Excessive time spent checking DH keys and parameters

Resolves: RHEL-5306
1 year ago · d6248f76c4
parent 6775e82636
commit d6248f76c4
2 changed files with 77 additions and 0 deletions
--- a/0126-CVE-2023-3446.patch
+++ b/0126-CVE-2023-3446.patch
@ -0,0 +1,74 @@
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 0b391910d6..84a926998e 100644
+--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
+@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
+     if (nid != NID_undef)
+         return 1;
+ 
+    /* Don't do any checks at all with an excessively large modulus */
+    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+        return 0;
+    }
+
+     if (!DH_check_params(dh, ret))
+         return 0;
+ 
+diff --git a/include/openssl/dh.h b/include/openssl/dh.h
+index b97871eca7..36420f51d8 100644
+--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
+@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
+ #  include <openssl/dherr.h>
+ 
+ #  ifndef OPENSSL_DH_MAX_MODULUS_BITS
+-#   define OPENSSL_DH_MAX_MODULUS_BITS    10000
+#   define OPENSSL_DH_MAX_MODULUS_BITS        10000
+#  endif
+
+#  ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+#   define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
+ #  endif
+ 
+ #  define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
+diff --git a/test/dhtest.c b/test/dhtest.c
+index 7b587f3cfa..f8dd8f3aa7 100644
+--- a/test/dhtest.c
+++ b/test/dhtest.c
+@@ -73,7 +73,7 @@ static int dh_test(void)
+         goto err1;
+ 
+     /* check fails, because p is way too small */
+-    if (!DH_check(dh, &i))
+    if (!TEST_true(DH_check(dh, &i)))
+         goto err2;
+     i ^= DH_MODULUS_TOO_SMALL;
+     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
+@@ -124,6 +124,17 @@ static int dh_test(void)
+     /* We'll have a stale error on the queue from the above test so clear it */
+     ERR_clear_error();
+ 
+    /* Modulus of size: dh check max modulus bits + 1 */
+    if (!TEST_true(BN_set_word(p, 1))
+            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+        goto err3;
+
+    /*
+     * We expect no checks at all for an excessively large modulus
+     */
+    if (!TEST_false(DH_check(dh, &i)))
+        goto err3;
+
+     /*
+      * II) key generation
+      */
+@@ -138,7 +149,7 @@ static int dh_test(void)
+         goto err3;
+ 
+     /* ... and check whether it is valid */
+-    if (!DH_check(a, &i))
+    if (!TEST_true(DH_check(a, &i)))
+         goto err3;
+     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
+             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
--- a/openssl.spec
+++ b/openssl.spec
@ -198,6 +198,7 @@ Patch122: 0122-CVE-2023-2650.patch
 # https://github.com/openssl/openssl/pull/19386
 Patch123: 0123-ibmca-atexit-crash.patch
 Patch125: 0125-CVE-2023-2975.patch
+Patch126: 0126-CVE-2023-3446.patch

 License: ASL 2.0
 URL: http://www.openssl.org/
@ -537,6 +538,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 - AES-SIV cipher implementation contains a bug that causes it to ignore empty
  associated data entries (CVE-2023-2975)
  Resolves: RHEL-5302
+- Excessive time spent checking DH keys and parameters (CVE-2023-3446)
+  Resolves: RHEL-5306

 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
 - Make FIPS module configuration more crypto-policies friendly