diff options
author | Tomas Mraz <tomas@openssl.org> | 2023-12-22 16:25:56 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-01-15 10:54:34 +0100 |
commit | e09fc1d746a4fd15bb5c3d7bbbab950aadd005db (patch) | |
tree | a5355086a070e72c0862e296810731a5e924003c /crypto | |
parent | 486ab0fb003d05f89620662260486d31bd3faa8c (diff) | |
download | openssl-e09fc1d746a4fd15bb5c3d7bbbab950aadd005db.tar.gz |
Limit the execution time of RSA public key check
Fixes CVE-2023-6237
If a large and incorrect RSA public key is checked with
EVP_PKEY_public_check() the computation could take very long time
due to no limit being applied to the RSA public key size and
unnecessarily high number of Miller-Rabin algorithm rounds
used for non-primality check of the modulus.
Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
Also the number of Miller-Rabin rounds was set to 5.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/rsa/rsa_sp800_56b_check.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c index e6b79e953d..9c855a7978 100644 --- a/crypto/rsa/rsa_sp800_56b_check.c +++ b/crypto/rsa/rsa_sp800_56b_check.c @@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) return 0; nbits = BN_num_bits(rsa->n); + if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); + return 0; + } + #ifdef FIPS_MODULE /* * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) @@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) goto err; } - ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); + /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ + ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); #ifdef FIPS_MODULE if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { #else |