main/openssl: also fix CVE-2024-4063
1 parent
08172eb
commit 28e4957
Showing
1 changed file
with
174 additions
and
0 deletions.
@@ -0,0 +1,174 @@ | ||
Patch-Source: https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e | ||
-- | ||
From 53ea06486d296b890d565fb971b2764fcd826e7e Mon Sep 17 00:00:00 2001 | ||
From: Tomas Mraz <tomas@openssl.org> | ||
Date: Wed, 8 May 2024 15:23:45 +0200 | ||
Subject: [PATCH] Check DSA parameters for excessive sizes before validating | ||
|
||
This avoids overly long computation of various validation | ||
checks. | ||
|
||
Fixes CVE-2024-4603 | ||
|
||
Reviewed-by: Paul Dale <ppzgs1@gmail.com> | ||
Reviewed-by: Matt Caswell <matt@openssl.org> | ||
Reviewed-by: Neil Horman <nhorman@openssl.org> | ||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> | ||
(Merged from https://github.com/openssl/openssl/pull/24346) | ||
|
||
(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b) | ||
--- | ||
CHANGES.md | 17 +++++- | ||
crypto/dsa/dsa_check.c | 44 ++++++++++++-- | ||
.../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++ | ||
3 files changed, 113 insertions(+), 5 deletions(-) | ||
create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem | ||
|
||
diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c | ||
index 7b6d7df88fdb8..e1375dfad9c0f 100644 | ||
--- a/crypto/dsa/dsa_check.c | ||
+++ b/crypto/dsa/dsa_check.c | ||
@@ -19,8 +19,34 @@ | ||
#include "dsa_local.h" | ||
#include "crypto/dsa.h" | ||
|
||
+static int dsa_precheck_params(const DSA *dsa, int *ret) | ||
+{ | ||
+ if (dsa->params.p == NULL || dsa->params.q == NULL) { | ||
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS); | ||
+ *ret = FFC_CHECK_INVALID_PQ; | ||
+ return 0; | ||
+ } | ||
+ | ||
+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) { | ||
+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE); | ||
+ *ret = FFC_CHECK_INVALID_PQ; | ||
+ return 0; | ||
+ } | ||
+ | ||
+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) { | ||
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE); | ||
+ *ret = FFC_CHECK_INVALID_PQ; | ||
+ return 0; | ||
+ } | ||
+ | ||
+ return 1; | ||
+} | ||
+ | ||
int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) | ||
{ | ||
+ if (!dsa_precheck_params(dsa, ret)) | ||
+ return 0; | ||
+ | ||
if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) | ||
return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, | ||
FFC_PARAM_TYPE_DSA, ret); | ||
@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) | ||
*/ | ||
int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) | ||
{ | ||
+ if (!dsa_precheck_params(dsa, ret)) | ||
+ return 0; | ||
+ | ||
return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret) | ||
&& *ret == 0; | ||
} | ||
@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) | ||
*/ | ||
int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret) | ||
{ | ||
+ if (!dsa_precheck_params(dsa, ret)) | ||
+ return 0; | ||
+ | ||
return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret) | ||
&& *ret == 0; | ||
} | ||
@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret) | ||
{ | ||
*ret = 0; | ||
|
||
- return (dsa->params.q != NULL | ||
- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret)); | ||
+ if (!dsa_precheck_params(dsa, ret)) | ||
+ return 0; | ||
+ | ||
+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret); | ||
} | ||
|
||
/* | ||
@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa) | ||
BN_CTX *ctx = NULL; | ||
BIGNUM *pub_key = NULL; | ||
|
||
- if (dsa->params.p == NULL | ||
- || dsa->params.g == NULL | ||
+ if (!dsa_precheck_params(dsa, &ret)) | ||
+ return 0; | ||
+ | ||
+ if (dsa->params.g == NULL | ||
|| dsa->priv_key == NULL | ||
|| dsa->pub_key == NULL) | ||
return 0; | ||
diff --git a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem | ||
new file mode 100644 | ||
index 0000000000000..e85e2953b7a24 | ||
--- /dev/null | ||
+++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem | ||
@@ -0,0 +1,57 @@ | ||
+-----BEGIN DSA PARAMETERS----- | ||
+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja | ||
+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil | ||
+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF | ||
+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk | ||
+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW | ||
+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb | ||
+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O | ||
+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ | ||
+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5 | ||
+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2 | ||
+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB | ||
+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN | ||
+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl | ||
+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ | ||
+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg | ||
+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG | ||
+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE | ||
+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN | ||
+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2 | ||
+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8 | ||
+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd | ||
+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW | ||
+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9 | ||
+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7 | ||
+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s | ||
+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs | ||
+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN | ||
+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy | ||
+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx | ||
+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36 | ||
+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2 | ||
+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B | ||
+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8 | ||
+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W | ||
+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl | ||
++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX | ||
+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq | ||
+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX | ||
+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot | ||
+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK | ||
+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco | ||
+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD | ||
+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3 | ||
+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy | ||
+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct | ||
+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+ | ||
+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd | ||
+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG | ||
+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E | ||
+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk | ||
+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF | ||
+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d | ||
+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa | ||
+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D | ||
+vKuje86bePD6kD/LH3wmkA== | ||
+-----END DSA PARAMETERS----- |
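Review bot: The CVE identifier in the commit title (CVE-2024-4063) does not match the one the added patch file itself claims to fix: its upstream preamble reads `Fixes CVE-2024-4603`, and the dsa_check.c hunks (the new `dsa_precheck_params()` bounding `BN_num_bits(p)` by `OPENSSL_DSA_MAX_MODULUS_BITS` and requiring `q` shorter than `p`) are the DSA parameter-size fix that identifier refers to, so one of the two strings is presumably a transposition and should be aligned before this lands, since downstream advisory tracking keys on it. The retained upstream diffstat also still lists `CHANGES.md | 17 +++++-` and "3 files changed", but only the dsa_check.c and p10240_q256_too_big.pem diffs are carried in the file; a one-line note under the Patch-Source line saying the CHANGES.md hunk was intentionally dropped would stop a reader from assuming the patch is truncated. The C changes themselves are upstream-reviewed and the precheck is wired into every validation entry point, including the pairwise check via `&ret`; the bodies of those functions continue outside the quoted hunks, so the local `ret` in `ossl_dsa_check_pairwise` is not visible here and is inferred to be declared earlier.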