authorBernard Spil <brnrd@FreeBSD.org>2023-08-02 19:27:30 +0000
committerBernard Spil <brnrd@FreeBSD.org>2023-08-02 19:27:30 +0000
commit04ffe8fb6bec091ce3a5c20c7ab73bce30d2b333 (patch)
treeeb6cd668d8b0b171d44671a98592eb5097aa91a1 /security/openssl
parentc440e5ffffbc759e5ce363414882882105404a55 (diff)
Diffstat (limited to 'security/openssl')
-rw-r--r--security/openssl/Makefile3
-rw-r--r--security/openssl/distinfo6
-rw-r--r--security/openssl/files/patch-CVE-2023-381755
3 files changed, 4 insertions, 60 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index d0ffd1cac2a2..886026009708 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,6 +1,5 @@
PORTNAME= openssl
-PORTVERSION= 1.1.1u
-PORTREVISION= 1
+PORTVERSION= 1.1.1v
PORTEPOCH= 1
CATEGORIES= security devel
MASTER_SITES= https://www.openssl.org/source/ \
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index a37ebb5597c4..f9b0843950cb 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1685529813
-SHA256 (openssl-1.1.1u.tar.gz) = e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6
-SIZE (openssl-1.1.1u.tar.gz) = 9892176
+TIMESTAMP = 1691003970
+SHA256 (openssl-1.1.1v.tar.gz) = d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0
+SIZE (openssl-1.1.1v.tar.gz) = 9893443
diff --git a/security/openssl/files/patch-CVE-2023-3817 b/security/openssl/files/patch-CVE-2023-3817
deleted file mode 100644
index 3f1d5193c73f..000000000000
--- a/security/openssl/files/patch-CVE-2023-3817
+++ /dev/null
@@ -1,55 +0,0 @@
-From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 21 Jul 2023 11:39:41 +0200
-Subject: [PATCH] DH_check(): Do not try checking q properties if it is
- obviously invalid
-
-If |q| >= |p| then the q value is obviously wrong as q
-is supposed to be a prime divisor of p-1.
-
-We check if p is overly large so this added test implies that
-q is not large either when performing subsequent tests using that
-q value.
-
-Otherwise if it is too large these additional checks of the q value
-such as the primality test can then trigger DoS by doing overly long
-computations.
-
-Fixes CVE-2023-3817
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21551)
----
- crypto/dh/dh_check.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 2001d2e7cb19..9ae96991eb4a 100644
---- crypto/dh/dh_check.c.orig
-+++ crypto/dh/dh_check.c
-@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh)
-
- int DH_check(const DH *dh, int *ret)
- {
-- int ok = 0, r;
-+ int ok = 0, r, q_good = 0;
- BN_CTX *ctx = NULL;
- BIGNUM *t1 = NULL, *t2 = NULL;
-
-@@ -120,7 +120,14 @@ int DH_check(const DH *dh, int *ret)
- if (t2 == NULL)
- goto err;
-
-- if (dh->q) {
-+ if (dh->q != NULL) {
-+ if (BN_ucmp(dh->p, dh->q) > 0)
-+ q_good = 1;
-+ else
-+ *ret |= DH_CHECK_INVALID_Q_VALUE;
-+ }
-+
-+ if (q_good) {
- if (BN_cmp(dh->g, BN_value_one()) <= 0)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- else if (BN_cmp(dh->g, dh->p) >= 0)