oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs.
Impact
Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage.
Handling of plain/non-hybrid PQ key operation is not affected.
Patches
Fixed in v0.6.1.
Workarounds
None; users must upgrade to v0.6.1.
References
#416
Further details
DECODE_UINT32 is called on user-provided input without any length checks, and the decoded classical key lengths and signature lengths are later used for memory reads and writes without any (or very limited) control. This mainly occurs in oqsx_key_op and oqs_sig_verify, as they are provided char * user input. This is the most severe security issue, as outsiders could cause crashes or information leakage by providing malformed input.
DECODE_UINT32 is also often used to load uint32 values into ints and other integer types, which could cause integer overflows and similar problems to the above. This could also be easily exploited.
The patch fixing these problems also adds limited length checks where DECODE_UINT32 is called on an OQSX_KEY hybrid key's private key or public key, to make sure erroneous behavior is avoided.
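The defensive pattern the fix describes, as an added example that is not oqs-provider code: the serialized layout (a big-endian uint32 classical length, then the classical key bytes, then the post-quantum key bytes), the function names, the fixed PQ length and the sample inputs are all assumptions constructed for illustration. The decoded length is kept unsigned and size_t-wide, and every value is checked against the bytes actually present before it is used for a pointer or read length.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not oqs-provider code. Assumed serialized hybrid layout:
 * uint32 big-endian classical length || classical key || post-quantum key. */
typedef struct {
    const unsigned char *classical; size_t classical_len;
    const unsigned char *pq;        size_t pq_len;
} hybrid_view;
/* Big-endian uint32; the caller has already checked that 4 bytes exist. */
static uint32_t decode_uint32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
/* Returns 1 and fills *out on a well-formed buffer, 0 on malformed input.
 * Every length is validated against the bytes actually present before it is
 * used to compute a pointer or a read length. */
int parse_hybrid_key(const unsigned char *in, size_t in_len,
                     size_t max_classical_len, size_t expected_pq_len,
                     hybrid_view *out) {
    if (in == NULL || out == NULL || in_len < 4) return 0;  /* need the prefix */
    /* Keep the decoded value unsigned and size_t-wide: storing it in an int
     * would turn values >= 2^31 negative and defeat the comparisons below. */
    size_t classical_len = decode_uint32_be(in);
    if (classical_len == 0 || classical_len > max_classical_len) return 0;
    if (classical_len > in_len - 4) return 0;  /* subtract, never add: no overflow */
    size_t pq_len = in_len - 4 - classical_len;
    if (pq_len != expected_pq_len) return 0;   /* assumed fixed-size PQ part */
    out->classical = in + 4;  out->classical_len = classical_len;
    out->pq = in + 4 + classical_len;  out->pq_len = pq_len;
    return 1;
}
/* Constructed inputs: a 3-byte "classical" part and a 2-byte "PQ" part. */
int check_well_formed(void) {
    static const unsigned char buf[] = {0,0,0,3, 'a','b','c', 'x','y'};
    hybrid_view v;
    return parse_hybrid_key(buf, sizeof buf, 64, 2, &v) == 1
        && v.classical_len == 3 && v.pq_len == 2 && v.pq[0] == 'x';
}
int check_oversized_length(void) {   /* 0xffffffff prefix, only 5 payload bytes */
    static const unsigned char buf[] = {0xff,0xff,0xff,0xff, 'a','b','c','x','y'};
    hybrid_view v;
    return parse_hybrid_key(buf, sizeof buf, 64, 2, &v) == 0;
}
int check_length_past_end(void) {    /* claims 9 classical bytes, 5 present */
    static const unsigned char buf[] = {0,0,0,9, 'a','b','c','x','y'};
    hybrid_view v;
    return parse_hybrid_key(buf, sizeof buf, 64, 2, &v) == 0;
}
```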
Credits
Thank you to Bence Mali, Gergely Nagy, and Zoltán Kővágó of Tresorit for identifying the issue and providing the patch to address it.