[openssl/openssl] 423a2b: Restrict the size of OBJECT IDENTIFIERs that OBJ_o...
Tomáš Mráz
noreply at github.com
Tue May 30 13:11:11 UTC 2023
Branch: refs/heads/openssl-3.0
Home: https://github.com/openssl/openssl
Commit: 423a2bc737a908ad0c77bda470b2b59dc879936b
https://github.com/openssl/openssl/commit/423a2bc737a908ad0c77bda470b2b59dc879936b
Author: Richard Levitte <levitte at openssl.org>
Date: 2023-05-29 (Mon, 29 May 2023)
Changed paths:
M CHANGES.md
M NEWS.md
M crypto/objects/obj_dat.c
Log Message:
-----------
Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier.
To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:
> 3.5. OBJECT IDENTIFIER values
>
> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).
Fixes otc/security#96
Fixes CVE-2023-2650
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Commit: 973801c91ae7931d24436f6558cc3c5a7fbd13b0
https://github.com/openssl/openssl/commit/973801c91ae7931d24436f6558cc3c5a7fbd13b0
Author: Tomas Mraz <tomas at openssl.org>
Date: 2023-05-30 (Tue, 30 May 2023)
Changed paths:
M apps/cmp.c
M apps/dgst.c
M apps/enc.c
M apps/include/cmp_mock_srv.h
M apps/lib/apps.c
M apps/lib/cmp_mock_srv.c
M apps/rehash.c
M apps/s_server.c
M crypto/aes/asm/aesv8-armx.pl
M crypto/aes/asm/bsaes-armv7.pl
M crypto/asn1/a_bitstr.c
M crypto/asn1/asn1_parse.c
M crypto/asn1/asn_pack.c
M crypto/bio/bio_lib.c
M crypto/bio/bss_acpt.c
M crypto/bn/bn_asm.c
M crypto/bn/bn_lib.c
M crypto/bn/bn_nist.c
M crypto/bn/bn_rsa_fips186_4.c
M crypto/cmp/cmp_ctx.c
M crypto/cmp/cmp_local.h
M crypto/cmp/cmp_msg.c
M crypto/cmp/cmp_protect.c
M crypto/cmp/cmp_server.c
M crypto/cmp/cmp_vfy.c
M crypto/cms/cms_dh.c
M crypto/cms/cms_ec.c
M crypto/cms/cms_env.c
M crypto/cms/cms_lib.c
M crypto/cms/cms_smime.c
M crypto/conf/conf_def.c
M crypto/dsa/dsa_backend.c
M crypto/dsa/dsa_ossl.c
M crypto/dsa/dsa_sign.c
M crypto/ec/asm/ecp_nistp521-ppc64.pl
M crypto/ec/ecdsa_ossl.c
M crypto/ec/ecx_meth.c
M crypto/engine/eng_lib.c
M crypto/evp/ctrl_params_translate.c
M crypto/evp/digest.c
M crypto/evp/ec_ctrl.c
M crypto/evp/evp_pbe.c
M crypto/evp/keymgmt_meth.c
M crypto/evp/p_lib.c
M crypto/evp/pmeth_lib.c
M crypto/ffc/ffc_backend.c
M crypto/ffc/ffc_params.c
M crypto/http/http_client.c
M crypto/http/http_lib.c
M crypto/modes/asm/aes-gcm-armv8_64.pl
M crypto/objects/obj_dat.c
M crypto/property/property.c
M crypto/rand/rand_lib.c
M crypto/rsa/rsa_chk.c
M crypto/rsa/rsa_sp800_56b_gen.c
M crypto/sm2/sm2_sign.c
M crypto/threads_win.c
M crypto/ui/ui_lib.c
M crypto/ui/ui_util.c
M crypto/x509/pcy_local.h
M crypto/x509/pcy_node.c
M crypto/x509/pcy_tree.c
M crypto/x509/x509_vfy.c
M doc/internal/man3/ossl_cmp_certreq_new.pod
M doc/internal/man3/ossl_cmp_mock_srv_new.pod
M doc/internal/man3/ossl_cmp_msg_protect.pod
M doc/internal/man3/ossl_cmp_pkisi_get_status.pod
M doc/man1/openssl.pod
M doc/man3/ASN1_STRING_new.pod
M doc/man3/CMS_EncryptedData_decrypt.pod
M doc/man3/CMS_add0_cert.pod
M doc/man3/CMS_decrypt.pod
M doc/man3/EC_KEY_new.pod
M doc/man3/EC_POINT_add.pod
M doc/man3/EC_POINT_new.pod
M doc/man3/EVP_PKEY_set1_RSA.pod
M doc/man3/EVP_RAND.pod
M doc/man3/EVP_aes_128_gcm.pod
M doc/man3/EVP_aria_128_gcm.pod
M doc/man3/EVP_bf_cbc.pod
M doc/man3/EVP_blake2b512.pod
M doc/man3/EVP_camellia_128_ecb.pod
M doc/man3/EVP_cast5_cbc.pod
M doc/man3/EVP_chacha20.pod
M doc/man3/EVP_des_cbc.pod
M doc/man3/EVP_desx_cbc.pod
M doc/man3/EVP_idea_cbc.pod
M doc/man3/EVP_md2.pod
M doc/man3/EVP_md4.pod
M doc/man3/EVP_md5.pod
M doc/man3/EVP_mdc2.pod
M doc/man3/EVP_rc2_cbc.pod
M doc/man3/EVP_rc4.pod
M doc/man3/EVP_rc5_32_12_16_cbc.pod
M doc/man3/EVP_ripemd160.pod
M doc/man3/EVP_seed_cbc.pod
M doc/man3/EVP_sha1.pod
M doc/man3/EVP_sha224.pod
M doc/man3/EVP_sha3_224.pod
M doc/man3/EVP_sm3.pod
M doc/man3/EVP_sm4_cbc.pod
M doc/man3/EVP_whirlpool.pod
M doc/man3/OSSL_CMP_MSG_get0_header.pod
M doc/man3/OSSL_CRMF_MSG_set0_validity.pod
M doc/man3/OSSL_DECODER_from_bio.pod
M doc/man3/OSSL_PARAM.pod
M doc/man3/OSSL_PARAM_int.pod
M doc/man3/PEM_read_CMS.pod
M doc/man3/PKCS7_sign.pod
M doc/man3/SSL_CTX_set_options.pod
M doc/man3/SSL_CTX_set_split_send_fragment.pod
M doc/man3/SSL_SESSION_free.pod
M doc/man5/config.pod
M doc/man7/EVP_PKEY-EC.pod
M doc/man7/OSSL_PROVIDER-FIPS.pod
M doc/man7/OSSL_PROVIDER-default.pod
M doc/man7/crypto.pod
M doc/man7/provider-asym_cipher.pod
M doc/man7/provider-base.pod
M doc/man7/provider-cipher.pod
M doc/man7/provider-decoder.pod
M doc/man7/provider-digest.pod
M doc/man7/provider-keymgmt.pod
M doc/man7/provider-signature.pod
M engines/e_padlock.c
M include/internal/refcount.h
M include/openssl/cmp.h.in
M providers/implementations/asymciphers/rsa_enc.c
M providers/implementations/ciphers/cipher_tdes_common.c
M providers/implementations/kdfs/hkdf.c
M providers/implementations/keymgmt/rsa_kmgmt.c
M providers/implementations/rands/drbg.c
M providers/implementations/signature/rsa_sig.c
M ssl/record/rec_layer_d1.c
M ssl/record/rec_layer_s3.c
M ssl/ssl_cert.c
M ssl/ssl_sess.c
M ssl/t1_lib.c
M test/certs/mkcert.sh
M test/cmp_msg_test.c
M test/cmp_protect_test.c
M test/cmp_vfy_test.c
M test/destest.c
M test/dsatest.c
M test/dtlstest.c
M test/ecdsatest.c
M test/evp_extra_test.c
M test/evp_extra_test2.c
M test/helpers/ssltestlib.c
M test/helpers/ssltestlib.h
M test/recipes/15-test_mp_rsa.t
M test/recipes/30-test_evp_data/evpciph_aes_common.txt
M test/testutil/provider.c
M util/check-format-test-negatives.c
M util/check-format-test-positives.c
M util/check-format.pl
M util/find-doc-nits
M util/perl/OpenSSL/Ordinals.pm
M util/perl/OpenSSL/config.pm
Log Message:
-----------
Update copyright year
Reviewed-by: Richard Levitte <levitte at openssl.org>
Release: yes
Commit: e343845918bf624ede07aff4a516901a8dafe43e
https://github.com/openssl/openssl/commit/e343845918bf624ede07aff4a516901a8dafe43e
Author: Tomas Mraz <tomas at openssl.org>
Date: 2023-05-30 (Tue, 30 May 2023)
Changed paths:
M providers/fips-sources.checksums
M providers/fips.checksum
M providers/fips.module.sources
Log Message:
-----------
make update
Reviewed-by: Richard Levitte <levitte at openssl.org>
Release: yes
Commit: de90e54bbe82e5be4fb9608b6f5c308bb837d355
https://github.com/openssl/openssl/commit/de90e54bbe82e5be4fb9608b6f5c308bb837d355
Author: Tomas Mraz <tomas at openssl.org>
Date: 2023-05-30 (Tue, 30 May 2023)
Changed paths:
M CHANGES.md
M NEWS.md
M VERSION.dat
Log Message:
-----------
Prepare for release of 3.0.9
Reviewed-by: Richard Levitte <levitte at openssl.org>
Release: yes
Commit: d830c410988dbe5c76b6c9c83e63c437c78978c9
https://github.com/openssl/openssl/commit/d830c410988dbe5c76b6c9c83e63c437c78978c9
Author: Tomas Mraz <tomas at openssl.org>
Date: 2023-05-30 (Tue, 30 May 2023)
Changed paths:
M CHANGES.md
M NEWS.md
M VERSION.dat
Log Message:
-----------
Prepare for 3.0.10
Reviewed-by: Richard Levitte <levitte at openssl.org>
Release: yes
Compare: https://github.com/openssl/openssl/compare/3ecfc9e6b611...d830c410988d
More information about the openssl-commits
mailing list