diff --git a/CHANGES b/CHANGES index c0a33672370a430cd4497a41c69dcad55b82d131..79a7f04378d1f04f00af063851448ba4afc4906b 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,32 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + + OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical + numeric text form. For gigantic sub-identifiers, this would take a very + long time, the time complexity being O(n^2) where n is the size of that + sub-identifier. (CVE-2023-2650) + + To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT + IDENTIFIER to canonical numeric text form if the size of that OBJECT + IDENTIFIER is 586 bytes or less, and fail otherwise. + + The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT + IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at + most 128 sub-identifiers, and that the maximum value that each sub- + identifier may have is 2^32-1 (4294967295 decimal). + + For each byte of every sub-identifier, only the 7 lower bits are part of + the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with + these restrictions may occupy is 32 * 128 / 7, which is approximately 586 + bytes. + + Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + + [Richard Levitte] + Changes between 1.1.1s and 1.1.1t [xx XXX xxxx] *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention diff --git a/NEWS b/NEWS index 0fa0178f8ab957ab7c931568a4f79fe5cd8fedd0..eb2d6f9df9214bab089e62601a027ad3e94987bd 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,8 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) + o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic + OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021] diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index 46006fe6cf9c4636645efe5678ac4e012933a01a..1420639017050b1493d66665a0b15d6ffb8a2f82 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -427,6 +427,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) first = 1; bl = NULL; + /* + * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: + * + * > 3.5. OBJECT IDENTIFIER values + * > + * > An OBJECT IDENTIFIER value is an ordered list of non-negative + * > numbers. For the SMIv2, each number in the list is referred to as a + * > sub-identifier, there are at most 128 sub-identifiers in a value, + * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 + * > decimal). + * + * So a legitimate OID according to this RFC is at most (32 * 128 / 7), + * i.e. 586 bytes long. + * + * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + */ + if (len > 586) + goto err; + while (len > 0) { l = 0; use_bn = 0;