• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Thu, 6 Jul 2023 16:36:35 +0100
4Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
5
6The DH_check() function checks numerous aspects of the key or parameters
7that have been supplied. Some of those checks use the supplied modulus
8value even if it is excessively large.
9
10There is already a maximum DH modulus size (10,000 bits) over which
11OpenSSL will not generate or derive keys. DH_check() will however still
12perform various tests for validity on such a large modulus. We introduce a
13new maximum (32,768) over which DH_check() will just fail.
14
15An application that calls DH_check() and supplies a key or parameters
16obtained from an untrusted source could be vulnerable to a Denial of
17Service attack.
18
19The function DH_check() is itself called by a number of other OpenSSL
20functions. An application calling any of those other functions may
21similarly be affected. The other functions affected by this are
22DH_check_ex() and EVP_PKEY_param_check().
23
24CVE-2023-3446
25
26Reviewed-by: Paul Dale <pauli@openssl.org>
27Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
28Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
29Reviewed-by: Tomas Mraz <tomas@openssl.org>
30(Merged from https://github.com/openssl/openssl/pull/21452)
31---
32 crypto/dh/dh_check.c    | 6 ++++++
33 crypto/dh/dh_err.c      | 3 ++-
34 crypto/err/openssl.txt  | 1 +
35 include/openssl/dh.h    | 3 +++
36 include/openssl/dherr.h | 3 ++-
37 5 files changed, 15 insertions(+), 3 deletions(-)
38
39diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
40index 4ac169e75c..e5f9dd5030 100644
41--- a/crypto/dh/dh_check.c
42+++ b/crypto/dh/dh_check.c
43@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
44     BN_CTX *ctx = NULL;
45     BIGNUM *t1 = NULL, *t2 = NULL;
46
47+    /* Don't do any checks at all with an excessively large modulus */
48+    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
49+        DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
50+        return 0;
51+    }
52+
53     if (!DH_check_params(dh, ret))
54         return 0;
55
56diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
57index 7285587b4a..92800d3fcc 100644
58--- a/crypto/dh/dh_err.c
59+++ b/crypto/dh/dh_err.c
60@@ -1,6 +1,6 @@
61 /*
62  * Generated by util/mkerr.pl DO NOT EDIT
63- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
64+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
65  *
66  * Licensed under the OpenSSL license (the "License").  You may not use
67  * this file except in compliance with the License.  You can obtain a copy
68@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
69     {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
70     {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
71      "dh_builtin_genparams"},
72+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
73     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
74     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
75     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
76diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
77index 9f91a4a811..c0a3cd720b 100644
78--- a/crypto/err/openssl.txt
79+++ b/crypto/err/openssl.txt
80@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
81 DH_F_COMPUTE_KEY:102:compute_key
82 DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
83 DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
84+DH_F_DH_CHECK:126:DH_check
85 DH_F_DH_CHECK_EX:121:DH_check_ex
86 DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
87 DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
88diff --git a/include/openssl/dh.h b/include/openssl/dh.h
89index 3527540cdd..892e31559d 100644
90--- a/include/openssl/dh.h
91+++ b/include/openssl/dh.h
92@@ -29,6 +29,9 @@ extern "C" {
93 # ifndef OPENSSL_DH_MAX_MODULUS_BITS
94 #  define OPENSSL_DH_MAX_MODULUS_BITS    10000
95 # endif
96+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
97+#  define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
98+# endif
99
100 # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
101
102diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
103index 916b3bed0b..528c819856 100644
104--- a/include/openssl/dherr.h
105+++ b/include/openssl/dherr.h
106@@ -1,6 +1,6 @@
107 /*
108  * Generated by util/mkerr.pl DO NOT EDIT
109- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
110+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
111  *
112  * Licensed under the OpenSSL license (the "License").  You may not use
113  * this file except in compliance with the License.  You can obtain a copy
114@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
115 #  define DH_F_COMPUTE_KEY                                 102
116 #  define DH_F_DHPARAMS_PRINT_FP                           101
117 #  define DH_F_DH_BUILTIN_GENPARAMS                        106
118+#  define DH_F_DH_CHECK                                    126
119 #  define DH_F_DH_CHECK_EX                                 121
120 #  define DH_F_DH_CHECK_PARAMS_EX                          122
121 #  define DH_F_DH_CHECK_PUB_KEY_EX                         123
122--
1232.34.1
124
125