On Fri, Feb 25, 2022 at 08:11:47AM +0100, Anton Lindqvist wrote: > On Thu, Feb 24, 2022 at 01:31:12AM -0700, Theo Buehler wrote: > > CVSROOT: /cvs > > Module name: src > > Changes by: t...@cvs.openbsd.org 2022/02/24 01:31:12 > > > > Modified files: > > lib/libcrypto/dsa: dsa_ameth.c > > > > Log message: > > Add sanity checks on p and q in old_dsa_priv_decode() > > > > dsa_do_verify() has checks on dsa->p and dsa->q that ensure that p isn't > > overly long and that q has one of the three allowed lengths specified in > > FIPS 186-3, namely 160, 224, or 256. > > > > Do these checks on deserialization of DSA keys without parameters. This > > means that we will now reject keys we would previously deserialize. Such > > keys are useless in that signatures generated by them would be rejected > > by both LibreSSL and OpenSSL. > > > > This avoids a timeout flagged in oss-fuzz #26899 due to a ridiculous > > DSA key whose q has size 65KiB. The timeout comes from additional checks > > on DSA keys added by miod in dsa_ameth.c r1.18, especially checking such > > a humungous number for primality is expensive. > > > > ok jsing > > This broke ssh regress.
Should be fixed by dsa_ameth.c r1.34. I accidentally left in a debug printf in there which is what generated the extra output. > > > usr.bin/ssh: > Exit: 1 > Duration: 00:00:04 > Log: 230-usr.bin-ssh.log > > ==== t6 ==== > ssh-keygen -if /home/src/regress/usr.bin/ssh/dsa_ssh2.prv > t6.out1 > ssh-keygen -if /home/src/regress/usr.bin/ssh/dsa_ssh2.pub > t6.out2 > chmod 600 t6.out1 > ssh-keygen -yf t6.out1 | diff - t6.out2 > 1,37d0 > < Private-Key: (1024 bit) > < priv: > < 00:c7:16:fa:28:46:76:97:75:96:de:58:64:d3:aa: > < 68:07:07:51:94:f4 > < pub: > < 5a:8f:b6:39:8a:47:a1:ca:02:78:a9:30:d2:95:5c: > < a9:b0:fb:95:fa:7e:7d:b4:c4:b4:7b:6a:5f:ad:21: > < bc:ef:27:f9:af:de:00:28:19:89:7a:1a:39:38:ee: > < b0:61:a5:c2:c6:c5:41:ec:01:5b:49:40:fa:ef:90: > < 0a:f2:61:c5:e2:fd:7f:fb:b4:96:2a:4e:5f:f3:19: > < 4c:08:c4:8f:67:d2:b4:fa:3f:d6:d5:df:ea:da:a9: > < 21:9e:70:d9:a2:53:87:0e:89:8b:03:e5:34:d2:2e: > < 72:6b:f8:e7:4d:5c:f2:0c:f5:8b:16:95:8a:f2:ed: > < f1:18:13:c0:61:7d:f6:e2 > < P: > < 00:b0:51:f9:b7:03:16:53:ba:dd:e2:70:19:b0:09: > < c0:f8:f2:76:3a:e0:7c:ee:10:b9:50:fa:f1:2a:8c: > < 87:11:2e:8e:3d:7a:cf:c3:41:37:8b:35:0f:a4:74: > < a4:42:7e:8b:a8:b0:63:6f:d1:6a:b1:46:d1:74:b5: > < 4b:16:75:7c:52:df:ba:07:19:ae:10:3e:e8:01:74: > < 74:5d:ed:89:59:19:9b:fc:92:0c:7b:16:ca:1e:a5: > < 8e:ef:ec:4e:bc:df:ff:7b:76:fd:b3:c4:bd:c0:19: > < a8:13:13:35:ab:ed:f9:74:c8:f7:b1:01:a6:68:0e: > < fb:50:ae:b8:d7:e3:80:4b:9b > < Q: > < 00:de:0b:4e:37:61:5a:3d:66:8d:33:00:47:88:03: > < 8b:99:87:82:c1:09 > < G: > < 00:96:42:4b:ef:33:19:c3:f1:e1:64:4b:59:28:9c: > < 57:cc:27:50:a4:b9:17:d3:37:7e:02:05:9e:9d:63: > < b5:53:48:67:a6:cb:84:30:b4:57:4c:2a:6a:2e:7c: > < 3d:1e:2a:0c:b7:a7:95:8e:79:60:98:2a:d1:78:16: > < 18:c7:29:99:3f:69:ac:45:8e:32:1b:b6:4a:e7:96: > < f5:e0:eb:84:08:d7:57:52:67:20:4d:eb:f5:62:42: > < 41:cf:4a:45:03:17:e0:3a:00:01:21:ac:d6:d0:6c: > < 01:52:bd:aa:35:91:3b:cd:b4:f0:ad:2f:40:24:50: > < 87:6e:10:cc:c6:41:f2:c2:4c > *** Error 1 in . (Makefile:168 't6') > FAILED > > *** Error 1 in /home/src/regress/usr.bin/ssh (<bsd.regress.mk>:97 'regress': > if make -C /home/src/regress/usr.bin/ssh t6; then echo -n "SUC...) > robsd-regress-exec: process group exited 2
