Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1549?usp=email
to review the following change.
Change subject: Avoid unbounded allocations in pkcs11_mbedtls.c
......................................................................
Avoid unbounded allocations in pkcs11_mbedtls.c
The PKCS#11 provider can crash OpenVPN by making it try to allocate
2^64 bytes for a certificate. To avoid this, set a maximum size for
certificates. If the size is exceeded, don't try to allocate memory and
instead exit pkcs11_get_x509_cert with an error.
The chosen maximum size is 100.000 bytes which is twice the size of
a SLH-DSA (aka SPHINCS+) signature.
Found-by: ZeroPath (https://zeropath.com/)
Reported-by: Joshua Rogers <[email protected]>
Github: closes OpenVPN/openvpn-private-issues#42
Change-Id: I53d47e4a0d33c380ee95e0e33aecad3db3197940
Signed-off-by: Max Fillinger <[email protected]>
---
M src/openvpn/pkcs11_mbedtls.c
1 file changed, 16 insertions(+), 0 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/49/1549/1
diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c
index 66aefac..bf9d953 100644
--- a/src/openvpn/pkcs11_mbedtls.c
+++ b/src/openvpn/pkcs11_mbedtls.c
@@ -42,6 +42,16 @@
static bool
pkcs11_get_x509_cert(pkcs11h_certificate_t pkcs11_cert, mbedtls_x509_crt *cert)
{
+ /* We set a maximum size for certificates so that the PKCS provider cannot
crash OpenVPN by
+ * making it try to allocate 2^64 bytes. The maximum of 100.000 bytes is
picked as a round
+ * number that easily accomodates the currently standardized quantum-safe
signature algorithms.
+ * It is twice the size of a SLH-DSA (aka SPHINCS+) signature plus public
key.
+ *
+ * However, there are additional digital signature schemes currently on
the NIST on-ramp
+ * (e.g., some parameter settings for LESS) that have even larger public
keys or signatures, so
+ * if those ever see use on smartcards, we will need to increase this
number. */
+ const size_t max_cert_size = 100000;
+
unsigned char *cert_blob = NULL;
size_t cert_blob_size = 0;
bool ret = false;
@@ -52,6 +62,12 @@
goto cleanup;
}
+ if (cert_blob_size > max_cert_size)
+ {
+ msg(M_WARN, "PKCS#11: Certificate too large: %lu bytes, maximum is
%lu", cert_blob_size, max_cert_size);
+ goto cleanup;
+ }
+
check_malloc_return((cert_blob = calloc(1, cert_blob_size)));
if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, cert_blob,
&cert_blob_size) != CKR_OK)
{
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1549?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I53d47e4a0d33c380ee95e0e33aecad3db3197940
Gerrit-Change-Number: 1549
Gerrit-PatchSet: 1
Gerrit-Owner: MaxF <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
