File openssl-CVE-2023-0217-1of4.patch of Package openssl-3.28534

Overview Repositories Revisions Requests Users Attributes Meta

File openssl-CVE-2023-0217-1of4.patch of Package openssl-3.28534

commit 1847f547089890a03f4f2548f57929bef8db3647
Author: slontis <shane.lontis@oracle.com>
Date:   Wed Jan 11 11:05:04 2023 +1000

Fix NULL deference when validating FFC public key.
    
    Fixes CVE-2023-0217
    
    When attempting to do a BN_Copy of params->p there was no NULL check.
    Since BN_copy does not check for NULL this is a NULL reference.
    
    As an aside BN_cmp() does do a NULL check, so there are other checks
    that fail because a NULL is passed. A more general check for NULL params
    has been added for both FFC public and private key validation instead.

Index: openssl-3.0.1/crypto/ffc/ffc_key_validate.c
===================================================================
--- openssl-3.0.1.orig/crypto/ffc/ffc_key_validate.c
+++ openssl-3.0.1/crypto/ffc/ffc_key_validate.c
@@ -24,6 +24,11 @@ int ossl_ffc_validate_public_key_partial
     BN_CTX *ctx = NULL;
 
     *ret = 0;
+    if (params == NULL || pub_key == NULL || params->p == NULL) {
+        *ret = FFC_ERROR_PASSED_NULL_PARAM;
+        return 0;
+    }
+
     ctx = BN_CTX_new_ex(NULL);
     if (ctx == NULL)
         goto err;
@@ -107,6 +112,10 @@ int ossl_ffc_validate_private_key(const
 
     *ret = 0;
 
+    if (priv == NULL || upper == NULL) {
+        *ret = FFC_ERROR_PASSED_NULL_PARAM;
+        goto err;
+    }
     if (BN_cmp(priv, BN_value_one()) < 0) {
         *ret |= FFC_ERROR_PRIVKEY_TOO_SMALL;
         goto err;
Index: openssl-3.0.1/include/internal/ffc.h
===================================================================
--- openssl-3.0.1.orig/include/internal/ffc.h
+++ openssl-3.0.1/include/internal/ffc.h
@@ -76,6 +76,7 @@
 # define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08
 # define FFC_ERROR_PRIVKEY_TOO_SMALL      0x10
 # define FFC_ERROR_PRIVKEY_TOO_LARGE      0x20
+# define FFC_ERROR_PASSED_NULL_PARAM      0x40
 
 /*
  * Finite field cryptography (FFC) domain parameters are used by DH and DSA.
Index: openssl-3.0.1/test/ffc_internal_test.c
===================================================================
--- openssl-3.0.1.orig/test/ffc_internal_test.c
+++ openssl-3.0.1/test/ffc_internal_test.c
@@ -509,6 +509,27 @@ static int ffc_public_validate_test(void
     if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
         goto err;
 
+    /* Fail if params is NULL */
+    if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res)))
+        goto err;
+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
+        goto err;
+    res = -1;
+    /* Fail if pubkey is NULL */
+    if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res)))
+        goto err;
+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
+        goto err;
+    res = -1;
+
+    BN_free(params->p);
+    params->p = NULL;
+    /* Fail if params->p is NULL */
+    if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
+        goto err;
+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
+        goto err;
+
     ret = 1;
 err:
     DH_free(dh);
@@ -566,6 +587,16 @@ static int ffc_private_validate_test(voi
     if (!TEST_true(ossl_ffc_validate_private_key(params->q, priv, &res)))
         goto err;
 
+    if (!TEST_false(ossl_ffc_validate_private_key(NULL, priv, &res)))
+        goto err;
+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
+        goto err;
+    res = -1;
+    if (!TEST_false(ossl_ffc_validate_private_key(params->q, NULL, &res)))
+        goto err;
+    if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
+        goto err;
+
     ret = 1;
 err:
     DH_free(dh);

Places

File openssl-CVE-2023-0217-1of4.patch of Package openssl-3.28534

Places