# OpenSSL Advisory: August 1st, 2023
OpenSSL published [new releases](https://mta.openssl.org/pipermail/openssl-announce/2023-August/000268.html) covering security advisories from [July 19th](https://www.openssl.org/news/secadv/20230719.txt) and [July 31st](https://www.openssl.org/news/secadv/20230731.txt). Here’s how they affect BoringSSL:
CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL
----|---------|-----------------------|---------------------
CVE-2023-3446 | Excessive time spent checking DH keys and parameters | Low | See below
CVE-2023-3817 | Excessive time spent checking DH q parameter value | Low | See below
[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
## CVE-2023-3446 and CVE-2023-3817
Defining a cryptographic primitive involves picking “domain parameters”, such as ECC curves or, in the legacy Diffie-Hellman construction, integers p, q, and g that describe a multiplicative group.
Domain parameters are not part of keys. They are part of the algorithm itself and should be fixed, trusted values. However, whereas ECC converged on a small set of named curves (e.g. P-256), legacy Diffie-Hellman parameters vary wildly. As a result, OpenSSL’s and BoringSSL’s Diffie-Hellman APIs must allow arbitrary, caller-supplied domain parameters.
If the caller incorrectly supplies untrusted domain parameters, cryptographic properties of the algorithm may no longer hold. They additionally become an attack surface for further security issues. These advisories cover denial-of-service risks in such callers.
The new OpenSSL releases enforce bounds on domain parameters in `DH_check`. BoringSSL applied an analogous change on [August 14th](https://boringssl.googlesource.com/boringssl/+/d85444e741b73a77fe4359cd3db189482d4f4806). Additionally:
* Although OpenSSL’s advisory only discusses `DH_check`, large groups can impact other functions such as `DH_generate_key` and `DH_check_pub_key`. We bound all functions.
* OpenSSL supports a private key length parameter (`DH_set_length`). Large values can cause `DH_generate_key` to use excessive CPU. We mitigated this on [August 15th](https://boringssl.googlesource.com/boringssl/+/cb583e783500d92bbda9a850e43cd94df0b2d5e1).
We have reported these two additional cases to OpenSSL.
These issues do not impact our TLS implementation. Although the TLS 1.2 DHE construction did not correctly handle domain parameters, we removed DHE ciphers in [2017](https://boringssl.googlesource.com/boringssl/+/7e06de5d2d1b53c57c0c81e8d6ba4122b64cf626) for [related reasons](https://groups.google.com/a/chromium.org/g/blink-dev/c/AAdv838-koo/m/bJv17voIBAAJ). They additionally do not affect callers that correctly use Diffie-Hellman with trusted domain parameters.
As only incorrect uses are impacted, BoringSSL considers these changes to be a hardening measure, rather than a security fix. In particular, these checks do not ensure the group is suitable for use with Diffie-Hellman; they only enforce a DoS bound. Ultimately, callers of legacy Diffie-Hellman are responsible for selecting valid domain parameters. Callers are recommended to migrate to modern primitives, such as X25519 or ECDH with P-256.
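The kind of bound described above can also be applied by a caller at the point where untrusted parameters are parsed, before they reach any DH function. The following is an added example, not BoringSSL or OpenSSL code: the `ex_` names, the 2048 and 8192 bit limits, and the rule that a requested private key length may not exceed the bit length of p are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limits for this example, not the libraries' own bounds. */
#define EX_MIN_P_BITS 2048u
#define EX_MAX_P_BITS 8192u

typedef enum { EX_OK, EX_P_SIZE, EX_P_EVEN, EX_G_RANGE, EX_Q_RANGE, EX_PRIV_LEN } ex_result;

/* Bit length of a big-endian unsigned integer; leading zero bytes are ignored. */
static size_t be_bits(const uint8_t *in, size_t len) {
  while (len > 0 && *in == 0) { in++; len--; }
  size_t bits = len ? (len - 1) * 8 : 0;
  for (uint8_t top = len ? *in : 0; top != 0; top >>= 1) bits++;
  return bits;
}

/* Compares two big-endian integers. Not constant-time: parameters are public. */
static int be_cmp(const uint8_t *a, size_t a_len, const uint8_t *b, size_t b_len) {
  while (a_len > 0 && *a == 0) { a++; a_len--; }
  while (b_len > 0 && *b == 0) { b++; b_len--; }
  if (a_len != b_len) return a_len < b_len ? -1 : 1;
  return a_len ? memcmp(a, b, a_len) : 0;
}

/* Cheap size and range checks on untrusted (p, q, g) and a requested private
 * key length, run before any modular arithmetic. Pass q_len == 0 if no q was
 * supplied and priv_bits == 0 if no length was requested. Passing says only that
 * the work is bounded, not that the group is safe for Diffie-Hellman. */
ex_result ex_dh_bound_check(const uint8_t *p, size_t p_len, const uint8_t *q,
                            size_t q_len, const uint8_t *g, size_t g_len,
                            unsigned priv_bits) {
  static const uint8_t one[] = {1};
  size_t p_bits = be_bits(p, p_len);
  if (p_bits < EX_MIN_P_BITS || p_bits > EX_MAX_P_BITS) return EX_P_SIZE;
  if ((p[p_len - 1] & 1) == 0) return EX_P_EVEN;
  if (be_cmp(g, g_len, one, 1) <= 0 || be_cmp(g, g_len, p, p_len) >= 0) return EX_G_RANGE;
  if (q_len && (be_bits(q, q_len) == 0 || be_cmp(q, q_len, p, p_len) >= 0)) return EX_Q_RANGE;
  if (priv_bits > p_bits) return EX_PRIV_LEN;
  return EX_OK;
}

int main(void) {
  uint8_t p[256], g[] = {2}; /* constructed input: p = 2^2048 - 1 */
  memset(p, 0xff, sizeof(p));
  printf("result=%d\n", ex_dh_bound_check(p, sizeof(p), NULL, 0, g, sizeof(g), 0));
  return 0;
}
```

The constructed modulus 2^2048 - 1 is composite, yet it passes: the check bounds the work an attacker can force and says nothing about whether the group is valid.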