OpenHarmony / Third Party Openssl
Compare revisions
2a14625b9e4189aca6b75ddc740b6d31a738820c...3a2dc26099c1caab425b97b33df6b7c768e1737a
Commits (3)
https://gitcode.net/openharmony/third_party_openssl/-/commit/60caac1c7b8f82c6c80c028ba94ea13e0ad77a34
DH_check(): Do not try checking q properties if it is obviously invalid
2023-08-02T10:34:04+08:00
Tomas Mraz
tomas@openssl.org
If |q| >= |p| then the q value is obviously wrong as q is supposed to be a prime divisor of p-1. We check if p is overly large so this added test implies that q is not large either when performing subsequent tests using that q value. Otherwise if it is too large these additional checks of the q value such as the primality test can then trigger DoS by doing overly long computations.
Fixes CVE-2023-3817
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)
(cherry picked from commit 1c16253f3c3a8d1e25918c3f404aae6a5b0893de)
(cherry picked from commit 6a1eb62c29db6cb5eec707f9338aee00f44e26f5)
Signed-off-by: code4lala <fengziteng2@huawei.com>
https://gitcode.net/openharmony/third_party_openssl/-/commit/ceb53c985075afa2291e3768da43a924fc5f2f40
Add CHANGES.md and NEWS.md entries for CVE-2023-3817
2023-08-02T10:38:14+08:00
Tomas Mraz
tomas@openssl.org
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)
(cherry picked from commit 4b29762802c05fa871f0e1efcf804e86db0ddaa2)
(cherry picked from commit fb54f415b9981adebb03997304ac77d4d0cc520a)
Signed-off-by: code4lala <fengziteng2@huawei.com>
https://gitcode.net/openharmony/third_party_openssl/-/commit/3a2dc26099c1caab425b97b33df6b7c768e1737a
!129 fix-CVE-2023-3817
2023-08-02T09:50:23+00:00
openharmony_ci
120357966@qq.com
Merge pull request !129 from code4lala/fix-CVE-2023-3817
Showing 3 changed files with 30 additions and 3 deletions (+30 -3)
CHANGES.md +20 -2
NEWS.md +2 -0
crypto/dh/dh_check.c +8 -1
CHANGES.md
View file @ 3a2dc260
...
...
@@ -28,7 +28,24 @@ breaking changes, and mappings for the large list of deprecated functions.
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
* Fix DH_check() excessive time with over sized modulus
* Fix excessive time spent checking DH q parameter value.
The function DH_check() performs various checks on DH parameters. After
fixing CVE-2023-3446 it was discovered that a large q parameter value can
also trigger an overly long computation during some of these checks.
A correct q value, if present, cannot be larger than the modulus p
parameter, thus it is unnecessary to perform these checks if q is larger
than p.
If DH_check() is called with such q parameter value,
DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
intensive checks are skipped.
([CVE-2023-3817])
*Tomáš Mráz*
* Fix DH_check() excessive time with over sized modulus.
The function DH_check() performs various checks on DH parameters. One of
those checks confirms that the modulus ("p" parameter) is not too large.
...
...
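Review bot: The new CHANGES.md entry says the checks are unnecessary "if q is larger than p", but the commit message gives the invalid case as |q| >= |p|, and the code sets q_good only when `BN_ucmp(dh->params.p, dh->params.q) > 0`, so q equal to p is also reported with DH_CHECK_INVALID_Q_VALUE. Suggest wording the entry as "if q is not smaller than p" so that readers of the changelog know the equal case is rejected as well.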
@@ -65,7 +82,7 @@ breaking changes, and mappings for the large list of deprecated functions.
has to skip calls to `EVP_DecryptUpdate()` for empty associated data
entries.
*Tom
as Mra
z*
*Tom
áš Mrá
z*
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
...
...
@@ -19514,6 +19531,7 @@ ndif
<!-- Links -->
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
...
...
NEWS.md
View file @ 3a2dc260
...
...
@@ -17,6 +17,7 @@ OpenSSL Releases
OpenSSL 3.0
-----------
*
Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
*
Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
*
Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
*
Mitigate for very slow
`OBJ_obj2txt()`
performance with gigantic OBJECT
...
...
@@ -1426,6 +1427,7 @@ OpenSSL 0.9.x
<!-- Links -->
[
CVE-2023-3817
]:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[
CVE-2023-3446
]:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
[
CVE-2023-2975
]:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
[
CVE-2023-2650
]:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
...
...
crypto/dh/dh_check.c
View file @ 3a2dc260
...
...
@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret)
#ifdef FIPS_MODULE
return
DH_check_params
(
dh
,
ret
);
#else
int
ok
=
0
,
r
;
int
ok
=
0
,
r
,
q_good
=
0
;
BN_CTX
*
ctx
=
NULL
;
BIGNUM
*
t1
=
NULL
,
*
t2
=
NULL
;
int
nid
=
DH_get_nid
((
DH
*
)
dh
);
...
...
@@ -171,6 +171,13 @@ int DH_check(const DH *dh, int *ret)
goto
err
;
if
(
dh
->
params
.
q
!=
NULL
)
{
if
(
BN_ucmp
(
dh
->
params
.
p
,
dh
->
params
.
q
)
>
0
)
q_good
=
1
;
else
*
ret
|=
DH_CHECK_INVALID_Q_VALUE
;
}
if
(
q_good
)
{
if
(
BN_cmp
(
dh
->
params
.
g
,
BN_value_one
())
<=
0
)
*
ret
|=
DH_NOT_SUITABLE_GENERATOR
;
else
if
(
BN_cmp
(
dh
->
params
.
g
,
dh
->
params
.
p
)
>=
0
)
...
...
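Review bot: Inside the new `if (q_good)` block, the generator range checks (`BN_cmp(dh->params.g, BN_value_one()) <= 0` and `BN_cmp(dh->params.g, dh->params.p) >= 0`) are skipped whenever q is present but rejected, so such parameters are reported with DH_CHECK_INVALID_Q_VALUE alone and never with DH_NOT_SUITABLE_GENERATOR. Those two comparisons are cheap and do not involve q. Either keep them outside the q_good gate, or add a comment at the gate stating that callers must treat DH_CHECK_INVALID_Q_VALUE as a hard failure. A short comment on the `BN_ucmp` test noting that it compares magnitudes and that q equal to p is rejected would also help. The change set lists only CHANGES.md, NEWS.md and crypto/dh/dh_check.c, so a regression test that calls DH_check() with q >= p and asserts on the flag is worth adding.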