Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp6622495rwl;
        Mon, 9 Jan 2023 10:39:53 -0800 (PST)
X-Google-Smtp-Source: AMrXdXtuNYYKfs6sG+gkA6wdGvTxKSYcRS1uepGtP/PAy/psJZLvEkRl2klaIaGYbnHKiUiUY6qW
X-Received: by 2002:a05:6402:150b:b0:493:a6eb:874e with SMTP id f11-20020a056402150b00b00493a6eb874emr16277986edw.5.1673289592940;
        Mon, 09 Jan 2023 10:39:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1673289592; cv=none;
        d=google.com; s=arc-20160816;
        b=Jot2jcAp6dBRWtngxFjLrn9i5w72nCGgEB22wCdP+6/jps8pCt5qrxEIBEEfJZwkpb
         ndEHqbdLUAnnc4CjKE2VjgCFXSTT1huDKmbmIwFVuWgq+kMdFOMovLb0fG5sMRJTmuaE
         mlvxdFj/g8YsOzIQQl1KTacJytSUnaI/NZvtFDpr2Ua6NljhTEzBs5MaVs7DgU7ZpxwX
         0rZUES1+nQfCOUDYRn7XsSaExOAqPY8HbWJkL9AMe392VjcSeFyhnYE2+sGTXzFCza5a
         VdghepbZVVcxCrbUCOzDu1GesoWLiGlVXjC9jSfHzw47xvyTE8b+1YcjfGBcRxM1LVf4
         AS2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:to:subject:message-id:date:from:mime-version
         :dkim-signature;
        bh=Nq9gWaBeUb3bCr6q4HAhBECYLpCHapLzwerok5eiN2Y=;
        b=PFSQddVQzK+X83FMArhULW5sKGVW7pOMYYmnT6kcSzwtd2G5qbS+mItQ62MAWnsTh+
         Uu7dfT3TqXnzhhXQ92spUJwZz3LSmjPX2uA58Z64POpi+0jE/K43yOB+EKUwrN3lhrDM
         g4bS3798o3N4NRRwmfgTsst6pRTwEfnIHiWkxZkYp/j2wjYyJ3a941zSEGpLcEXmDKX1
         NLSKrGJ3fbHPYbobuMclnHs/KdVQEUPopioIWh14581RuI5E+6WHe8xiVHfo1r5pIzz3
         kl+W3K/d5pUcPuotgm14DvNSLRn0H/xB5HGmdpWB44Pokx3nNaAvQCOmJFbPX4+JTMhi
         qT8g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=G8axkWXr;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id hr2-20020a1709073f8200b0084c8ac6e0b2si10294834ejc.109.2023.01.09.10.39.15;
        Mon, 09 Jan 2023 10:39:52 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=G8axkWXr;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S237553AbjAISiB (ORCPT <rfc822;vik.reck@gmail.com> + 99 others);
        Mon, 9 Jan 2023 13:38:01 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55366 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234186AbjAISh0 (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 9 Jan 2023 13:37:26 -0500
Received: from mail-yw1-x1129.google.com (mail-yw1-x1129.google.com [IPv6:2607:f8b0:4864:20::1129])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E80BE76822
        for <linux-crypto@vger.kernel.org>; Mon,  9 Jan 2023 10:35:30 -0800 (PST)
Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-4b718cab0e4so124562667b3.9
        for <linux-crypto@vger.kernel.org>; Mon, 09 Jan 2023 10:35:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=Nq9gWaBeUb3bCr6q4HAhBECYLpCHapLzwerok5eiN2Y=;
        b=G8axkWXrmvGMpyYY7iWq/D3gWcV011ie03fgNpiWHWCcdGZEyrLYsm0zWgVDWZ1H51
         L4MdBXqSQ7tx/g1biERnpql7yz4Y1onoEJUEQpumgtsPC1f9fku0SV7xI1tyCBZ5Rbfr
         jBc7yyBhy6emGTnz6u2NbXNNwU18M6ZV9Gg7YFarKJkm4BByomsEfs6jtuNT4KRl2yKA
         Ew2pQBKeP8CEevgPapjxPl16kiFxhWrGwuNndzhp3H9O4Nhnig3KmsYQJO02d8YnaxVU
         B7aouANMrLMzq7y7+G69YvKeDr3DaqgHFtlOcjMNzS1BBVAtx3uahfiDyMDVXc2kZhYz
         RWDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=Nq9gWaBeUb3bCr6q4HAhBECYLpCHapLzwerok5eiN2Y=;
        b=db4pEwXipL1u4SwrYt/qP1IQ6m2mTMOlPn+6qt4/2hHiVsDzqo5vbU4vTk8M6B3sXP
         WSsii+nmEidMAPLu4M7z8K3WBRpcDhqFK4qVnzw3sDl8JKql3N9xo8H/eS7aQrAQEsBP
         Nk3KW+Q5bQuRXUYv/sEFWjMLpenpayGf8pDpKvr+jcZImYk60UZsDTYX/oV5PNy1X2P1
         MuUnwl4uFyPdrZTVFLkSMNp5C0gdI7cT6LVT9nS4FYhHtMnsDIVtpS8ddzP5HlSPEcp5
         7T3cg41uzUZjLLEWBmoruIgPRitXsb6PYkFsxMZqwkyHO1GtIJR4ZW4GDBmgrD9Ga4q+
         rsIQ==
X-Gm-Message-State: AFqh2krug7Tw1GnVwpn3+ESVScHwG/OCwlbAbSvqlL+SYLE5V3G6ICmO
        mtmUGJyhvEt6H8L7o7Uu99uxbXHN39XNSyL/tChN+dTQrBk=
X-Received: by 2002:a05:690c:d96:b0:478:6ef2:da73 with SMTP id
 da22-20020a05690c0d9600b004786ef2da73mr185587ywb.488.1673289330041; Mon, 09
 Jan 2023 10:35:30 -0800 (PST)
MIME-Version: 1.0
From:   =?UTF-8?B?T25kcmVqIE1vc27DocSNZWs=?= <omosnacek@gmail.com>
Date:   Mon, 9 Jan 2023 19:35:19 +0100
Message-ID: <CAAUqJDsuFT0XBBkOH_OkhXpEJSaZCLP56-MvBMpde=OS-Dt8VQ@mail.gmail.com>
Subject: [BUG] It is possible to circumvent dh_check_params_length() in the
 generic implementation
To:     linux-crypto@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
        RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Hello,

While debugging an SELinux test that happens to use keyctl(2) with
KEYCTL_DH_COMPUTE, I noticed that mpi_read_raw_data() (used in
crypto/dh.c to import big numbers from byte strings) accepts any
number of leading zero bytes and discards them. This has a bad
implication for dh_set_params(), as it passes the original prime byte
string size to dh_check_params_length(), which means that it is
possible to get it to accept a prime of any size, simply by
left-padding it with zero bytes to the minimum accepted size.

I ran into this because the test was accidentally passing the prime
byte string with an extra zero byte at the beginning (an artifact from
the output of `openssl dhparam -text -2 2048`) and while this ran fine
when the generic "dh" implementation was used, it was failing on
machines where the intel_qat driver was used, which doesn't have this
validation bug.

For me the fix is simply to drop the extra zero byte from the test's
input, but I wanted to report this, so that someone with more vested
interest in the crypto subsystem can fix the prime length validation
issue as well.

Cheers,

Ondrej