Skip to content

Commit a1d9afc

Browse files
rheniumrhenium
committed
openssl: avoid NULL dereference in {DH,DSA,RSA}_size()
* ext/openssl/ossl_pkey_dh.c (ossl_dh_compute_key): Check that the DH has 'p' (the prime) before calling DH_size(). We can create a DH with no parameter but DH_size() does not check and dereferences NULL. [ruby-core:75720] [Bug #12428] * ext/openssl/ossl_pkey_dsa.c (ossl_dsa_sign): Ditto. DSA_size() does not check dsa->q. * ext/openssl/ossl_pkey_rsa.c (ossl_rsa_public_encrypt, ossl_rsa_public_decrypt, ossl_rsa_private_encrypt, ossl_rsa_private_decrypt): Ditto. RSA_size() does not check rsa->n. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55175 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
1 parent ef10b81 commit a1d9afc

File tree

4 files changed

+32
-9
lines changed

4 files changed

+32
-9
lines changed

ChangeLog

+14
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,17 @@
1+
Thu May 26 14:21:10 2016 Kazuki Yamaguchi <k@rhe.jp>
2+
3+
* ext/openssl/ossl_pkey_dh.c (ossl_dh_compute_key): Check that the DH
4+
has 'p' (the prime) before calling DH_size(). We can create a DH with
5+
no parameter but DH_size() does not check and dereferences NULL.
6+
[ruby-core:75720] [Bug #12428]
7+
8+
* ext/openssl/ossl_pkey_dsa.c (ossl_dsa_sign): Ditto. DSA_size() does
9+
not check dsa->q.
10+
11+
* ext/openssl/ossl_pkey_rsa.c (ossl_rsa_public_encrypt,
12+
ossl_rsa_public_decrypt, ossl_rsa_private_encrypt,
13+
ossl_rsa_private_decrypt): Ditto. RSA_size() does not check rsa->n.
14+
115
Thu May 26 14:13:52 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
216

317
* include/ruby/ruby.h (rb_scan_args_count): verify length with

ext/openssl/ossl_pkey_dh.c

+2
Original file line numberDiff line numberDiff line change
@@ -501,6 +501,8 @@ ossl_dh_compute_key(VALUE self, VALUE pub)
501501

502502
GetPKeyDH(self, pkey);
503503
dh = pkey->pkey.dh;
504+
if (!dh->p)
505+
ossl_raise(eDHError, "incomplete DH");
504506
pub_key = GetBNPtr(pub);
505507
len = DH_size(dh);
506508
str = rb_str_new(0, len);

ext/openssl/ossl_pkey_dsa.c

+4-3
Original file line numberDiff line numberDiff line change
@@ -488,10 +488,11 @@ ossl_dsa_sign(VALUE self, VALUE data)
488488
VALUE str;
489489

490490
GetPKeyDSA(self, pkey);
491-
StringValue(data);
492-
if (!DSA_PRIVATE(self, pkey->pkey.dsa)) {
491+
if (!pkey->pkey.dsa->q)
492+
ossl_raise(eDSAError, "incomplete DSA");
493+
if (!DSA_PRIVATE(self, pkey->pkey.dsa))
493494
ossl_raise(eDSAError, "Private DSA key needed!");
494-
}
495+
StringValue(data);
495496
str = rb_str_new(0, ossl_dsa_buf_size(pkey));
496497
if (!DSA_sign(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data),
497498
(unsigned char *)RSTRING_PTR(str),

ext/openssl/ossl_pkey_rsa.c

+12-6
Original file line numberDiff line numberDiff line change
@@ -382,6 +382,8 @@ ossl_rsa_public_encrypt(int argc, VALUE *argv, VALUE self)
382382
VALUE str, buffer, padding;
383383

384384
GetPKeyRSA(self, pkey);
385+
if (!pkey->pkey.rsa->n)
386+
ossl_raise(eRSAError, "incomplete RSA");
385387
rb_scan_args(argc, argv, "11", &buffer, &padding);
386388
pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
387389
StringValue(buffer);
@@ -411,6 +413,8 @@ ossl_rsa_public_decrypt(int argc, VALUE *argv, VALUE self)
411413
VALUE str, buffer, padding;
412414

413415
GetPKeyRSA(self, pkey);
416+
if (!pkey->pkey.rsa->n)
417+
ossl_raise(eRSAError, "incomplete RSA");
414418
rb_scan_args(argc, argv, "11", &buffer, &padding);
415419
pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
416420
StringValue(buffer);
@@ -440,9 +444,10 @@ ossl_rsa_private_encrypt(int argc, VALUE *argv, VALUE self)
440444
VALUE str, buffer, padding;
441445

442446
GetPKeyRSA(self, pkey);
443-
if (!RSA_PRIVATE(self, pkey->pkey.rsa)) {
444-
ossl_raise(eRSAError, "private key needed.");
445-
}
447+
if (!pkey->pkey.rsa->n)
448+
ossl_raise(eRSAError, "incomplete RSA");
449+
if (!RSA_PRIVATE(self, pkey->pkey.rsa))
450+
ossl_raise(eRSAError, "private key needed");
446451
rb_scan_args(argc, argv, "11", &buffer, &padding);
447452
pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
448453
StringValue(buffer);
@@ -472,9 +477,10 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)
472477
VALUE str, buffer, padding;
473478

474479
GetPKeyRSA(self, pkey);
475-
if (!RSA_PRIVATE(self, pkey->pkey.rsa)) {
476-
ossl_raise(eRSAError, "private key needed.");
477-
}
480+
if (!pkey->pkey.rsa->n)
481+
ossl_raise(eRSAError, "incomplete RSA");
482+
if (!RSA_PRIVATE(self, pkey->pkey.rsa))
483+
ossl_raise(eRSAError, "private key needed");
478484
rb_scan_args(argc, argv, "11", &buffer, &padding);
479485
pad = (argc == 1) ? RSA_PKCS1_PADDING : NUM2INT(padding);
480486
StringValue(buffer);

0 commit comments

Comments
 (0)