Fix out-of-bound memory read in `tor_tls_cert_matches_key()` for NSS. - tor - Transit encryption and privacy out of the box

diff options

author	Alexander Færøy <ahf@torproject.org>	2020-03-31 02:33:54 +0000
committer	Nick Mathewson <nickm@torproject.org>	2020-07-06 16:19:16 -0400
commit	b46984e97ec4064ac8178ea9b3bf6985a4f2f632 (patch)
tree	3da4540f64d22f07bbc350832b54531618e3b3a8 /changes/ticket32086
parent	33e1c2e6fd614f8cb42a6d5758d411d3f8d5411c (diff)
download	tor-b46984e97ec4064ac8178ea9b3bf6985a4f2f632.tar.gz tor-b46984e97ec4064ac8178ea9b3bf6985a4f2f632.zip

Fix out-of-bound memory read in `tor_tls_cert_matches_key()` for NSS.

This patch fixes an out-of-bound memory read in `tor_tls_cert_matches_key()` when Tor is compiled to use Mozilla's NSS instead of OpenSSL. The NSS library stores some length fields in bits instead of bytes, but the comparison function found in `SECITEM_ItemsAreEqual()` needs the length to be encoded in bytes. This means that for a 140-byte, DER-encoded, SubjectPublicKeyInfo struct (with a 1024-bit RSA public key in it), we would ask `SECITEM_ItemsAreEqual()` to compare the first 1120 bytes instead of 140 (140bytes * 8bits = 1120bits). This patch fixes the issue by converting from bits to bytes before calling `SECITEM_ItemsAreEqual()` and convert the `len`-fields back to bits before we leave the function. This patch is part of the fix for TROVE-2020-001. See: https://bugs.torproject.org/33119

Diffstat (limited to 'changes/ticket32086')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: