author | tb <> | 2022-02-24 08:31:11 +0000 |
---|---|---|
committer | tb <> | 2022-02-24 08:31:11 +0000 |
commit | 3e848a5d39e531c0032e55e9a21fa7baca49e241 (patch) | |
tree | c755575c2146974ab21cf2e63c0f552662fe2d03 /src | |
parent | a59b14b2d3f8047fe5b687d37304433773603a3f (diff) | |
Add sanity checks on p and q in old_dsa_priv_decode()
dsa_do_verify() has checks on dsa->p and dsa->q that ensure that p isn't
overly long and that q has one of the three allowed lengths specified in
FIPS 186-3, namely 160, 224, or 256 bits.
Do these checks on deserialization of DSA keys without parameters. This
means that we will now reject keys we would previously deserialize. Such
keys are useless in that signatures generated by them would be rejected
by both LibreSSL and OpenSSL.
This avoids a timeout flagged in oss-fuzz #26899 due to a ridiculous
DSA key whose q has size 65KiB. The timeout comes from additional checks
on DSA keys added by miod in dsa_ameth.c r1.18, especially checking such
a humungous number for primality is expensive.
ok jsing
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libcrypto/dsa/dsa_ameth.c | 16 |
1 files changed, 15 insertions, 1 deletions
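--- a/src/lib/libcrypto/dsa/dsa_ameth.c
+++ b/src/lib/libcrypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.32 2022/01/15 04:02:37 tb Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.33 2022/02/24 08:31:11 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -480,12 +480,26 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
 DSA *dsa;
 BN_CTX *ctx = NULL;
 BIGNUM *j, *p1, *newp1;
+int qbits;
 
 if (!(dsa = d2i_DSAPrivateKey(NULL, pder, derlen))) {
 DSAerror(ERR_R_DSA_LIB);
 return 0;
 }
 
+DSA_print_fp(stdout, dsa, 0);
+
+/* FIPS 186-3 allows only three different sizes for q. */
+qbits = BN_num_bits(dsa->q);
+if (qbits != 160 && qbits != 224 && qbits != 256) {
+DSAerror(DSA_R_BAD_Q_VALUE);
+goto err;
+}
+if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+DSAerror(DSA_R_MODULUS_TOO_LARGE);
+goto err;
+}
+
 ctx = BN_CTX_new();
 if (ctx == NULL)
 goto err;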
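Review bot: The added `DSA_print_fp(stdout, dsa, 0);` (new line 490) looks like a debugging leftover rather than part of the sanity checks: it runs on every call to old_dsa_priv_decode(), before q and p have been validated, and DSA_print_fp() formats the key's components, private value included, so any program that decodes a legacy DSA private key would write it to its standard output. The commit message does not mention it, and I would delete the line so the hunk adds only the `qbits` and `BN_num_bits(dsa->p)` checks. It is also worth a brief comment above the checks saying they mirror the limits in dsa_do_verify(), e.g. `/* Same limits as dsa_do_verify(); reject early to avoid costly primality checks. */`. The function body and its `err:` label lie outside the hunk, so I am assuming `err` frees `dsa`.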