diff --git a/CHANGES.md b/CHANGES.md index 0ba6e2f68ba1164e050bad9cfd02787328b19b5b..d7c0c9c93e4dd445434ba5508cf55ebe9ebda1a5 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,7 +28,24 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod - * Fix DH_check() excessive time with over sized modulus + * Fix excessive time spent checking DH q parameter value. + + The function DH_check() performs various checks on DH parameters. After + fixing CVE-2023-3446 it was discovered that a large q parameter value can + also trigger an overly long computation during some of these checks. + A correct q value, if present, cannot be larger than the modulus p + parameter, thus it is unnecessary to perform these checks if q is larger + than p. + + If DH_check() is called with such q parameter value, + DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally + intensive checks are skipped. + + ([CVE-2023-3817]) + + *Tomáš Mráz* + + * Fix DH_check() excessive time with over sized modulus. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. @@ -65,7 +82,7 @@ breaking changes, and mappings for the large list of deprecated functions. has to skip calls to `EVP_DecryptUpdate()` for empty associated data entries. - *Tomas Mraz* + *Tomáš Mráz* * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. @@ -19514,6 +19531,7 @@ ndif +[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 
diff --git a/NEWS.md b/NEWS.md index a2701df15efc5ae55cda652135a1834b75af8782..71611e437b153f46e79087018c38132f8763738d 100644 --- a/NEWS.md +++ b/NEWS.md @@ -17,6 +17,7 @@ OpenSSL Releases OpenSSL 3.0 ----------- + * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT @@ -1426,6 +1427,7 @@ OpenSSL 0.9.x +[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index 4a452ebc0a6678f689cfb7871ffe9562fd31b484..d0e6cfdf86f87060bc1784fce44558c66288c0ba 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c @@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret) #ifdef FIPS_MODULE return DH_check_params(dh, ret); #else - int ok = 0, r; + int ok = 0, r, q_good = 0; BN_CTX *ctx = NULL; BIGNUM *t1 = NULL, *t2 = NULL; int nid = DH_get_nid((DH *)dh); @@ -171,6 +171,13 @@ int DH_check(const DH *dh, int *ret) goto err; if (dh->params.q != NULL) { + if (BN_ucmp(dh->params.p, dh->params.q) > 0) + q_good = 1; + else + *ret |= DH_CHECK_INVALID_Q_VALUE; + } + + if (q_good) { if (BN_cmp(dh->params.g, BN_value_one()) <= 0) *ret |= DH_NOT_SUITABLE_GENERATOR; else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
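Review bot: The new `q_good` guard in DH_check() has no comment explaining why the q-dependent checks are skipped, and it protects only this one entry point. A line such as `/* A valid q is always smaller than p; skip the costly q-based checks otherwise */` above `if (BN_ucmp(dh->params.p, dh->params.q) > 0)` would record that this is a resource-exhaustion guard, not a full validity test of q. An oversized q now sets only DH_CHECK_INVALID_Q_VALUE and skips the generator checks under `if (q_good)`, so callers must treat any non-zero `*ret` as failure instead of testing individual bits such as DH_NOT_SUITABLE_GENERATOR. Other paths that do arithmetic with q (DH_check_pub_key(), for instance) are not in the diff as shown, so it is worth confirming they also bound q against p. DH_check()'s body continues outside the hunk.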