Harden asn1 oid loader to invalid inputs [3.0, 3.1] #23034

Closed

@nhorman nhorman commented Dec 13, 2023

In the event that a config file contains this sequence:

openssl_conf = openssl_init

config_diagnostics = 1

[openssl_init]
oid_section = oids

[oids]
testoid1 = 1.2.3.4.1
testoid2 = A Very Long OID Name, 1.2.3.4.2
testoid3 = ,1.2.3.4.3

The leading comma in testoid3 can cause a heap buffer overflow, as the parsing code will move the string pointer back 1 character, thereby pointing to an invalid memory space

correct the parser to detect this condition and handle it by treating it as if the comma doesn't exist (i.e. an empty long oid name)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #22957)

(cherry picked from commit a552c23)

Checklist
  • tests are added or updated
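
The bounds condition described in the PR text, as an added C illustration (not OpenSSL's code and not the patch from this PR). `split_oid_value` and `struct oid_entry` are hypothetical names, and the sketch assumes an empty or whitespace-only long name is reported as absent:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One parsed "[long name,] dotted.oid" value (hypothetical type). */
struct oid_entry {
    const char *ln;   /* long name start, NULL when absent or empty */
    size_t ln_len;    /* long name length after trimming whitespace */
    const char *oid;  /* start of the OID text */
};

/* Split at the last comma; returns 1 on success, 0 when no OID is present. */
int split_oid_value(const char *value, struct oid_entry *out)
{
    const char *comma = strrchr(value, ',');
    const char *start = value, *end = comma;

    out->ln = NULL;
    out->ln_len = 0;
    out->oid = (comma != NULL) ? comma + 1 : value;
    while (isspace((unsigned char)*out->oid))
        out->oid++;
    if (*out->oid == '\0')
        return 0;                       /* "name," or an empty value */
    if (comma == NULL)
        return 1;                       /* plain "1.2.3.4.1" */
    while (start < end && isspace((unsigned char)*start))
        start++;
    /* Half-open [start, end): end[-1] is read only while end > start, so for
     * ",1.2.3.4.3" (comma at value[0]) nothing before the buffer is touched. */
    while (end > start && isspace((unsigned char)end[-1]))
        end--;
    if (end > start) {
        out->ln = start;
        out->ln_len = (size_t)(end - start);
    }
    return 1;
}

int main(void)
{
    /* The three [oids] values from the config in the PR description. */
    const char *v[] = { "1.2.3.4.1", "A Very Long OID Name, 1.2.3.4.2", ",1.2.3.4.3" };
    struct oid_entry e;
    for (int i = 0; i < 3; i++)
        if (split_oid_value(v[i], &e))
            printf("ln='%.*s' oid='%s'\n", (int)e.ln_len, e.ln ? e.ln : "", e.oid);
    return 0;
}
```

Building a parser like this with AddressSanitizer (`-fsanitize=address`) and feeding it the `testoid3` line is a quick regression check for the one-byte read before the buffer.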

@nhorman nhorman self-assigned this Dec 13, 2023
@t8m t8m added labels Dec 13, 2023: branch: 3.0; branch: 3.1; branch: 3.2; approval: review pending; approval: otc review pending; triaged: bug; tests: present
@t8m t8m removed labels Dec 13, 2023: approval: otc review pending; branch: 3.2
@t8m t8m changed the title from "Harden asn1 oid loader to invalid inputs" to "Harden asn1 oid loader to invalid inputs [3.0, 3.1]" Dec 13, 2023

@tom-cosgrove-arm tom-cosgrove-arm left a comment

LGTM; faithful backport

@tom-cosgrove-arm tom-cosgrove-arm added label approval: done and removed label approval: review pending Dec 14, 2023

nhorman commented Dec 14, 2023

Thank you for the reviews, but I'm concerned about the failing CI. It doesn't seem related, but appears consistently.


t8m commented Dec 14, 2023

@nhorman the fix for the failing CI is #23008 (still waiting for 2 approvals) and #23009 (that one is approved)

@openssl-machine

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.


t8m commented Dec 15, 2023

Merged to the 3.1 and 3.0 branches. Thank you.

@t8m t8m closed this Dec 15, 2023
openssl-machine pushed a commit that referenced this pull request Dec 15, 2023
(cherry picked from commit a552c23)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #23034)
openssl-machine pushed a commit that referenced this pull request Dec 15, 2023
(cherry picked from commit a552c23)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #23034)

(cherry picked from commit d802bfb)
bernd-edlinger pushed a commit to bernd-edlinger/openssl that referenced this pull request Dec 15, 2023
(cherry picked from commit a552c23)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#23034)

(cherry picked from commit d802bfb)
@bernd-edlinger

The new test broke ./config no-des

80-test_cms.t .. 5/? 
No cipher selected
../../util/wrap.pl ../../apps/openssl cms -provider-path ../../providers -provider default -encrypt -in ../../test/smcont.txt -out smtst.cms -stream -recip ../../test/smime-certs/smrsa1.pem -keyopt 'rsa_padding_mode:oaep' -recip ../../test/smime-certs/smrsa2.pem -keyopt 'rsa_padding_mode:oaep' -recip ../../test/smime-certs/smrsa3-cert.pem -keyopt 'rsa_padding_mode:oaep' => 2
    not ok 1 - encrypt to three recipients with RSA-OAEP (avoid openssl/project issue\#380)
# ------------------------------------------------------------------------------
    #   Failed test 'encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)'
    #   at test/recipes/80-test_cms.t line 1194.
Can't open "smtst.cms" for reading, No such file or directory
406C3465197F0000:error:80000002:system library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen(smtst.cms, r)
406C3465197F0000:error:10000080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:75:
../../util/wrap.pl ../../apps/openssl cms -provider-path ../../providers -provider default -decrypt -in smtst.cms -out smtst.txt -inkey ../../test/smime-certs/smrsa3-key.pem => 2
    not ok 2 - decrypt with key only
# ------------------------------------------------------------------------------
    #   Failed test 'decrypt with key only'
    #   at test/recipes/80-test_cms.t line 1208.
    not ok 3 - compare original message with decrypted ciphertext
# ------------------------------------------------------------------------------
    #   Failed test 'compare original message with decrypted ciphertext'
    #   at test/recipes/80-test_cms.t line 1216.
    #          got: '-1'
    #     expected: '0'
    # Looks like you failed 3 tests of 3.
not ok 23 - encrypt to three recipients with RSA-OAEP, key only decrypt
# ------------------------------------------------------------------------------
#   Failed test 'encrypt to three recipients with RSA-OAEP, key only decrypt'
#   at /home/ed/ossl/openssl/util/perl/OpenSSL/Test.pm line 1322.
80-test_cms.t .. Dubious, test returned 1 (wstat 256, 0x100)


nhorman commented Dec 18, 2023

See comment from @t8m above. It's a separate issue waiting to be merged.

@bernd-edlinger

No, this is yet another issue. Fix is in #23086.

wanghao75 pushed a commit to openeuler-mirror/openssl that referenced this pull request Dec 22, 2023
(cherry picked from commit a552c23c6502592c1b3c67d93dd7e5ffbe958aa4)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl/openssl#23034)

Signed-off-by: lanming1120 <lanming1120@126.com>
wanghao75 pushed a commit to openeuler-mirror/openssl that referenced this pull request Dec 22, 2023
(cherry picked from commit a552c23c6502592c1b3c67d93dd7e5ffbe958aa4)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl/openssl#23034)

(cherry picked from commit d802bfbf80bab00123a4a6209f255852b3a10207)
Signed-off-by: lanming1120 <lanming1120@126.com>