Skip to content

Commit 1fa20cf

Browse files
mattcaswellt8m
authored andcommitted
Fix DH_check() excessive time with over sized modulus
The DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it is excessively large. There is already a maximum DH modulus size (10,000 bits) over which OpenSSL will not generate or derive keys. DH_check() will however still perform various tests for validity on such a large modulus. We introduce a new maximum (32,768) over which DH_check() will just fail. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). CVE-2023-3446 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21451) (cherry picked from commit 9e0094e)
1 parent 6e4aad6 commit 1fa20cf

File tree

2 files changed

+11
-1
lines changed

2 files changed

+11
-1
lines changed

Diff for: crypto/dh/dh_check.c

+6
Original file line numberDiff line numberDiff line change
@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
152152
if (nid != NID_undef)
153153
return 1;
154154

155+
/* Don't do any checks at all with an excessively large modulus */
156+
if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
157+
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
158+
return 0;
159+
}
160+
155161
if (!DH_check_params(dh, ret))
156162
return 0;
157163

Diff for: include/openssl/dh.h

+5-1
Original file line numberDiff line numberDiff line change
@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
8989
# include <openssl/dherr.h>
9090

9191
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
92-
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
92+
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
93+
# endif
94+
95+
# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
96+
# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
9397
# endif
9498

9599
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024

0 commit comments

Comments
 (0)