Merge pull request #475 from dongbeiouba/fix84/CVE-2023-2975

Fix CVE-2023-2975 and CVE-2023-3446
Tongsuo-Project · Aug 15, 2023 · c604174 · c604174
2 parents 936d098 + ca70885
commit c604174
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 11 deletions.
diff --git a/CHANGES b/CHANGES
@@ -2,11 +2,18 @@
  Tongsuo CHANGES
  _______________
 
- Changes between 8.3.0 and 8.4.0 [xx XXX xxxx]
+ Changes between 8.4.0-pre1 and 8.4.0-pre2 [xx XXX xxxx]
+
+ *) 修复CVE-2023-3446
+
+ *) 修复CVE-2023-2975
+
   *) 实现基于64位平台架构的SM2算法性能优化
 
   *) 实现基于SM2曲线参数特化的快速模约减和快速模逆元算法
 
+ Changes between 8.3.0 and 8.4.0-pre1 [07 Jun 2023]
+
   *) 修复CVE-2023-2650
 
   *) 支持零知识证明算法-bulletproofs (r1cs)

diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
     if (nid != NID_undef)
         return 1;
 
+    /* Don't do any checks at all with an excessively large modulus */
+    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+        return 0;
+    }
+
     if (!DH_check_params(dh, ret))
         return 0;
 

diff --git a/include/openssl/dh.h b/include/openssl/dh.h
@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
 #  include <openssl/dherr.h>
 
 #  ifndef OPENSSL_DH_MAX_MODULUS_BITS
-#   define OPENSSL_DH_MAX_MODULUS_BITS    10000
+#   define OPENSSL_DH_MAX_MODULUS_BITS        10000
+#  endif
+
+#  ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+#   define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
 #  endif
 
 #  define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024

diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
     if (!ossl_prov_is_running())
         return 0;
 
-    if (inl == 0) {
-        *outl = 0;
-        return 1;
-    }
+    /* Ignore just empty encryption/decryption call and not AAD. */
+    if (out != NULL) {
+        if (inl == 0) {
+            if (outl != NULL)
+                *outl = 0;
+            return 1;
+        }
 
-    if (outsize < inl) {
-        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-        return 0;
+        if (outsize < inl) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+            return 0;
+        }
     }
 
     if (ctx->hw->cipher(ctx, out, in, inl) <= 0)

diff --git a/test/dhtest.c b/test/dhtest.c
@@ -73,7 +73,7 @@ static int dh_test(void)
         goto err1;
 
     /* check fails, because p is way too small */
-    if (!DH_check(dh, &i))
+    if (!TEST_true(DH_check(dh, &i)))
         goto err2;
     i ^= DH_MODULUS_TOO_SMALL;
     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
@@ -124,6 +124,17 @@ static int dh_test(void)
     /* We'll have a stale error on the queue from the above test so clear it */
     ERR_clear_error();
 
+    /* Modulus of size: dh check max modulus bits + 1 */
+    if (!TEST_true(BN_set_word(p, 1))
+            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+        goto err3;
+
+    /*
+     * We expect no checks at all for an excessively large modulus
+     */
+    if (!TEST_false(DH_check(dh, &i)))
+        goto err3;
+
     /*
      * II) key generation
      */
@@ -138,7 +149,7 @@ static int dh_test(void)
         goto err3;
 
     /* ... and check whether it is valid */
-    if (!DH_check(a, &i))
+    if (!TEST_true(DH_check(a, &i)))
         goto err3;
     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)

diff --git a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
 Plaintext =  112233445566778899aabbccddee
 Ciphertext = 40c02b9690c4dc04daef7f6afe5c
 
+Cipher = aes-128-siv
+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Tag = f1c5fdeac1f15a26779c1501f9fb7588
+Plaintext =  112233445566778899aabbccddee
+Ciphertext = 27e946c669088ab06da58c5c831c
+
+Cipher = aes-128-siv
+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+AAD =
+Tag = d1022f5b3664e5a4dfaf90f85be6f28a
+Plaintext =  112233445566778899aabbccddee
+Ciphertext = b66cff6b8eca0b79f083b39a0901
+
 Cipher = aes-128-siv
 Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
 AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
 Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
 Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
 
+Cipher = aes-128-siv
+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
+AAD =
+AAD = 09f911029d74e35bd84156c5635688c0
+Tag = 83ce6593a8fa67eb6fcd2819cedfc011
+Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
+Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
+
+Cipher = aes-128-siv
+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
+AAD =
+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
+AAD = 09f911029d74e35bd84156c5635688c0
+Tag = 77dd4a44f5a6b41302121ee7f378de25
+Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
+Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe
+
 Cipher = aes-192-siv
 Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0
 AAD = 101112131415161718191a1b1c1d1e1f2021222324252627