Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check DSA parameters for excessive sizes before validating #24346

Closed
wants to merge 5 commits into from
Closed

Check DSA parameters for excessive sizes before validating #24346

wants to merge 5 commits into from

Conversation

t8m
Copy link
Member

@t8m t8m commented May 8, 2024

This avoids overly long computation of various validation checks.

Fixes CVE-2024-4603
(Low severity)

t8m added 2 commits May 8, 2024 14:58
@t8m t8m added branch: master Merge to master branch approval: review pending This pull request needs review by a committer approval: otc review pending This pull request needs review by an OTC member triaged: bug The issue/pr is/fixes a bug branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 tests: present The PR has suitable tests present branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 labels May 8, 2024
@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label May 8, 2024
@paulidale paulidale removed the approval: otc review pending This pull request needs review by an OTC member label May 8, 2024
@t8m
Copy link
Member Author

t8m commented May 9, 2024

@paulidale please reconfirm, I was too eager with always checking the g value - it cannot be mandatory in the ACVP tests.

@t8m t8m requested a review from a team May 10, 2024 11:49
@t8m t8m requested review from slontis and a team May 14, 2024 07:14
@t8m
Copy link
Member Author

t8m commented May 14, 2024

@paulidale please reconfirm again

nhorman
nhorman requested changes May 14, 2024
View reviewed changes
crypto/dsa/dsa_check.c
return 0;
}

if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this the correct check here? considering the situation in which p is fairly small (well below the OPENSSL_DSA_MAX_MODULUS_BITS, and q is only slightly larger, this test will erroneously fail, no?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

q must never be larger or equal to p.

mattcaswell
mattcaswell approved these changes May 14, 2024
View reviewed changes
Copy link
Member

@mattcaswell mattcaswell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved subject to the minor nit fix

CHANGES.md Outdated Show resolved Hide resolved
@nhorman nhorman self-requested a review May 14, 2024 14:09
@paulidale paulidale added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels May 15, 2024
@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels May 16, 2024
@openssl-machine
Copy link
Collaborator

This pull request is ready to merge

openssl-machine pushed a commit that referenced this pull request May 16, 2024
@t8m
Sync up CHANGES.md with 3.3 branch
e91579d 
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #24346)
openssl-machine pushed a commit that referenced this pull request May 16, 2024
@t8m
Check DSA parameters for excessive sizes before validating
85ccbab 
This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #24346)
openssl-machine pushed a commit that referenced this pull request May 16, 2024
@t8m
Check DSA parameters for excessive sizes before validating
53ea064 
This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #24346)

(cherry picked from commit 85ccbab)
openssl-machine pushed a commit that referenced this pull request May 16, 2024
@t8m
Check DSA parameters for excessive sizes before validating
da343d0 
This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #24346)

(cherry picked from commit 85ccbab)
@t8m
Copy link
Member Author

t8m commented May 16, 2024

Merged to all the active branches. Thank you for the reviews.

@t8m t8m closed this May 16, 2024
openssl-machine pushed a commit that referenced this pull request May 16, 2024
@t8m
Check DSA parameters for excessive sizes before validating
9c39b38 
This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #24346)

(cherry picked from commit 85ccbab)
openssl-machine pushed a commit that referenced this pull request May 16, 2024
@t8m
Check DSA parameters for excessive sizes before validating
3559e86 
This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #24346)

(cherry picked from commit 85ccbab)
eclipse-oniro-oh-bot pushed a commit to eclipse-oniro-mirrors/third_party_openssl that referenced this pull request May 19, 2024
@t8m
Check DSA parameters for excessive sizes before validating
5478fa4 
This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl/openssl#24346)

(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
Signed-off-by: hhhFun <[email protected]>
jvdsn pushed a commit to jvdsn/openssl that referenced this pull request Jun 3, 2024
@t8m @jvdsn
Sync up CHANGES.md with 3.3 branch
58c55ca 
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#24346)
jvdsn pushed a commit to jvdsn/openssl that referenced this pull request Jun 3, 2024
@t8m @jvdsn
Check DSA parameters for excessive sizes before validating
2222bae 
This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#24346)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nhorman nhorman nhorman approved these changes

@mattcaswell mattcaswell mattcaswell approved these changes

@paulidale paulidale paulidale approved these changes

@shahsb shahsb shahsb approved these changes

@slontis slontis slontis approved these changes

Assignees
No one assigned
Labels
approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Merge to master branch branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 severity: fips change The pull request changes FIPS provider sources tests: present The PR has suitable tests present triaged: bug The issue/pr is/fixes a bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@t8m @openssl-machine @nhorman @mattcaswell @paulidale @shahsb @slontis