Dr S N Henson of the OpenSSL core team and Open Network Security recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test suite was run against OpenSSL two denial of service vulnerabilities were discovered. Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack. CVE-2006-2940 Any code which uses OpenSSL to parse ASN1 data from untrusted sources is affected. This includes SSL servers which enable client authentication, and S/MIME applications. diff -u -r1.37.2.2 dh.h --- crypto/dh/dh.h 9 Jan 2006 16:05:22 -0000 1.37.2.2 +++ crypto/dh/dh.h 15 Sep 2006 13:59:47 -0000 @@ -73,6 +73,8 @@ #include #endif +#define OPENSSL_DH_MAX_MODULUS_BITS 3072 + #define DH_FLAG_CACHE_MONT_P 0x01 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH * implementation now uses constant time @@ -214,6 +216,7 @@ #define DH_F_DHPARAMS_PRINT 100 #define DH_F_DHPARAMS_PRINT_FP 101 #define DH_F_DH_BUILTIN_GENPARAMS 106 +#define DH_F_DH_COMPUTE_KEY 107 #define DH_F_DH_NEW_METHOD 105 #define DH_F_GENERATE_KEY 103 #define DH_F_GENERATE_PARAMETERS 104 @@ -221,6 +224,7 @@ /* Reason codes. */ #define DH_R_BAD_GENERATOR 101 #define DH_R_INVALID_PUBKEY 102 +#define DH_R_MODULUS_TOO_LARGE 103 #define DH_R_NO_PRIVATE_VALUE 100 #ifdef __cplusplus diff -u -r1.11.2.2 dh_err.c --- crypto/dh/dh_err.c 9 Jan 2006 16:05:22 -0000 1.11.2.2 +++ crypto/dh/dh_err.c 15 Sep 2006 13:59:47 -0000 @@ -74,6 +74,7 @@ {ERR_FUNC(DH_F_DHPARAMS_PRINT), "DHparams_print"}, {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"}, {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"}, +{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"}, {ERR_FUNC(DH_F_DH_NEW_METHOD), "DH_new_method"}, {ERR_FUNC(DH_F_GENERATE_KEY), "GENERATE_KEY"}, {ERR_FUNC(DH_F_GENERATE_PARAMETERS), "GENERATE_PARAMETERS"}, @@ -84,6 +85,7 @@ { {ERR_REASON(DH_R_BAD_GENERATOR) ,"bad generator"}, {ERR_REASON(DH_R_INVALID_PUBKEY) ,"invalid public key"}, +{ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DH_R_NO_PRIVATE_VALUE) ,"no private value"}, {0,NULL} }; diff -u -r1.24.2.3 dh_key.c --- crypto/dh/dh_key.c 13 Mar 2006 23:12:06 -0000 1.24.2.3 +++ crypto/dh/dh_key.c 15 Sep 2006 13:59:47 -0000 @@ -179,6 +179,12 @@ int ret= -1; int check_result; + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) + { + DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE); + goto err; + } + ctx = BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); diff -u -r1.39 dsa.h --- crypto/dsa/dsa.h 16 May 2005 01:43:30 -0000 1.39 +++ crypto/dsa/dsa.h 15 Sep 2006 13:59:47 -0000 @@ -84,6 +84,8 @@ #endif #endif +#define OPENSSL_DSA_MAX_MODULUS_BITS 3072 + #define DSA_FLAG_CACHE_MONT_P 0x01 #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA * implementation now uses constant time @@ -270,8 +272,10 @@ #define DSA_F_SIG_CB 114 /* Reason codes. */ +#define DSA_R_BAD_Q_VALUE 102 #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100 #define DSA_R_MISSING_PARAMETERS 101 +#define DSA_R_MODULUS_TOO_LARGE 103 #ifdef __cplusplus } diff -u -r1.13 dsa_err.c --- crypto/dsa/dsa_err.c 12 Apr 2005 16:15:12 -0000 1.13 +++ crypto/dsa/dsa_err.c 15 Sep 2006 13:59:47 -0000 @@ -89,8 +89,10 @@ static ERR_STRING_DATA DSA_str_reasons[]= { +{ERR_REASON(DSA_R_BAD_Q_VALUE) ,"bad q value"}, {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"}, {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, +{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {0,NULL} }; diff -u -r1.24.2.1 dsa_ossl.c --- crypto/dsa/dsa_ossl.c 26 May 2005 04:40:57 -0000 1.24.2.1 +++ crypto/dsa/dsa_ossl.c 15 Sep 2006 13:59:47 -0000 @@ -304,6 +304,18 @@ return -1; } + if (BN_num_bits(dsa->q) != 160) + { + DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE); + return -1; + } + + if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) + { + DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE); + return -1; + } + BN_init(&u1); BN_init(&u2); BN_init(&t1); diff -u -r1.77.2.2 ec.h --- crypto/ec/ec.h 8 Jan 2006 21:52:43 -0000 1.77.2.2 +++ crypto/ec/ec.h 15 Sep 2006 13:59:47 -0000 @@ -93,6 +93,9 @@ #endif +#define OPENSSL_ECC_MAX_FIELD_BITS 661 + + typedef enum { /* values as defined in X9.62 (ECDSA) and elsewhere */ POINT_CONVERSION_COMPRESSED = 2, @@ -482,6 +485,7 @@ #define EC_R_D2I_ECPKPARAMETERS_FAILURE 117 #define EC_R_DISCRIMINANT_IS_ZERO 118 #define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 119 +#define EC_R_FIELD_TOO_LARGE 138 #define EC_R_GROUP2PKPARAMETERS_FAILURE 120 #define EC_R_I2D_ECPKPARAMETERS_FAILURE 121 #define EC_R_INCOMPATIBLE_OBJECTS 101 @@ -492,7 +496,9 @@ #define EC_R_INVALID_FIELD 103 #define EC_R_INVALID_FORM 104 #define EC_R_INVALID_GROUP_ORDER 122 +#define EC_R_INVALID_PENTANOMIAL_BASIS 132 #define EC_R_INVALID_PRIVATE_KEY 123 +#define EC_R_INVALID_TRINOMIAL_BASIS 137 #define EC_R_MISSING_PARAMETERS 124 #define EC_R_MISSING_PRIVATE_KEY 125 #define EC_R_NOT_A_NIST_PRIME 135 diff -u -r1.19.2.1 ec_asn1.c --- crypto/ec/ec_asn1.c 8 Feb 2006 19:16:13 -0000 1.19.2.1 +++ crypto/ec/ec_asn1.c 15 Sep 2006 14:05:39 -0000 @@ -741,6 +741,7 @@ EC_GROUP *ret = NULL; BIGNUM *p = NULL, *a = NULL, *b = NULL; EC_POINT *point=NULL; + long field_bits; if (!params->fieldID || !params->fieldID->fieldType || !params->fieldID->p.ptr) @@ -779,6 +780,13 @@ char_two = params->fieldID->p.char_two; + field_bits = char_two->m; + if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE); + goto err; + } + if ((p = BN_new()) == NULL) { ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_MALLOC_FAILURE); @@ -799,6 +807,13 @@ } tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis); + + if (!(char_two->m > tmp_long && tmp_long > 0)) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_TRINOMIAL_BASIS); + goto err; + } + /* create the polynomial */ if (!BN_set_bit(p, (int)char_two->m)) goto err; @@ -817,6 +832,13 @@ ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); goto err; } + + if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0)) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_PENTANOMIAL_BASIS); + goto err; + } + /* create the polynomial */ if (!BN_set_bit(p, (int)char_two->m)) goto err; if (!BN_set_bit(p, (int)penta->k1)) goto err; @@ -853,6 +875,20 @@ ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); goto err; } + + if (BN_is_negative(p) || BN_is_zero(p)) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD); + goto err; + } + + field_bits = BN_num_bits(p); + if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE); + goto err; + } + /* create the EC_GROUP structure */ ret = EC_GROUP_new_curve_GFp(p, a, b, NULL); } @@ -910,6 +946,16 @@ ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); goto err; } + if (BN_is_negative(a) || BN_is_zero(a)) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER); + goto err; + } + if (BN_num_bits(a) > (int)field_bits + 1) /* Hasse bound */ + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER); + goto err; + } /* extract the cofactor (optional) */ if (params->cofactor == NULL) diff -u -r1.36.2.2 ec_err.c --- crypto/ec/ec_err.c 9 Jan 2006 16:05:20 -0000 1.36.2.2 +++ crypto/ec/ec_err.c 15 Sep 2006 13:59:47 -0000 @@ -188,6 +188,7 @@ {ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE),"d2i ecpkparameters failure"}, {ERR_REASON(EC_R_DISCRIMINANT_IS_ZERO) ,"discriminant is zero"}, {ERR_REASON(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),"ec group new by name failure"}, +{ERR_REASON(EC_R_FIELD_TOO_LARGE) ,"field too large"}, {ERR_REASON(EC_R_GROUP2PKPARAMETERS_FAILURE),"group2pkparameters failure"}, {ERR_REASON(EC_R_I2D_ECPKPARAMETERS_FAILURE),"i2d ecpkparameters failure"}, {ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS) ,"incompatible objects"}, @@ -198,7 +199,9 @@ {ERR_REASON(EC_R_INVALID_FIELD) ,"invalid field"}, {ERR_REASON(EC_R_INVALID_FORM) ,"invalid form"}, {ERR_REASON(EC_R_INVALID_GROUP_ORDER) ,"invalid group order"}, +{ERR_REASON(EC_R_INVALID_PENTANOMIAL_BASIS),"invalid pentanomial basis"}, {ERR_REASON(EC_R_INVALID_PRIVATE_KEY) ,"invalid private key"}, +{ERR_REASON(EC_R_INVALID_TRINOMIAL_BASIS),"invalid trinomial basis"}, {ERR_REASON(EC_R_MISSING_PARAMETERS) ,"missing parameters"}, {ERR_REASON(EC_R_MISSING_PRIVATE_KEY) ,"missing private key"}, {ERR_REASON(EC_R_NOT_A_NIST_PRIME) ,"not a NIST prime"}, diff -u -r1.55.2.6 rsa.h --- crypto/rsa/rsa.h 6 Sep 2006 06:43:25 -0000 1.55.2.6 +++ crypto/rsa/rsa.h 15 Sep 2006 13:59:48 -0000 @@ -159,6 +159,11 @@ BN_BLINDING *mt_blinding; }; +#define OPENSSL_RSA_MAX_MODULUS_BITS 16384 + +#define OPENSSL_RSA_SMALL_MODULUS_BITS 3072 +#define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "small" modulus only */ + #define RSA_3 0x3L #define RSA_F4 0x10001L @@ -407,6 +412,7 @@ #define RSA_R_IQMP_NOT_INVERSE_OF_Q 126 #define RSA_R_KEY_SIZE_TOO_SMALL 120 #define RSA_R_LAST_OCTET_INVALID 134 +#define RSA_R_MODULUS_TOO_LARGE 105 #define RSA_R_NO_PUBLIC_EXPONENT 140 #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 diff -u -r1.46.2.6 rsa_eay.c --- crypto/rsa/rsa_eay.c 6 Sep 2006 06:43:25 -0000 1.46.2.6 +++ crypto/rsa/rsa_eay.c 15 Sep 2006 13:59:48 -0000 @@ -168,6 +168,28 @@ unsigned char *buf=NULL; BN_CTX *ctx=NULL; + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; + } + + if (BN_ucmp(rsa->n, rsa->e) <= 0) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + + /* for large moduli, enforce exponent limit */ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) + { + if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + } + if ((ctx=BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); f = BN_CTX_get(ctx); @@ -597,6 +619,28 @@ unsigned char *buf=NULL; BN_CTX *ctx=NULL; + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; + } + + if (BN_ucmp(rsa->n, rsa->e) <= 0) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + + /* for large moduli, enforce exponent limit */ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) + { + if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + } + if((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); f = BN_CTX_get(ctx); diff -u -r1.17.2.5 rsa_err.c --- crypto/rsa/rsa_err.c 6 Sep 2006 06:43:26 -0000 1.17.2.5 +++ crypto/rsa/rsa_err.c 15 Sep 2006 13:59:48 -0000 @@ -137,6 +137,7 @@ {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"}, {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, {ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"}, +{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"}, {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"}, {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},