authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-09 12:57:41 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-09 13:22:38 +0100
commit06c5989daf082f3edc3f8306671533030220974d (patch)
tree4b15a213e42ada02019e9d9779afcbf3578efcd7
parente73501f208625d48db2b111b571421d25a78838f (diff)
downloadgnutls-06c5989daf082f3edc3f8306671533030220974d.tar.gz
PKCS8/PKCS12: enforce a maximum number of iterations
This prevents denial of service through very large iteration counts. Issue found via oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=434 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/x509/common.h4
-rw-r--r--lib/x509/pkcs7-crypt.c4
-rw-r--r--lib/x509/privkey_pkcs8_pbes1.c2
3 files changed, 7 insertions, 3 deletions
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 6716939255..b0c1c5e29f 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2003-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2017 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
@@ -29,6 +30,9 @@
#include <fips.h>
#define MAX_STRING_LEN 512
+/* Set a maximum iteration count over which we refuse to
+ * decode a file. That is to prevent DoS. */
+#define MAX_ITER_COUNT (10*1024*1024)
#define GNUTLS_XML_SHOW_ALL 1
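Review bot: The comment on the new macro says decoding is refused for counts "over which" the limit lies, but every check this commit adds (read_pbkdf2_params, read_pkcs12_kdf_params, _gnutls_read_pbkdf1_params) uses `>=`, so a count exactly equal to MAX_ITER_COUNT is rejected as well; the comment should say so, e.g. `/* PKCS#8/PKCS#12 KDF iteration counts at or above this value are rejected when decoding, to bound the CPU an attacker-supplied file can cost us. */`. It would also help to state that the value is a policy limit rather than anything derived from the KDF algorithms, since a reader may otherwise look for a spec reference; the exact figure is presumably a generous ceiling above any legitimately encoded count, but that reasoning is not recorded here.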
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
index c15752f995..45233acd8a 100644
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -662,7 +662,7 @@ read_pbkdf2_params(ASN1_TYPE pasn,
goto error;
}
- if (params->iter_count >= INT_MAX || params->iter_count == 0) {
+ if (params->iter_count >= MAX_ITER_COUNT || params->iter_count == 0) {
result = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto error;
}
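Review bot: The new upper bound still leaves the sign of the decoded value unchecked: if `params->iter_count` is a signed `int` (the `%d` in the logging call in the next hunk suggests it), a negative iterationCount passes both `>= MAX_ITER_COUNT` and `== 0` and reaches the KDF, whereas if it is unsigned the `%d` format is what should be corrected to `%u`; the declaration is outside this diff, so this needs confirming against the struct. The same condition is now repeated at three sites (this hunk, read_pkcs12_kdf_params below, and _gnutls_read_pbkdf1_params in privkey_pkcs8_pbes1.c), so a single helper beside the MAX_ITER_COUNT definition, along the lines of `static inline int _gnutls_iter_count_ok(...) { return c != 0 && c < MAX_ITER_COUNT; }` with the parameter typed to match the field, would keep them from drifting and give one place to settle the signedness question. read_pbkdf2_params starts before this hunk.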
@@ -737,7 +737,7 @@ static int read_pkcs12_kdf_params(ASN1_TYPE pasn, struct pbkdf2_params *params)
if (result < 0)
return gnutls_assert_val(result);
- if (params->iter_count >= INT_MAX || params->iter_count == 0)
+ if (params->iter_count >= MAX_ITER_COUNT || params->iter_count == 0)
return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
_gnutls_hard_log("iterationCount: %d\n", params->iter_count);
diff --git a/lib/x509/privkey_pkcs8_pbes1.c b/lib/x509/privkey_pkcs8_pbes1.c
index 86ba2609f0..1e4ba60aa1 100644
--- a/lib/x509/privkey_pkcs8_pbes1.c
+++ b/lib/x509/privkey_pkcs8_pbes1.c
@@ -74,7 +74,7 @@ int _gnutls_read_pbkdf1_params(const uint8_t * data, int data_size,
goto error;
}
- if (kdf_params->iter_count >= INT_MAX || kdf_params->iter_count == 0) {
+ if (kdf_params->iter_count >= MAX_ITER_COUNT || kdf_params->iter_count == 0) {
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto error;
}