From: Neil Horman <nhorman@openssl.org>
Date: Thu, 20 Feb 2025 12:45:50 +0000 (-0500)
Subject: Fix slh-dsa fuzzer on invalid param inputs
X-Git-Tag: openssl-3.5.0-alpha1~96
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3be71de4d925a4ef0a053327ff6a83728742c039;p=thirdparty%2Fopenssl.git

Fix slh-dsa fuzzer on invalid param inputs

oss-fuzz issue:
https://issues.oss-fuzz.com/issues/397734693

Fails because the fuzzer occasionaly provides inputs which drives the
fuzzer to create an octet-string for the context_string param which
violates the 255 byte constraint documented on that parameter.

Fix it by detecting that condition, expecting failure in the call to
EVP_sign_message_init, and bailing out when it occurs.

Fixes openssl/project#1109

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26851)
---

diff --git a/fuzz/slh-dsa.c b/fuzz/slh-dsa.c
index ecd5af373cc..6ced4561653 100644
--- a/fuzz/slh-dsa.c
+++ b/fuzz/slh-dsa.c
@@ -319,6 +319,7 @@ static void slh_dsa_sign_verify(uint8_t **buf, size_t *len, void *key1,
     OSSL_PARAM params[4];
     int paramidx = 0;
     int intval;
+    int expect_init_rc = 1;
 
     *buf = consume_uint8t(*buf, len, &selector);
     if (*buf == NULL)
@@ -338,6 +339,11 @@ static void slh_dsa_sign_verify(uint8_t **buf, size_t *len, void *key1,
      */
     msg = (unsigned char *)*buf;
     msg_len = *len;
+
+    /* if msg_len > 255, sign_message_init will fail */
+    if (msg_len > 255)
+        expect_init_rc = 0;
+
     *len = 0;
 
     if (selector & 0x1)
@@ -368,7 +374,15 @@ static void slh_dsa_sign_verify(uint8_t **buf, size_t *len, void *key1,
     sig_alg = EVP_SIGNATURE_fetch(NULL, keytype, NULL);
     OPENSSL_assert(sig_alg != NULL);
 
-    OPENSSL_assert(EVP_PKEY_sign_message_init(ctx, sig_alg, params));
+    OPENSSL_assert(EVP_PKEY_sign_message_init(ctx, sig_alg, params) == expect_init_rc);
+    /*
+     * the context_string parameter can be no more than 255 bytes, so if
+     * our random input buffer is greater than that, we expect failure above,
+     * which we check for.  In that event, theres nothing more we can do here
+     * so bail out
+     */
+    if (expect_init_rc == 0)
+        goto out;
 
     OPENSSL_assert(EVP_PKEY_sign(ctx, NULL, &sig_len, msg, msg_len));
     sig = OPENSSL_zalloc(sig_len);
@@ -379,6 +393,7 @@ static void slh_dsa_sign_verify(uint8_t **buf, size_t *len, void *key1,
     OPENSSL_assert(EVP_PKEY_verify_message_init(ctx, sig_alg, params));
     OPENSSL_assert(EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len));
 
+out:
     OPENSSL_free(sig);
     EVP_SIGNATURE_free(sig_alg);
     EVP_PKEY_CTX_free(ctx);