From caab4d8406c79e8d542e2439c57ac7551f810a2c Mon Sep 17 00:00:00 2001 From: K1 Date: Tue, 4 Jul 2023 17:30:35 +0200 Subject: [PATCH 1/6] Do not ignore empty associated data with AES-SIV mode The AES-SIV mode allows for multiple associated data items authenticated separately with any of these being 0 length. The provided implementation ignores such empty associated data which is incorrect in regards to the RFC 5297 and is also a security issue because such empty associated data then become unauthenticated if an application expects to authenticate them. Fixes CVE-2023-2975 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21384) --- .../implementations/ciphers/cipher_aes_siv.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c index 45010b90d..b396c8651 100644 --- a/providers/implementations/ciphers/cipher_aes_siv.c +++ b/providers/implementations/ciphers/cipher_aes_siv.c @@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, if (!ossl_prov_is_running()) return 0; - if (inl == 0) { - *outl = 0; - return 1; - } + /* Ignore just empty encryption/decryption call and not AAD. */ + if (out != NULL) { + if (inl == 0) { + if (outl != NULL) + *outl = 0; + return 1; + } - if (outsize < inl) { - ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); - return 0; + if (outsize < inl) { + ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); + return 0; + } } if (ctx->hw->cipher(ctx, out, in, inl) <= 0) From adc9d72b395aad06377a78917c61584edd3bce0a Mon Sep 17 00:00:00 2001 
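Review bot: With `out == NULL` now the only thing separating an AAD update from a cipher call, a zero-length AAD update falls through to `ctx->hw->cipher(ctx, out, in, inl)` with `inl == 0` and possibly `in == NULL`; whether that path accepts an empty (or NULL) input and feeds a zero-length string into S2V cannot be confirmed from the hunk, because the hw implementation is outside it, so it is worth verifying rather than relying on the new test vectors alone. The added comment says what the branch does but not why, which is the security-relevant part; I would replace it with `/* out == NULL marks an AAD update. RFC 5297 S2V treats a zero-length AD string as a distinct input that must still be authenticated, so only an empty plaintext/ciphertext call is a no-op (CVE-2023-2975). */`. siv_cipher() continues past the end of the hunk, so I cannot see whether `outl` is also guarded against NULL where the non-empty path writes it; the new `outl != NULL` check is only consistent if it is.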
From: K1 Date: Tue, 4 Jul 2023 17:50:37 +0200 Subject: [PATCH 2/6] Add testcases for empty associated data entries with AES-SIV Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21384) --- .../30-test_evp_data/evpciph_aes_siv.txt | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt index a78a49158..e434f13f4 100644 --- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt +++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt @@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93 Plaintext = 112233445566778899aabbccddee Ciphertext = 40c02b9690c4dc04daef7f6afe5c +Cipher = aes-128-siv +Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff +Tag = f1c5fdeac1f15a26779c1501f9fb7588 +Plaintext = 112233445566778899aabbccddee +Ciphertext = 27e946c669088ab06da58c5c831c + +Cipher = aes-128-siv +Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff +AAD = +Tag = d1022f5b3664e5a4dfaf90f85be6f28a +Plaintext = 112233445566778899aabbccddee +Ciphertext = b66cff6b8eca0b79f083b39a0901 + Cipher = aes-128-siv Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 
@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d +Cipher = aes-128-siv +Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f +AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 +AAD = +AAD = 09f911029d74e35bd84156c5635688c0 +Tag = 83ce6593a8fa67eb6fcd2819cedfc011 +Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 +Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d + +Cipher = aes-128-siv +Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f +AAD = +AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 +AAD = 09f911029d74e35bd84156c5635688c0 +Tag = 77dd4a44f5a6b41302121ee7f378de25 +Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 +Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe + Cipher = aes-192-siv Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0 AAD = 101112131415161718191a1b1c1d1e1f2021222324252627 From cfba461b360bb125c999922056c1dc3a195ac7fb Mon Sep 17 00:00:00 2001 From: K1 Date: Tue, 15 Aug 2023 16:28:20 +0800 Subject: [PATCH 3/6] Update CHANGES for CVE-2023-2975 --- CHANGES | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 94d078fa7..b65b9a94f 100644 --- a/CHANGES +++ b/CHANGES 
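Review bot: The new multi-AAD vectors put the empty `AAD =` entry first and in the middle of a three-item list but never last, and only for aes-128-siv; since the pre-fix code dropped a zero-length update regardless of its position, a vector with the empty entry as the final AAD item and at least one aes-256-siv variant would close the remaining gaps. These expected values do not appear to come from RFC 5297 Appendix A (the two RFC vectors are the ones already in the file), so they were presumably generated with the fixed implementation itself and therefore only prove self-consistency, not conformance. A one-line comment above them stating their origin, and whether they were cross-checked against an independent SIV implementation, would tell the next reader how much weight to give them; an actual cross-check would be better still.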
@@ -2,11 +2,16 @@ Tongsuo CHANGES _______________ - Changes between 8.3.0 and 8.4.0 [xx XXX xxxx] + Changes between 8.4.0-pre1 and 8.4.0-pre2 [xx XXX xxxx] + + *) 修复CVE-2023-2975 + *) 实现基于64位平台架构的SM2算法性能优化 *) 实现基于SM2曲线参数特化的快速模约减和快速模逆元算法 + Changes between 8.3.0 and 8.4.0-pre1 [07 Jun 2023] + *) 修复CVE-2023-2650 *) 支持零知识证明算法-bulletproofs (r1cs) From 5fa838c4511fd900d47ba69f940154bcb31e5ebc Mon Sep 17 00:00:00 2001 From: K1 Date: Thu, 6 Jul 2023 16:36:35 +0100 Subject: [PATCH 4/6] Fix DH_check() excessive time with over sized modulus The DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it is excessively large. There is already a maximum DH modulus size (10,000 bits) over which OpenSSL will not generate or derive keys. DH_check() will however still perform various tests for validity on such a large modulus. We introduce a new maximum (32,768) over which DH_check() will just fail. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). CVE-2023-3446 Reviewed-by: Paul Dale Reviewed-by: Tom Cosgrove Reviewed-by: Bernd Edlinger Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21451) (cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d) --- crypto/dh/dh_check.c | 6 ++++++ include/openssl/dh.h | 6 +++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index e75d20d86..c22eba5e1 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c 
@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret) if (nid != NID_undef) return 1; + /* Don't do any checks at all with an excessively large modulus */ + if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); + return 0; + } + if (!DH_check_params(dh, ret)) return 0; diff --git a/include/openssl/dh.h b/include/openssl/dh.h index b97871eca..36420f51d 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); # include # ifndef OPENSSL_DH_MAX_MODULUS_BITS -# define OPENSSL_DH_MAX_MODULUS_BITS 10000 +# define OPENSSL_DH_MAX_MODULUS_BITS 10000 +# endif + +# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS +# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 # endif # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 From 7f057b73acdd5af337d943e203989f840625bbd0 Mon Sep 17 00:00:00 2001 From: K1 Date: Fri, 7 Jul 2023 14:39:48 +0100 Subject: [PATCH 5/6] Add a test for CVE-2023-3446 Confirm that the only errors DH_check() finds with DH parameters with an excessively long modulus is that the modulus is too large. We should not be performing time consuming checks using that modulus. Reviewed-by: Paul Dale Reviewed-by: Tom Cosgrove Reviewed-by: Bernd Edlinger Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21451) --- test/dhtest.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/test/dhtest.c b/test/dhtest.c index 7b587f3cf..f8dd8f3aa 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -73,7 +73,7 @@ static int dh_test(void) goto err1; /* check fails, because p is way too small */ - if (!DH_check(dh, &i)) + if (!TEST_true(DH_check(dh, &i))) goto err2; i ^= DH_MODULUS_TOO_SMALL; if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) 
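Review bot: The early return for an oversized modulus raises DH_R_MODULUS_TOO_LARGE but records nothing in `*ret`, so a caller that inspects the flag bits without checking the return value sees a parameter set with no reported problem; unless `*ret` is reset earlier in the function (outside the hunk) it is also left holding whatever the caller passed in. Setting an existing flag alongside the error, e.g. `*ret |= DH_CHECK_P_NOT_PRIME;` before `return 0;`, keeps both reporting channels consistent. The guard sits in DH_check() only, so DH_check_params(), which is called right after and is itself a public entry point, still receives the huge modulus; whether its own checks are cheap enough is not visible here and is worth confirming. The comment should also say why the check exists: `/* Don't do any checks at all with an excessively large modulus: the remaining checks are costly in the size of p, so an untrusted p would turn DH_check() into a DoS vector (CVE-2023-3446). */`. DH_check() continues outside the hunk.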
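Review bot: OPENSSL_DH_CHECK_MAX_MODULUS_BITS is a new public, build-overridable limit defined with no comment on what it bounds or how it relates to OPENSSL_DH_MAX_MODULUS_BITS directly above it, which has a different value (10000 vs 32768) and, per the commit message, a different purpose. I would document it where it is defined, e.g. `/* Largest modulus DH_check() will examine at all; anything larger fails immediately with DH_R_MODULUS_TOO_LARGE (CVE-2023-3446). Distinct from OPENSSL_DH_MAX_MODULUS_BITS, which bounds key generation and derivation. */`. Because the `#ifndef` lets a build redefine it, the comment should also warn that raising it re-exposes DH_check() callers to slow checks on untrusted parameters.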
@@ -124,6 +124,17 @@ static int dh_test(void) /* We'll have a stale error on the queue from the above test so clear it */ ERR_clear_error(); + /* Modulus of size: dh check max modulus bits + 1 */ + if (!TEST_true(BN_set_word(p, 1)) + || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) + goto err3; + + /* + * We expect no checks at all for an excessively large modulus + */ + if (!TEST_false(DH_check(dh, &i))) + goto err3; + /* * II) key generation */ @@ -138,7 +149,7 @@ static int dh_test(void) goto err3; /* ... and check whether it is valid */ - if (!DH_check(a, &i)) + if (!TEST_true(DH_check(a, &i))) goto err3; if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) From ca70885844176a084657efc57fdd8f4501d69a84 Mon Sep 17 00:00:00 2001 From: K1 Date: Tue, 15 Aug 2023 16:32:07 +0800 Subject: [PATCH 6/6] Update CHANGES for CVE-2023-3446 --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index b65b9a94f..6bbb7e9ec 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,8 @@ Changes between 8.4.0-pre1 and 8.4.0-pre2 [xx XXX xxxx] + *) 修复CVE-2023-3446 + *) 修复CVE-2023-2975 *) 实现基于64位平台架构的SM2算法性能优化
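Review bot: The new check asserts only that DH_check() returns 0 for the 32769-bit modulus, not that the failure is the oversize rejection, so any other early failure would also pass and the commit message's claim that the only error found is "modulus too large" is not actually tested. It also leaves that error on the queue immediately after the preceding `ERR_clear_error()`, so it is carried into the key-generation section that follows. Popping and checking the reason covers both points, e.g. `if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), DH_R_MODULUS_TOO_LARGE)) goto err3;` right after the `TEST_false(DH_check(dh, &i))` check (assuming the test framework's TEST_int_eq is available; only TEST_true/TEST_false are visible in the hunk). Timing is not measured, so the regression protection presumably rests on the guard's absence making DH_check() run its full checks and return 1 with flags set, which would fail TEST_false; a short comment saying so would make the intent of the assertion clear. dh_test() continues outside the hunk.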