<pre style='margin:0'>
Clemens Lang (neverpanic) pushed a commit to branch master
in repository macports-ports.

</pre>
<p><a href="https://github.com/macports/macports-ports/commit/a2d813872e61f1e9e894e57aa1419ab2c3730beb">https://github.com/macports/macports-ports/commit/a2d813872e61f1e9e894e57aa1419ab2c3730beb</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'>     new a2d813872e6 openssl3: Fix CVE-2023-6237
</span>a2d813872e6 is described below

<span style='display:block; white-space:pre;color:#808000;'>commit a2d813872e61f1e9e894e57aa1419ab2c3730beb
</span>Author: Clemens Lang <cal@macports.org>
AuthorDate: Mon Jan 15 14:12:44 2024 +0100

<span style='display:block; white-space:pre;color:#404040;'>    openssl3: Fix CVE-2023-6237
</span><span style='display:block; white-space:pre;color:#404040;'>    
</span><span style='display:block; white-space:pre;color:#404040;'>    See https://www.openssl.org/news/secadv/20240115.txt for the upstream
</span><span style='display:block; white-space:pre;color:#404040;'>    advisory. The severity of CVE-2023-6237 is low.
</span><span style='display:block; white-space:pre;color:#404040;'>    
</span><span style='display:block; white-space:pre;color:#404040;'>    CVE: CVE-2023-6237
</span>---
 devel/openssl3/Portfile                            |  12 +-
 .../0b0f7abfb37350794a4b8960fafc292cd5d1b84d.patch | 122 +++++++++++++++++++++
 .../a830f551557d3d66a84bbb18a5b889c640c36294.patch | 122 +++++++++++++++++++++
 3 files changed, 252 insertions(+), 4 deletions(-)

<span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/openssl3/Portfile b/devel/openssl3/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 159e0cbd3dd..e2d4652b75c 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/devel/openssl3/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/openssl3/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -13,7 +13,7 @@ name                openssl$major_v
</span> # For rolling back to 3.1.4 release where needed. Must now stay.
 epoch               1
 version             ${major_v}.2.0
<span style='display:block; white-space:pre;background:#ffe0e0;'>-revision            0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision            1
</span> 
 # Please revbump these ports when updating the openssl3 version/revision
 #  - freeradius (#43461)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -54,6 +54,8 @@ checksums           rmd160  88d268dca2256ce7d6db7cd20e54bd936d134dbb \
</span>                     sha256  14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e \
                     size    17698352
 
<span style='display:block; white-space:pre;background:#e0ffe0;'>+patchfiles          0b0f7abfb37350794a4b8960fafc292cd5d1b84d.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # 3.2.0 is currently broken for OS < 10.14
 if {${os.platform} eq "darwin" && ${os.major} < 18} {
 
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -69,10 +71,12 @@ if {${os.platform} eq "darwin" && ${os.major} < 18} {
</span>             distname            openssl-${version}
 
             checksums           rmd160  44e8f5368a6f62508b8b83124239bf1ebbba8d18 \
<span style='display:block; white-space:pre;background:#ffe0e0;'>-                        sha256  840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-                        size    15569450
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                                sha256  840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                                size    15569450
</span> 
<span style='display:block; white-space:pre;background:#ffe0e0;'>-            patchfiles          ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            patchfiles-delete   0b0f7abfb37350794a4b8960fafc292cd5d1b84d.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+            patchfiles          ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+                                a830f551557d3d66a84bbb18a5b889c640c36294.patch
</span>     }
 
 }
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/openssl3/files/0b0f7abfb37350794a4b8960fafc292cd5d1b84d.patch b/devel/openssl3/files/0b0f7abfb37350794a4b8960fafc292cd5d1b84d.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..8b0aa9c6155
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/openssl3/files/0b0f7abfb37350794a4b8960fafc292cd5d1b84d.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,122 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From 0b0f7abfb37350794a4b8960fafc292cd5d1b84d Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Tomas Mraz <tomas@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Fri, 22 Dec 2023 16:25:56 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH] Limit the execution time of RSA public key check
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fixes CVE-2023-6237
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+If a large and incorrect RSA public key is checked with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+EVP_PKEY_public_check() the computation could take very long time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+due to no limit being applied to the RSA public key size and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+unnecessarily high number of Miller-Rabin algorithm rounds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+used for non-primality check of the modulus.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Also the number of Miller-Rabin rounds was set to 5.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Neil Horman <nhorman@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Matt Caswell <matt@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(Merged from https://github.com/openssl/openssl/pull/23243)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ crypto/rsa/rsa_sp800_56b_check.c              |  8 +++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ test/recipes/91-test_pkey_check.t             |  2 +-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .../91-test_pkey_check_data/rsapub_17k.pem    | 48 +++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 3 files changed, 56 insertions(+), 2 deletions(-)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index c585465b32752..3f0a1e0d6b1ee 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./crypto/rsa/rsa_sp800_56b_check.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./crypto/rsa/rsa_sp800_56b_check.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+         return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     nbits = BN_num_bits(rsa->n);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++    if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++        ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++        return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++    }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef FIPS_MODULE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+      * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+         goto err;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++    /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef FIPS_MODULE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index dc7cc64533af2..f8088df14d36c 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./test/recipes/91-test_pkey_check.t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./test/recipes/91-test_pkey_check.t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -70,7 +70,7 @@ push(@positive_tests, (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     "dhpkey.pem"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     )) unless disabled("dh");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-my @negative_pubtests = ();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++my @negative_pubtests = ("rsapub_17k.pem");  # Too big RSA public key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ push(@negative_pubtests, (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     "dsapub_noparam.der"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new file mode 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 0000000000000..9a2eaedaf1b22
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./test/recipes/91-test_pkey_check_data/rsapub_17k.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,48 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++-----BEGIN PUBLIC KEY-----
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++AQAB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++-----END PUBLIC KEY-----
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/openssl3/files/a830f551557d3d66a84bbb18a5b889c640c36294.patch b/devel/openssl3/files/a830f551557d3d66a84bbb18a5b889c640c36294.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..19f5499f32b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/openssl3/files/a830f551557d3d66a84bbb18a5b889c640c36294.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,122 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From a830f551557d3d66a84bbb18a5b889c640c36294 Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Tomas Mraz <tomas@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Fri, 22 Dec 2023 16:25:56 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH] Limit the execution time of RSA public key check
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fixes CVE-2023-6237
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+If a large and incorrect RSA public key is checked with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+EVP_PKEY_public_check() the computation could take very long time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+due to no limit being applied to the RSA public key size and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+unnecessarily high number of Miller-Rabin algorithm rounds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+used for non-primality check of the modulus.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Also the number of Miller-Rabin rounds was set to 5.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Neil Horman <nhorman@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Matt Caswell <matt@openssl.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(Merged from https://github.com/openssl/openssl/pull/23243)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ crypto/rsa/rsa_sp800_56b_check.c              |  8 +++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ test/recipes/91-test_pkey_check.t             |  2 +-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .../91-test_pkey_check_data/rsapub_17k.pem    | 48 +++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 3 files changed, 56 insertions(+), 2 deletions(-)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index fc8f19b48770b..bcbdd24fb8199 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./crypto/rsa/rsa_sp800_56b_check.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./crypto/rsa/rsa_sp800_56b_check.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+         return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     nbits = BN_num_bits(rsa->n);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++    if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++        ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++        return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++    }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef FIPS_MODULE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+      * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+         goto err;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++    /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef FIPS_MODULE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index dc7cc64533af2..f8088df14d36c 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./test/recipes/91-test_pkey_check.t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./test/recipes/91-test_pkey_check.t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -70,7 +70,7 @@ push(@positive_tests, (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     "dhpkey.pem"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     )) unless disabled("dh");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-my @negative_pubtests = ();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++my @negative_pubtests = ("rsapub_17k.pem");  # Too big RSA public key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ push(@negative_pubtests, (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+     "dsapub_noparam.der"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new file mode 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 0000000000000..9a2eaedaf1b22
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./test/recipes/91-test_pkey_check_data/rsapub_17k.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,48 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++-----BEGIN PUBLIC KEY-----
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++AQAB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++-----END PUBLIC KEY-----
</span></pre><pre style='margin:0'>

</pre>