Check DSA parameters for excessive sizes before validating #24346
This avoids overly long computation of various validation checks. Fixes CVE-2024-4603
@paulidale please reconfirm, I was too eager with always checking the g value - it cannot be mandatory in the ACVP tests.
@paulidale please reconfirm again
return 0; | ||
} | ||
|
||
if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) { |
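Review bot: the comparison on the `BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)` line is on bit lengths, not values, so it also rejects a q that is numerically smaller than p but has the same bit length. That is safe for DSA, where q is a prime divisor of p - 1 and is therefore at least one bit shorter than p, but nothing on the line says so. A one-line comment stating that the bit-length comparison is intentional, and that it is a cheap rejection ahead of the expensive validation checks, would answer the question a reader is likely to ask here.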
Is this the correct check here? Considering the situation in which p is fairly small (well below the OPENSSL_DSA_MAX_MODULUS_BITS) and q is only slightly larger, this test will erroneously fail, no?
q must never be larger than or equal to p.
Approved subject to the minor nit fix
This pull request is ready to merge
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #24346)
This avoids overly long computation of various validation checks.
Fixes CVE-2024-4603
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from #24346)
(cherry picked from commit 85ccbab)
Merged to all the active branches. Thank you for the reviews.
This avoids overly long computation of various validation checks.
Fixes CVE-2024-4603
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl/openssl#24346)
(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
Signed-off-by: hhhFun <[email protected]>
This avoids overly long computation of various validation checks.
Fixes CVE-2024-4603
(Low severity)