openssl3: Roll back broken v3.2.0 to v3.1.4 on OS <10.13

Version 3.2.0 has many issues on many older platforms.

Adds -devel version to facilitate testing 3.2.0 in such cases.

Although the epoch bump is only needed for the rollback cases, making
it conditional on the OS version would require that it remain so in
the future, so the unconditional epoch bump is preferable.  The epoch
bump is the only change for macOS >= 10.14.

Revbumps the usual suspects.

Closes: https://trac.macports.org/ticket/68763
Closes: https://trac.macports.org/ticket/68766

TESTED:
Built, tested, and ran "openssl rand -hex 8" on 10.4-10.5 ppc,
10.4-10.6 i386, 10.5-10.15 x86_64, and 11.x-14.x arm64
The 3.1.4 version builds for all relevant platforms, and passes its
tests on all but 10.6-10.8.
The 3.2.0 -devel version builds for all but 10.4, failing its tests on
10.5-10.9 and 10.13 universal.
The 3.2.0 version fails its tests on 10.14 and 14.x.
The non-devel versions all pass "openssl rand".
This commit is contained in:
Fred Wright
2023-11-29 17:28:57 -08:00
committed by Clemens Lang
parent 45c1164c83
commit dbf4acd621
6 changed files with 203 additions and 4 deletions
+1 -1
View File
@@ -6,7 +6,7 @@ PortGroup openssl 1.0
name openssl
epoch 2
version [openssl::default_branch]
revision 15
revision 16
categories devel security
platforms darwin
+25
View File
@@ -10,6 +10,8 @@ legacysupport.newest_darwin_requires_legacy 8
set major_v 3
name openssl$major_v
# For rolling back to 3.1.4 release where needed. Must now stay.
epoch 1
version ${major_v}.2.0
revision 0
@@ -52,6 +54,29 @@ checksums rmd160 88d268dca2256ce7d6db7cd20e54bd936d134dbb \
sha256 14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e \
size 17698352
# 3.2.0 is currently broken for OS < 10.14
if {${os.platform} eq "darwin" && ${os.major} < 18} {
subport ${name}-devel {
conflicts ${name}
}
if {$subport eq $name} {
conflicts ${name}-devel
version ${major_v}.1.4
revision 1
distname openssl-${version}
checksums rmd160 44e8f5368a6f62508b8b83124239bf1ebbba8d18 \
sha256 840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3 \
size 15569450
patchfiles ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6.patch
}
}
if {${os.platform} eq "darwin" && ${os.major} < 11} {
# Having the stdlib set to libc++ on 10.6 causes a dependency on a
# macports-clang compiler to be added, which would be a dep cycle.
@@ -0,0 +1,174 @@
From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 20 Oct 2023 09:18:19 +0200
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
We already check for an excessively large P in DH_generate_key(), but not in
DH_check_pub_key(), and none of them check for an excessively large Q.
This change adds all the missing excessive size checks of P and Q.
It's to be noted that behaviours surrounding excessively sized P and Q
differ. DH_check() raises an error on the excessively sized P, but only
sets a flag for the excessively sized Q. This behaviour is mimicked in
DH_check_pub_key().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22518)
Upstream-Stauts: Backport [github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6]
---
crypto/dh/dh_check.c | 12 ++++++++++++
crypto/dh/dh_err.c | 3 ++-
crypto/dh/dh_key.c | 12 ++++++++++++
crypto/err/openssl.txt | 1 +
include/crypto/dherr.h | 2 +-
include/openssl/dh.h | 6 +++---
include/openssl/dherr.h | 3 ++-
7 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 7ba2beae7fd6b..e20eb62081c5e 100644
--- ./crypto/dh/dh_check.c
+++ ./crypto/dh/dh_check.c
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
*/
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
{
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+ return 0;
+ }
+
+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+ return 1;
+ }
+
return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
}
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 4152397426cc9..f76ac0dd1463f 100644
--- ./crypto/dh/dh_err.c
+++ ./crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
"unable to check generator"},
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index d84ea99241b9e..afc49f5cdc87d 100644
--- ./crypto/dh/dh_key.c
+++ ./crypto/dh/dh_key.c
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
goto err;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ goto err;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
return 0;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ return 0;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index a1e6bbb617fcb..69e4f61aa1801 100644
--- ./crypto/err/openssl.txt
+++ ./crypto/err/openssl.txt
@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
DH_R_NO_PRIVATE_VALUE:100:no private value
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
DH_R_SHARED_INFO_ERROR:113:shared info error
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
index bb24d131eb887..519327f795742 100644
--- ./include/crypto/dherr.h
+++ ./include/crypto/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 8bc17448a0817..f1c0ed06b375a 100644
--- ./include/openssl/dh.h
+++ ./include/openssl/dh.h
@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_GENERATOR_3 3
# define DH_GENERATOR_5 5
-/* DH_check error codes */
+/* DH_check error codes, some of them shared with DH_check_pub_key */
/*
* NB: These values must align with the equivalently named macros in
* internal/ffc.h.
@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
# define DH_NOT_SUITABLE_GENERATOR 0x08
# define DH_CHECK_Q_NOT_PRIME 0x10
-# define DH_CHECK_INVALID_Q_VALUE 0x20
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
# define DH_CHECK_INVALID_J_VALUE 0x40
# define DH_MODULUS_TOO_SMALL 0x80
-# define DH_MODULUS_TOO_LARGE 0x100
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
/* DH_check_pub_key error codes */
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 5d2a762a96f8c..074a70145f9f5 100644
--- ./include/openssl/dherr.h
+++ ./include/openssl/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,6 +50,7 @@
# define DH_R_NO_PRIVATE_VALUE 100
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
+# define DH_R_Q_TOO_LARGE 130
# define DH_R_SHARED_INFO_ERROR 113
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
+1 -1
View File
@@ -6,7 +6,7 @@ PortGroup compiler_blacklist_versions 1.0
name openssh
version 9.5p1
revision 2
revision 3
categories net
maintainers {@artkiver gmail.com:artkiver} openmaintainer
license BSD
+1 -1
View File
@@ -5,7 +5,7 @@ PortGroup perl5 1.0
perl5.branches 5.28 5.30 5.32 5.34
perl5.setup Net-SSLeay 1.92
revision 2
revision 3
license Artistic-2
maintainers nomaintainer
description Perl extension for using OpenSSL
+1 -1
View File
@@ -5,7 +5,7 @@ PortGroup muniversal 1.0
name freeradius
version 3.0.21
revision 19
revision 20
checksums rmd160 04a038b701f19d9c598e826a795a0cdaacd3768b \
sha256 c22dad43954b0cbc957564d3f8cbb942ff09853852d2c2155d54e6bd641a4e7d \
size 3184588