Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add missing range checks on number of multi primes in rsa_ossl_mod_exp #4862

Closed
wants to merge 1 commit into from
Closed

Add missing range checks on number of multi primes in rsa_ossl_mod_exp #4862

wants to merge 1 commit into from

Conversation

bernd-edlinger
Copy link
Member

I think this could even crash when the imported RSA key has too many primes.

@bernd-edlinger bernd-edlinger mentioned this pull request Dec 7, 2017
Closed
2 tasks
@levitte
Copy link
Member

levitte commented Dec 7, 2017

Why is this needed? I've had the time to check now, and I'm finding checks here (general RSA key checker), here (RSA key generation) and here (RSA security bits). Before rsa_ossl_mod_exp is ever called, I assume one of those already existing checks are already performed (possible via the EVP_PKEY_check) somewhere along the way.

@bernd-edlinger
Copy link
Member Author

It is at least not obvious at all why there is no buffer overrun at

openssl/crypto/rsa/rsa_ossl.c

Line 760 in f47270e

if ((m[i] = BN_CTX_get(ctx)) == NULL) {
.
I may be wrong, but what if a manipulated 19-key prime ASN.1 is read in,
and the app does not call RSA_check_key or RSA_security_bits
and goes directly to RSA_private_decrypt or RSA_sign ?

levitte
levitte reviewed Dec 7, 2017
View reviewed changes
crypto/rsa/rsa_ossl.c
@@ -618,7 +618,8 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
goto err;

if (rsa->version == RSA_ASN1_VERSION_MULTI
&& (ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0)
&& ((ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) <= 0
|| ex_primes > RSA_MAX_PRIME_NUM - 2))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could make that || ex_primes > sizeof(m))...

@levitte
Copy link
Member

levitte commented Dec 7, 2017

I totally missed the intent with this PR. Sorry 'bout that, brain now awake.

levitte
levitte approved these changes Dec 7, 2017
View reviewed changes
Copy link
Member

@levitte levitte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks ok to me, regardless of if you heed my last comment or not.

@mattcaswell mattcaswell added the approval: done This pull request has the required number of approvals label Dec 8, 2017
levitte pushed a commit that referenced this pull request Dec 8, 2017
@bernd-edlinger
Add missing range checks on number of multi primes in rsa_ossl_mod_exp
a147158 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #4862)
@bernd-edlinger
Copy link
Member Author

Merged. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@levitte levitte levitte approved these changes

Assignees
No one assigned
Labels
approval: done This pull request has the required number of approvals
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@bernd-edlinger @levitte @mattcaswell