author | Tomas Mraz <tomas@openssl.org> | 2024-04-05 16:29:53 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-04-10 09:28:59 +0200 |
commit | 9fc61ba0a74dfd910c4e96e711291555ac64b2b4 (patch) | |
tree | d4218fc64f49805375bfb6d12a70f16369a0f924 /fuzz | |
parent | Fix socket descriptor checks on Windows (diff) | |
fuzz/decoder.c: Limit the key sizes on which checks are run
In particular the DH safe prime check will be limited to 8192 bits
and the private and pairwise checks are limited to 16384 bits on
any key types.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24049)
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/decoder.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/fuzz/decoder.c b/fuzz/decoder.c
index 1a6558dbb3..c7b6d02f73 100644
--- a/fuzz/decoder.c
+++ b/fuzz/decoder.c
@@ -64,10 +64,19 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
 EVP_PKEY_free(pkey2);
 ctx = EVP_PKEY_CTX_new(pkey, NULL);
- EVP_PKEY_param_check(ctx);
+ /*
+ * Param check will take too long time on large DH parameters.
+ * Skip it.
+ */
+ if (!EVP_PKEY_is_a(pkey, "DH") || EVP_PKEY_get_bits(pkey) <= 8192)
+ EVP_PKEY_param_check(ctx);
+
 EVP_PKEY_public_check(ctx);
- EVP_PKEY_private_check(ctx);
- EVP_PKEY_pairwise_check(ctx);
+ /* Private and pairwise checks are unbounded, skip for large keys. */
+ if (EVP_PKEY_get_bits(pkey) <= 16384) {
+ EVP_PKEY_private_check(ctx);
+ EVP_PKEY_pairwise_check(ctx);
+ }
 OPENSSL_assert(ctx != NULL);
 EVP_PKEY_CTX_free(ctx);
 EVP_PKEY_free(pkey);
|
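Review bot: Both new size guards treat an unavailable key size as a small key: `EVP_PKEY_get_bits()` returns 0 when the size is not available, and `0 <= 8192` / `0 <= 16384` lets the expensive checks run, so a decoded key that does not report its size would presumably still reach the unbounded check paths and time out the fuzzer. Read the size once with `int bits = EVP_PKEY_get_bits(pkey);` and make the unknown case explicit, e.g. `if (bits > 0 && bits <= 16384) {`, or add a comment stating that 0 is deliberately allowed through to keep coverage. The limits 8192 and 16384 would also read better as named constants with a comment on where the values come from, since they define the largest untrusted key size on which these checks are still expected to finish in bounded time. The enclosing block of FuzzerTestOneInput starts and ends outside the hunk.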