1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
From 9e209944b35cf82368071f160a744b6178f9b098 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 12 May 2023 10:00:13 +0200
Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will
translate
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier.
To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:
> 3.5. OBJECT IDENTIFIER values
>
> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).
Fixes otc/security#96
Fixes CVE-2023-2650
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098]
CVE: CVE-2023-2650
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
CHANGES | 28 +++++++++++++++++++++++++++-
NEWS | 2 ++
crypto/objects/obj_dat.c | 19 +++++++++++++++++++
3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 1eaaf4e..f2cf38f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,33 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
- Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
+ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
+
+ *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
+ OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
+
+ OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
+ numeric text form. For gigantic sub-identifiers, this would take a very
+ long time, the time complexity being O(n^2) where n is the size of that
+ sub-identifier. (CVE-2023-2650)
+
+ To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
+ IDENTIFIER to canonical numeric text form if the size of that OBJECT
+ IDENTIFIER is 586 bytes or less, and fail otherwise.
+
+ The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
+ IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
+ most 128 sub-identifiers, and that the maximum value that each sub-
+ identifier may have is 2^32-1 (4294967295 decimal).
+
+ For each byte of every sub-identifier, only the 7 lower bits are part of
+ the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
+ these restrictions may occupy is 32 * 128 / 7, which is approximately 586
+ bytes.
+
+ Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
+
+Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
that it does not enable policy checking. Thanks to
diff --git a/NEWS b/NEWS
index a86220a..41922c4 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@
Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
+ o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
+ OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 7e8de72..d699915 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
first = 1;
bl = NULL;
+ /*
+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
+ *
+ * > 3.5. OBJECT IDENTIFIER values
+ * >
+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
+ * > numbers. For the SMIv2, each number in the list is referred to as a
+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
+ * > decimal).
+ *
+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
+ * i.e. 586 bytes long.
+ *
+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
+ */
+ if (len > 586)
+ goto err;
+
while (len > 0) {
l = 0;
use_bn = 0;
--
2.25.1
|