEY;
+         goto err;
+     }
+-- 
+2.35.1
+
--- a/openssl.spec
+++ b/openssl.spec
@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 20%{?dist}
+Release: 21%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -86,6 +86,8 @@ Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
 Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
 # CVE 2022-0778
 Patch53: 0053-CVE-2022-0778.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2004915, backport of 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62
+Patch54: 0054-Replace-size-check-with-more-meaningful-pubkey-check.patch

 License: ASL 2.0
 URL: http://www.openssl.org/
@ -416,6 +418,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Tue Mar 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-21
+- Fix occasional internal error in TLS when DHE is used
+- Resolves: rhbz#2004915
+
 * Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-20
 - Fix acceptance of SHA-1 certificates with rh-allow-sha1-signatures = yes when
  no OpenSSL library context is set