OpenSSL published new releases covering security advisories from July 19th and July 31st. Here’s how they affect BoringSSL:

| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2023-3446 | Excessive time spent checking DH keys and parameters | Low | See below |
| CVE-2023-3817 | Excessive time spent checking DH q parameter value | Low | See below |

Defining a cryptographic primitive involves picking “domain parameters”, such as ECC curves or, in the legacy Diffie-Hellman construction, integers p, q, and g that describe a multiplicative group.
Domain parameters are not part of keys. They are part of the algorithm itself and should be fixed, trusted values. However, whereas ECC converged on a small set of named curves (e.g. P-256), legacy Diffie-Hellman parameters vary wildly. As a result, OpenSSL’s and BoringSSL’s Diffie-Hellman APIs must allow arbitrary, caller-supplied domain parameters.
If the caller incorrectly supplies untrusted domain parameters, cryptographic properties of the algorithm may no longer hold. They additionally become an attack surface for further security issues. These advisories cover denial-of-service risks in such callers.
The new OpenSSL releases enforce bounds on domain parameters in DH_check. BoringSSL applied an analogous change on August 14th. Additionally:
- Beyond DH_check, large groups can impact other functions such as DH_generate_key and DH_check_pub_key. We bound all functions.
- Callers may also set an explicit private key length (DH_set_length). Large values can cause DH_generate_key to use excessive CPU. We mitigated this on August 15th.

We have reported these two additional cases to OpenSSL.
These issues do not impact our TLS implementation. Although the TLS 1.2 DHE construction did not correctly handle domain parameters, we removed DHE ciphers in 2017 for related reasons. They additionally do not affect callers that correctly use Diffie-Hellman with trusted domain parameters.
As only incorrect uses are impacted, BoringSSL considers these changes to be a hardening measure, rather than a security fix. In particular, these checks do not ensure the group is suitable for use with Diffie-Hellman—they only enforce a DoS bound. Ultimately, callers of legacy Diffie-Hellman are responsible for selecting valid domain parameters. Callers are recommended to migrate to modern primitives, such as X25519 or ECDH with P-256.
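The following is an added illustration of the hardening described above (the bounds on DH_check, DH_generate_key and the DH_set_length private key length) and of the caveat that such bounds only cap CPU cost and say nothing about whether the group is suitable. It is not BoringSSL or OpenSSL code: the bound constants, the function names and the toy group (p = 23 with an order-11 subgroup) are assumptions constructed for this example.

```python
"""Cheap size bounds in front of expensive Diffie-Hellman parameter work.

Added illustration, not BoringSSL or OpenSSL code. It models the shape of the
hardening described in the text: reject caller-supplied domain parameters (and
an explicitly requested private-key length) that exceed a fixed bound before
running anything whose cost grows with their size, namely primality testing in
a DH_check-style routine and exponentiation in a DH_generate_key-style routine.
The bound constants and function names are assumptions chosen for this example.
"""
import random

# Assumed policy bounds for this example (not the libraries' constants).
MAX_MODULUS_BITS = 10000    # largest p we are willing to spend CPU on
MAX_PRIV_LEN_BITS = 4096    # largest explicitly requested private-key length


class DHParamError(ValueError):
    """Raised when domain parameters fail a bound or a structural check."""


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test. Its cost grows steeply with the bit length of n,
    which is why running it on an unbounded caller-supplied modulus is a
    denial-of-service vector."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed keeps the example reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_bounds(p, q=None, priv_len=None):
    """The DoS bound: cheap in the size of the inputs, run before any
    expensive work. Passing it says nothing about whether the group is sound."""
    if p.bit_length() > MAX_MODULUS_BITS:
        raise DHParamError("modulus too large")
    if q is not None and q.bit_length() > p.bit_length():
        raise DHParamError("q larger than modulus")
    if priv_len is not None and priv_len > MAX_PRIV_LEN_BITS:
        raise DHParamError("private key length too large")


def dh_check(p, q, g, priv_len=None):
    """Bounded analogue of DH_check: bounds first, then the structural checks
    (p and q prime, q divides p-1, g generates the order-q subgroup)."""
    check_bounds(p, q, priv_len)
    if not 1 < g < p - 1:
        raise DHParamError("generator out of range")
    if not _is_probable_prime(p):
        raise DHParamError("p is not prime")
    if q is not None:
        if not _is_probable_prime(q):
            raise DHParamError("q is not prime")
        if (p - 1) % q != 0:
            raise DHParamError("q does not divide p-1")
        if pow(g, q, p) != 1:
            raise DHParamError("g does not generate the order-q subgroup")
    return True


def dh_check_result(p, q, g, priv_len=None):
    """Convenience wrapper returning "ok" or the failing check's message."""
    try:
        dh_check(p, q, g, priv_len)
        return "ok"
    except DHParamError as e:
        return str(e)


def generate_key(p, q, g, priv_len=None, seed=1):
    """Bounded analogue of DH_generate_key. A requested private-key length is
    honoured only within the bound and never beyond the size of the subgroup,
    so a huge DH_set_length-style value cannot force a huge exponentiation."""
    check_bounds(p, q, priv_len)
    upper = q if q is not None else p - 1          # private key x in [1, upper)
    if priv_len:
        upper = min(upper, 1 << priv_len)
    x = random.Random(seed).randrange(1, upper)    # fixed seed: example only
    return x, pow(g, x, p)


if __name__ == "__main__":
    # Constructed toy group: p = 23, order-11 subgroup generated by g = 2.
    print(dh_check_result(23, 11, 2))                                   # ok
    print(dh_check_result(23, 11, 5))                                   # g does not generate the order-q subgroup
    print(dh_check_result((1 << (MAX_MODULUS_BITS + 1)) | 1, None, 2))  # modulus too large
    print(dh_check_result(23, 11, 2, priv_len=1 << 20))                 # private key length too large
    print(generate_key(23, 11, 2, priv_len=3))
```

Note that a 5-bit group passes dh_check: the bounds and structural checks reject malformed or oversized input, but a group can be well-formed and still far too small to be secure. That is the point the text makes: the bound is a hardening measure against DoS, and choosing a sound group (or moving to X25519 or P-256 ECDH) remains the caller's job.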