Skip to content

Commit 853c5e5

Browse files
levittet8m
authored andcommitted
Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical numeric text form. For gigantic sub-identifiers, this would take a very long time, the time complexity being O(n^2) where n is the size of that sub-identifier. To mitigate this, a restriction on the size that OBJ_obj2txt() will translate to canonical numeric text form is added, based on RFC 2578 (STD 58), which says this: > 3.5. OBJECT IDENTIFIER values > > An OBJECT IDENTIFIER value is an ordered list of non-negative numbers. > For the SMIv2, each number in the list is referred to as a sub-identifier, > there are at most 128 sub-identifiers in a value, and each sub-identifier > has a maximum value of 2^32-1 (4294967295 decimal). Fixes otc/security#96 Fixes CVE-2023-2650 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
1 parent 2897ac0 commit 853c5e5

File tree

3 files changed

+47
-0
lines changed

3 files changed

+47
-0
lines changed

Diff for: CHANGES

+26
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,32 @@
99

1010
Changes between 1.0.2zg and 1.0.2zh [xx XXX xxxx]
1111

12+
*) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
13+
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
14+
15+
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
16+
numeric text form. For gigantic sub-identifiers, this would take a very
17+
long time, the time complexity being O(n^2) where n is the size of that
18+
sub-identifier. (CVE-2023-2650)
19+
20+
To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
21+
IDENTIFIER to canonical numeric text form if the size of that OBJECT
22+
IDENTIFIER is 586 bytes or less, and fail otherwise.
23+
24+
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
25+
IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
26+
most 128 sub-identifiers, and that the maximum value that each sub-
27+
identifier may have is 2^32-1 (4294967295 decimal).
28+
29+
For each byte of every sub-identifier, only the 7 lower bits are part of
30+
the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
31+
these restrictions may occupy is 32 * 128 / 7, which is approximately 586
32+
bytes.
33+
34+
Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
35+
36+
[Richard Levitte]
37+
1238
*) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).
1339
The previous fix for this timing side channel turned out to cause
1440
a severe 2-3x performance regression in the typical use case

Diff for: NEWS

+2
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@
77

88
Major changes between OpenSSL 1.0.2zg and OpenSSL 1.0.2zh [under development]
99

10+
o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
11+
OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
1012
o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
1113
o Fixed handling of invalid certificate policies in leaf certificates
1214
(CVE-2023-0465)

Diff for: crypto/objects/obj_dat.c

+19
Original file line numberDiff line numberDiff line change
@@ -515,6 +515,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
515515
first = 1;
516516
bl = NULL;
517517

518+
/*
519+
* RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
520+
*
521+
* > 3.5. OBJECT IDENTIFIER values
522+
* >
523+
* > An OBJECT IDENTIFIER value is an ordered list of non-negative
524+
* > numbers. For the SMIv2, each number in the list is referred to as a
525+
* > sub-identifier, there are at most 128 sub-identifiers in a value,
526+
* > and each sub-identifier has a maximum value of 2^32-1 (4294967295
527+
* > decimal).
528+
*
529+
* So a legitimate OID according to this RFC is at most (32 * 128 / 7),
530+
* i.e. 586 bytes long.
531+
*
532+
* Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
533+
*/
534+
if (len > 586)
535+
goto err;
536+
518537
while (len > 0) {
519538
l = 0;
520539
use_bn = 0;

0 commit comments

Comments
 (0)