diff --git a/CHANGES.md b/CHANGES.md index b3ee913c8ad4735434581c1f9c6b709e7cd24571..0ba6e2f68ba1164e050bad9cfd02787328b19b5b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,6 +28,25 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod + * Fix DH_check() excessive time with over sized modulus + + The function DH_check() performs various checks on DH parameters. One of + those checks confirms that the modulus ("p" parameter) is not too large. + Trying to use a very large modulus is slow and OpenSSL will not normally use + a modulus which is over 10,000 bits in length. + + However the DH_check() function checks numerous aspects of the key or + parameters that have been supplied. Some of those checks use the supplied + modulus value even if it has already been found to be too large. + + A new limit has been added to DH_check of 32,768 bits. Supplying a + key/parameters with a modulus over this size will simply cause DH_check() to + fail. + + ([CVE-2023-3446]) + + *Matt Caswell* + * Do not ignore empty associated data entries with AES-SIV. The AES-SIV algorithm allows for authentication of multiple associated @@ -19495,6 +19514,7 @@ ndif +[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 diff --git a/NEWS.md b/NEWS.md index d69402562c144c2b9621874270ac8e0ebda59b16..a2701df15efc5ae55cda652135a1834b75af8782 100644 --- a/NEWS.md +++ b/NEWS.md @@ -17,6 +17,7 @@ OpenSSL Releases OpenSSL 3.0 ----------- + * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650]) @@ -1425,6 +1426,7 @@ OpenSSL 0.9.x +[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index c4b4ee8ff0e69fccbd06428dedfa324c8306d8b2..4a452ebc0a6678f689cfb7871ffe9562fd31b484 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c @@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret) if (nid != NID_undef) return 1; + /* Don't do any checks at all with an excessively large modulus */ + if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); + return 0; + } + if (!DH_check_params(dh, ret)) return 0; diff --git a/include/openssl/dh.h b/include/openssl/dh.h index b97871eca7faa56cd33c1ff757f18fb758d90eec..36420f51d89ed07b8b024a4542689205f3662de4 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); # include # ifndef OPENSSL_DH_MAX_MODULUS_BITS -# define OPENSSL_DH_MAX_MODULUS_BITS 10000 +# define OPENSSL_DH_MAX_MODULUS_BITS 10000 +# endif + +# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS +# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 # endif # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024