Merge branch 'maint-0.4.2' into maint-0.4.3

author: Nick Mathewson <nickm@torproject.org> 2020-03-17 15:22:36 -0400
committer: Nick Mathewson <nickm@torproject.org> 2020-03-17 15:22:36 -0400
commit: e0d68ce84fe4536142d7f5e8987a08d9e93ac626 (patch)
tree: 2bfedd2a179682aeecd3281f4eec71cff58cfaab /src/lib/crypt_ops
parent: 6803373aab2292fe7286d1e19e25d5016b6ac9b8 (diff)
parent: 85141a3a74efb0db29ff98667e83b06208d1c926 (diff)
download: tor-e0d68ce84fe4536142d7f5e8987a08d9e93ac626.tar.gz
tor-e0d68ce84fe4536142d7f5e8987a08d9e93ac626.zip
4 files changed, 99 insertions, 10 deletions
diff --git a/src/lib/crypt_ops/crypto_rsa.c b/src/lib/crypt_ops/crypto_rsa.c
index 4b33ed98e5..195e4bbaf9 100644
--- a/src/lib/crypt_ops/crypto_rsa.c
+++ b/src/lib/crypt_ops/crypto_rsa.c
@@ -490,7 +490,7 @@ crypto_pk_write_private_key_to_string(crypto_pk_t *env,
 static int
 crypto_pk_read_from_string_generic(crypto_pk_t *env, const char *src,
                                    size_t len, int severity,
-                                   bool private_key)
+                                   bool private_key, int max_bits)
 {
   if (len == (size_t)-1) // "-1" indicates "use the length of the string."
     len = strlen(src);
@@ -510,7 +510,7 @@ crypto_pk_read_from_string_generic(crypto_pk_t *env, const char *src,
   }
 
   crypto_pk_t *pk = private_key
-    ? crypto_pk_asn1_decode_private((const char*)buf, n)
+    ? crypto_pk_asn1_decode_private((const char*)buf, n, max_bits)
     : crypto_pk_asn1_decode((const char*)buf, n);
   if (! pk) {
     log_fn(severity, LD_CRYPTO,
@@ -539,7 +539,8 @@ int
 crypto_pk_read_public_key_from_string(crypto_pk_t *env,
                                       const char *src, size_t len)
 {
-  return crypto_pk_read_from_string_generic(env, src, len, LOG_INFO, false);
+  return crypto_pk_read_from_string_generic(env, src, len, LOG_INFO, false,
+                                            -1);
 }
 
 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>src</b>
@@ -550,7 +551,21 @@ int
 crypto_pk_read_private_key_from_string(crypto_pk_t *env,
                                        const char *src, ssize_t len)
 {
-  return crypto_pk_read_from_string_generic(env, src, len, LOG_INFO, true);
+  return crypto_pk_read_from_string_generic(env, src, len, LOG_INFO, true,
+                                            -1);
+}
+
+/**
+ * As crypto_pk_read_private_key_from_string(), but reject any key
+ * with a modulus longer than 1024 bits before doing any expensive
+ * validation on it.
+ */
+int
+crypto_pk_read_private_key1024_from_string(crypto_pk_t *env,
+                                           const char *src, ssize_t len)
+{
+  return crypto_pk_read_from_string_generic(env, src, len, LOG_INFO, true,
+                                            1024);
 }
 
 /** If a file is longer than this, we won't try to decode its private key */
@@ -578,7 +593,7 @@ crypto_pk_read_private_key_from_filename(crypto_pk_t *env,
   }
 
   int rv = crypto_pk_read_from_string_generic(env, buf, (ssize_t)st.st_size,
-                                              LOG_WARN, true);
+                                              LOG_WARN, true, -1);
   if (rv < 0) {
     log_warn(LD_CRYPTO, "Unable to decode private key from file %s",
              escaped(keyfile));
@@ -662,7 +677,7 @@ crypto_pk_base64_decode_private(const char *str, size_t len)
     goto out;
   }
 
-  pk = crypto_pk_asn1_decode_private(der, der_len);
+  pk = crypto_pk_asn1_decode_private(der, der_len, -1);
 
  out:
   memwipe(der, 0, len+1);
diff --git a/src/lib/crypt_ops/crypto_rsa.h b/src/lib/crypt_ops/crypto_rsa.h
index 38934e7f32..ab2e9db80d 100644
--- a/src/lib/crypt_ops/crypto_rsa.h
+++ b/src/lib/crypt_ops/crypto_rsa.h
@@ -61,6 +61,8 @@ int crypto_pk_read_public_key_from_string(crypto_pk_t *env,
                                           const char *src, size_t len);
 int crypto_pk_read_private_key_from_string(crypto_pk_t *env,
                                            const char *s, ssize_t len);
+int crypto_pk_read_private_key1024_from_string(crypto_pk_t *env,
+                                               const char *src, ssize_t len);
 int crypto_pk_write_private_key_to_filename(crypto_pk_t *env,
                                             const char *fname);
 
@@ -95,7 +97,8 @@ int crypto_pk_asn1_encode(const crypto_pk_t *pk, char *dest, size_t dest_len);
 crypto_pk_t *crypto_pk_asn1_decode(const char *str, size_t len);
 int crypto_pk_asn1_encode_private(const crypto_pk_t *pk,
                                   char *dest, size_t dest_len);
-crypto_pk_t *crypto_pk_asn1_decode_private(const char *str, size_t len);
+crypto_pk_t *crypto_pk_asn1_decode_private(const char *str, size_t len,
+                                           int max_bits);
 int crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out,int add_space);
 int crypto_pk_get_hashed_fingerprint(crypto_pk_t *pk, char *fp_out);
 void crypto_add_spaces_to_fp(char *out, size_t outlen, const char *in);
diff --git a/src/lib/crypt_ops/crypto_rsa_nss.c b/src/lib/crypt_ops/crypto_rsa_nss.c
index 0a5041aad4..66f325e868 100644
--- a/src/lib/crypt_ops/crypto_rsa_nss.c
+++ b/src/lib/crypt_ops/crypto_rsa_nss.c
@@ -679,9 +679,12 @@ crypto_pk_asn1_encode_private(const crypto_pk_t *pk,
 /** Given a buffer containing the DER representation of the
  * private key <b>str</b>, decode and return the result on success, or NULL
  * on failure.
+ *
+ * If <b>max_bits</b> is nonnegative, reject any key longer than max_bits
+ * without performing any expensive validation on it.
  */
 crypto_pk_t *
-crypto_pk_asn1_decode_private(const char *str, size_t len)
+crypto_pk_asn1_decode_private(const char *str, size_t len, int max_bits)
 {
   tor_assert(str);
   tor_assert(len < INT_MAX);
@@ -731,6 +734,15 @@ crypto_pk_asn1_decode_private(const char *str, size_t len)
     output = NULL;
   }
 
+  if (output) {
+    const int bits = SECKEY_PublicKeyStrengthInBits(output->pubkey);
+    if (max_bits >= 0 && bits > max_bits) {
+      log_info(LD_CRYPTO, "Private key longer than expected.");
+      crypto_pk_free(output);
+      output = NULL;
+    }
+  }
+
   if (slot)
     PK11_FreeSlot(slot);
 
diff --git a/src/lib/crypt_ops/crypto_rsa_openssl.c b/src/lib/crypt_ops/crypto_rsa_openssl.c
index e5025108ae..9d674fa883 100644
--- a/src/lib/crypt_ops/crypto_rsa_openssl.c
+++ b/src/lib/crypt_ops/crypto_rsa_openssl.c
@@ -33,6 +33,7 @@ ENABLE_GCC_WARNING("-Wredundant-decls")
 #include "lib/encoding/binascii.h"
 
 #include <string.h>
+#include <stdbool.h>
 
 /** Declaration for crypto_pk_t structure. */
 struct crypto_pk_t
@@ -564,11 +565,64 @@ crypto_pk_asn1_encode_private(const crypto_pk_t *pk, char *dest,
   return len;
 }
 
+/** Check whether any component of a private key is too large in a way that
+ * seems likely to make verification too expensive. Return true if it's too
+ * long, and false otherwise. */
+static bool
+rsa_private_key_too_long(RSA *rsa, int max_bits)
+{
+  const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
+#ifdef OPENSSL_1_1_API
+  n = RSA_get0_n(rsa);
+  e = RSA_get0_e(rsa);
+  p = RSA_get0_p(rsa);
+  q = RSA_get0_q(rsa);
+  d = RSA_get0_d(rsa);
+  dmp1 = RSA_get0_dmp1(rsa);
+  dmq1 = RSA_get0_dmq1(rsa);
+  iqmp = RSA_get0_iqmp(rsa);
+
+  if (RSA_bits(rsa) > max_bits)
+    return true;
+#else
+  n = rsa->n;
+  e = rsa->e;
+  p = rsa->p;
+  q = rsa->q;
+  d = rsa->d;
+  dmp1 = rsa->dmp1;
+  dmq1 = rsa->dmq1;
+  iqmp = rsa->iqmp;
+#endif
+
+  if (n && BN_num_bits(n) > max_bits)
+    return true;
+  if (e && BN_num_bits(e) > max_bits)
+    return true;
+  if (p && BN_num_bits(p) > max_bits)
+    return true;
+  if (q && BN_num_bits(q) > max_bits)
+    return true;
+  if (d && BN_num_bits(d) > max_bits)
+    return true;
+  if (dmp1 && BN_num_bits(dmp1) > max_bits)
+    return true;
+  if (dmq1 && BN_num_bits(dmq1) > max_bits)
+    return true;
+  if (iqmp && BN_num_bits(iqmp) > max_bits)
+    return true;
+
+  return false;
+}
+
 /** Decode an ASN.1-encoded private key from <b>str</b>; return the result on
  * success and NULL on failure.
+ *
+ * If <b>max_bits</b> is nonnegative, reject any key longer than max_bits
+ * without performing any expensive validation on it.
  */
 crypto_pk_t *
-crypto_pk_asn1_decode_private(const char *str, size_t len)
+crypto_pk_asn1_decode_private(const char *str, size_t len, int max_bits)
 {
   RSA *rsa;
   unsigned char *buf;
@@ -578,7 +632,12 @@ crypto_pk_asn1_decode_private(const char *str, size_t len)
   rsa = d2i_RSAPrivateKey(NULL, &cp, len);
   tor_free(buf);
   if (!rsa) {
-    crypto_openssl_log_errors(LOG_WARN,"decoding public key");
+    crypto_openssl_log_errors(LOG_WARN,"decoding private key");
+    return NULL;
+  }
+  if (max_bits >= 0 && rsa_private_key_too_long(rsa, max_bits)) {
+    log_info(LD_CRYPTO, "Private key longer than expected.");
+    RSA_free(rsa);
     return NULL;
   }
   crypto_pk_t *result = crypto_new_pk_from_openssl_rsa_(rsa);
author	Nick Mathewson <nickm@torproject.org>	2020-03-17 15:22:36 -0400
committer	Nick Mathewson <nickm@torproject.org>	2020-03-17 15:22:36 -0400
commit	e0d68ce84fe4536142d7f5e8987a08d9e93ac626 (patch)
tree	2bfedd2a179682aeecd3281f4eec71cff58cfaab /src/lib/crypt_ops
parent	6803373aab2292fe7286d1e19e25d5016b6ac9b8 (diff)
parent	85141a3a74efb0db29ff98667e83b06208d1c926 (diff)
download	tor-e0d68ce84fe4536142d7f5e8987a08d9e93ac626.tar.gz tor-e0d68ce84fe4536142d7f5e8987a08d9e93ac626.zip