!125 CVE-2023-3446

Merge pull request !125 from code4lala/CVE-2023-3446

!125 CVE-2023-3446
Merge pull request !125 from code4lala/CVE-2023-3446
2a14625b · openharmony_ci · Gitee · 566ce903 · 64928fc2 · 2a14625b
隐藏空白更改
内联并排

Showing with 33 addition and 1 deletion

CHANGES.md CHANGES.md +20 -0

NEWS.md NEWS.md +2 -0

crypto/dh/dh_check.c crypto/dh/dh_check.c +6 -0

include/openssl/dh.h include/openssl/dh.h +5 -1

未找到文件。
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,6 +28,25 @@ breaking changes, and mappings for the large list of deprecated functions.

 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

+ * Fix DH_check() excessive time with over sized modulus
+
+   The function DH_check() performs various checks on DH parameters. One of
+   those checks confirms that the modulus ("p" parameter) is not too large.
+   Trying to use a very large modulus is slow and OpenSSL will not normally use
+   a modulus which is over 10,000 bits in length.
+
+   However the DH_check() function checks numerous aspects of the key or
+   parameters that have been supplied. Some of those checks use the supplied
+   modulus value even if it has already been found to be too large.
+
+   A new limit has been added to DH_check of 32,768 bits. Supplying a
+   key/parameters with a modulus over this size will simply cause DH_check() to
+   fail.
+
+   ([CVE-2023-3446])
+
+   *Matt Caswell*
+
 * Do not ignore empty associated data entries with AES-SIV.

   The AES-SIV algorithm allows for authentication of multiple associated
@@ -19495,6 +19514,7 @@ ndif

 <!-- Links -->

+[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466

--- a/NEWS.md
+++ b/NEWS.md
@@ -17,6 +17,7 @@ OpenSSL Releases

 OpenSSL 3.0
 -----------
+  * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
  * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
  * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT
    IDENTIFIER sub-identities.  ([CVE-2023-2650])
@@ -1425,6 +1426,7 @@ OpenSSL 0.9.x

 <!-- Links -->

+[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466

--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
    if (nid != NID_undef)
        return 1;

+    /* Don't do any checks at all with an excessively large modulus */
+    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+        return 0;
+    }
+
    if (!DH_check_params(dh, ret))
        return 0;


--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
 #  include <openssl/dherr.h>

 #  ifndef OPENSSL_DH_MAX_MODULUS_BITS
-#   define OPENSSL_DH_MAX_MODULUS_BITS    10000
+#   define OPENSSL_DH_MAX_MODULUS_BITS        10000
+#  endif
+
+#  ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+#   define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
 #  endif

 #  define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024