[openssl/openssl] db779b: Restrict the size of OBJECT IDENTIFIERs that OBJ_o...

Tomáš Mráz noreply at github.com
Tue May 30 13:11:09 UTC 2023 

  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: db779b0e10b047f2585615e0b8f2acdf21f8544a
      https://github.com/openssl/openssl/commit/db779b0e10b047f2585615e0b8f2acdf21f8544a
  Author: Richard Levitte <levitte at openssl.org>
  Date:   2023-05-29 (Mon, 29 May 2023)

  Changed paths:
    M CHANGES.md
    M NEWS.md
    M crypto/objects/obj_dat.c

  Log Message:
  -----------
  Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate

OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form.  For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier.

To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:

> 3.5. OBJECT IDENTIFIER values
>
> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).

Fixes otc/security#96
Fixes CVE-2023-2650

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>


  Commit: 597a8a7bcf5f80276fd28df36d39d92d0c3932c0
      https://github.com/openssl/openssl/commit/597a8a7bcf5f80276fd28df36d39d92d0c3932c0
  Author: Tomas Mraz <tomas at openssl.org>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    M apps/dgst.c
    M apps/enc.c
    M apps/include/cmp_mock_srv.h
    M apps/lib/apps.c
    M apps/lib/cmp_mock_srv.c
    M apps/rehash.c
    M crypto/aes/asm/aesv8-armx.pl
    M crypto/aes/asm/bsaes-armv7.pl
    M crypto/asn1/a_bitstr.c
    M crypto/asn1/d2i_pr.c
    M crypto/bn/asm/rsaz-2k-avx512.pl
    M crypto/bn/asm/rsaz-3k-avx512.pl
    M crypto/bn/asm/rsaz-4k-avx512.pl
    M crypto/bn/bn_asm.c
    M crypto/bn/bn_lib.c
    M crypto/bn/bn_nist.c
    M crypto/chacha/chacha_ppc.c
    M crypto/cmp/cmp_ctx.c
    M crypto/cmp/cmp_local.h
    M crypto/cmp/cmp_msg.c
    M crypto/cmp/cmp_protect.c
    M crypto/cmp/cmp_server.c
    M crypto/cmp/cmp_vfy.c
    M crypto/cms/cms_dh.c
    M crypto/conf/conf_def.c
    M crypto/context.c
    M crypto/dsa/dsa_sign.c
    M crypto/ec/ecx_meth.c
    M crypto/engine/eng_lib.c
    M crypto/evp/ec_ctrl.c
    M crypto/evp/evp_enc.c
    M crypto/evp/evp_pbe.c
    M crypto/evp/keymgmt_meth.c
    M crypto/evp/pmeth_lib.c
    M crypto/http/http_lib.c
    M crypto/md5/asm/md5-aarch64.pl
    M crypto/modes/asm/aes-gcm-armv8_64.pl
    M crypto/modes/asm/aes-gcm-avx512.pl
    M crypto/objects/obj_dat.c
    M crypto/rand/rand_lib.c
    M crypto/rsa/rsa_chk.c
    M crypto/rsa/rsa_sp800_56b_gen.c
    M crypto/sm2/sm2_sign.c
    M crypto/threads_win.c
    M crypto/ui/ui_lib.c
    M crypto/ui/ui_util.c
    M crypto/x509/pcy_local.h
    M crypto/x509/pcy_node.c
    M crypto/x509/pcy_tree.c
    M crypto/x509/x509_vfy.c
    M doc/internal/man3/ossl_cmp_certreq_new.pod
    M doc/internal/man3/ossl_cmp_mock_srv_new.pod
    M doc/internal/man3/ossl_cmp_msg_protect.pod
    M doc/internal/man3/ossl_cmp_pkisi_get_status.pod
    M doc/man1/openssl.pod
    M doc/man3/ASN1_STRING_new.pod
    M doc/man3/EC_KEY_new.pod
    M doc/man3/EC_POINT_add.pod
    M doc/man3/EC_POINT_new.pod
    M doc/man3/EVP_PKEY_set1_RSA.pod
    M doc/man3/EVP_RAND.pod
    M doc/man3/OSSL_CMP_MSG_get0_header.pod
    M doc/man3/OSSL_CRMF_MSG_set0_validity.pod
    M doc/man3/OSSL_PARAM.pod
    M doc/man3/OSSL_PARAM_int.pod
    M doc/man3/PEM_read_CMS.pod
    M doc/man3/PKCS7_sign.pod
    M doc/man3/SSL_CTX_set_options.pod
    M doc/man3/SSL_SESSION_free.pod
    M doc/man7/EVP_RAND-HASH-DRBG.pod
    M doc/man7/EVP_RAND-HMAC-DRBG.pod
    M doc/man7/provider-asym_cipher.pod
    M doc/man7/provider-decoder.pod
    M doc/man7/provider-signature.pod
    M engines/e_padlock.c
    M include/crypto/sm4_platform.h
    M include/openssl/cmp.h.in
    M include/openssl/macros.h
    M providers/implementations/asymciphers/rsa_enc.c
    M providers/implementations/kdfs/hkdf.c
    M providers/implementations/keymgmt/rsa_kmgmt.c
    M providers/implementations/rands/drbg.c
    M providers/implementations/rands/drbg_hash.c
    M providers/implementations/rands/drbg_hmac.c
    M providers/implementations/rands/drbg_local.h
    M ssl/record/rec_layer_d1.c
    M ssl/ssl_sess.c
    M ssl/t1_lib.c
    M test/asn1_internal_test.c
    M test/certs/mkcert.sh
    M test/cmp_msg_test.c
    M test/cmp_protect_test.c
    M test/cmp_vfy_test.c
    M test/dtlstest.c
    M test/ecdsatest.c
    M test/helpers/ssl_test_ctx.c
    M test/helpers/ssl_test_ctx.h
    M test/helpers/ssltestlib.c
    M test/helpers/ssltestlib.h
    M test/recipes/00-prep_fipsmodule_cnf.t
    M test/recipes/15-test_mp_rsa.t
    M test/recipes/30-test_evp_data/evpciph_aes_common.txt
    M test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
    M test/recipes/30-test_evp_data/evprand.txt
    M test/ssl-tests/30-extended-master-secret.cnf.in
    M test/ssl_test.c
    M test/testutil/provider.c
    M util/check-format-test-negatives.c
    M util/check-format-test-positives.c
    M util/check-format.pl
    M util/mk-fipsmodule-cnf.pl
    M util/perl/OpenSSL/config.pm

  Log Message:
  -----------
  Update copyright year


Reviewed-by: Richard Levitte <levitte at openssl.org>
Release: yes


  Commit: 8bfe8a4f222f36f53745a40651d2586166efac81
      https://github.com/openssl/openssl/commit/8bfe8a4f222f36f53745a40651d2586166efac81
  Author: Tomas Mraz <tomas at openssl.org>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    M providers/fips-sources.checksums
    M providers/fips.checksum
    M providers/fips.module.sources

  Log Message:
  -----------
  make update


Reviewed-by: Richard Levitte <levitte at openssl.org>

Release: yes


  Commit: 2cf4e90eaaf7402bf038b158dbdacd0a15561fb7
      https://github.com/openssl/openssl/commit/2cf4e90eaaf7402bf038b158dbdacd0a15561fb7
  Author: Tomas Mraz <tomas at openssl.org>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    M CHANGES.md
    M NEWS.md
    M VERSION.dat

  Log Message:
  -----------
  Prepare for release of 3.1.1


Reviewed-by: Richard Levitte <levitte at openssl.org>

Release: yes


  Commit: fd101bf9ac3416a8fce7009817bc9d7002c93817
      https://github.com/openssl/openssl/commit/fd101bf9ac3416a8fce7009817bc9d7002c93817
  Author: Tomas Mraz <tomas at openssl.org>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    M CHANGES.md
    M NEWS.md
    M VERSION.dat

  Log Message:
  -----------
  Prepare for 3.1.2


Reviewed-by: Richard Levitte <levitte at openssl.org>

Release: yes


Compare: https://github.com/openssl/openssl/compare/a14ed48e8409...fd101bf9ac34

More information about the openssl-commits mailing list