3a2dc260 · 3a2dc260 · 3a2dc260
隐藏空白更改
内联并排

Showing with 30 addition and 3 deletion

CHANGES.md CHANGES.md +20 -2

NEWS.md NEWS.md +2 -0

crypto/dh/dh_check.c crypto/dh/dh_check.c +8 -1

未找到文件。
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,7 +28,24 @@ breaking changes, and mappings for the large list of deprecated functions.

 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

- * Fix DH_check() excessive time with over sized modulus
+ * Fix excessive time spent checking DH q parameter value.
+
+   The function DH_check() performs various checks on DH parameters. After
+   fixing CVE-2023-3446 it was discovered that a large q parameter value can
+   also trigger an overly long computation during some of these checks.
+   A correct q value, if present, cannot be larger than the modulus p
+   parameter, thus it is unnecessary to perform these checks if q is larger
+   than p.
+
+   If DH_check() is called with such q parameter value,
+   DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
+   intensive checks are skipped.
+
+   ([CVE-2023-3817])
+
+   *Tomáš Mráz*
+
+ * Fix DH_check() excessive time with over sized modulus.

   The function DH_check() performs various checks on DH parameters. One of
   those checks confirms that the modulus ("p" parameter) is not too large.
@@ -65,7 +82,7 @@ breaking changes, and mappings for the large list of deprecated functions.
   has to skip calls to `EVP_DecryptUpdate()` for empty associated data
   entries.

-   *Tomas Mraz*
+   *Tomáš Mráz*

 * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
   OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
@@ -19514,6 +19531,7 @@ ndif

 <!-- Links -->

+[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650

--- a/NEWS.md
+++ b/NEWS.md
@@ -17,6 +17,7 @@ OpenSSL Releases

 OpenSSL 3.0
 -----------
+  * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
  * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
  * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
  * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT
@@ -1426,6 +1427,7 @@ OpenSSL 0.9.x

 <!-- Links -->

+[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650

--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret)
 #ifdef FIPS_MODULE
    return DH_check_params(dh, ret);
 #else
-    int ok = 0, r;
+    int ok = 0, r, q_good = 0;
    BN_CTX *ctx = NULL;
    BIGNUM *t1 = NULL, *t2 = NULL;
    int nid = DH_get_nid((DH *)dh);
@@ -171,6 +171,13 @@ int DH_check(const DH *dh, int *ret)
        goto err;

    if (dh->params.q != NULL) {
+        if (BN_ucmp(dh->params.p, dh->params.q) > 0)
+            q_good = 1;
+        else
+            *ret |= DH_CHECK_INVALID_Q_VALUE;
+    }
+
+    if (q_good) {
        if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
            *ret |= DH_NOT_SUITABLE_GENERATOR;
        else if (BN_cmp(dh->params.g, dh->params.p) >= 0)