fuzz/decoder.c: Limit the key sizes on which checks are run

In particular the DH safe prime check will be limited to 8192 bits and the private and pairwise checks are limited to 16384 bits on any key types. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/24049)
author: Tomas Mraz <tomas@openssl.org> 2024-04-05 16:29:53 +0200
committer: Tomas Mraz <tomas@openssl.org> 2024-04-10 09:28:59 +0200
commit: 9fc61ba0a74dfd910c4e96e711291555ac64b2b4 (patch)
tree: d4218fc64f49805375bfb6d12a70f16369a0f924 /fuzz
parent: c89baf871030c811ba316ccbdcea26c294f605ae (diff)
1 files changed, 12 insertions, 3 deletions
diff --git a/fuzz/decoder.c b/fuzz/decoder.c
index 1a6558dbb3..c7b6d02f73 100644
--- a/fuzz/decoder.c
+++ b/fuzz/decoder.c
@@ -64,10 +64,19 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
         EVP_PKEY_free(pkey2);
 
         ctx = EVP_PKEY_CTX_new(pkey, NULL);
-        EVP_PKEY_param_check(ctx);
+        /*
+         * Param check will take too long time on large DH parameters.
+         * Skip it.
+         */
+        if (!EVP_PKEY_is_a(pkey, "DH") || EVP_PKEY_get_bits(pkey) <= 8192)
+            EVP_PKEY_param_check(ctx);
+
         EVP_PKEY_public_check(ctx);
-        EVP_PKEY_private_check(ctx);
-        EVP_PKEY_pairwise_check(ctx);
+        /* Private and pairwise checks are unbounded, skip for large keys. */
+        if (EVP_PKEY_get_bits(pkey) <= 16384) {
+            EVP_PKEY_private_check(ctx);
+            EVP_PKEY_pairwise_check(ctx);
+        }
         OPENSSL_assert(ctx != NULL);
         EVP_PKEY_CTX_free(ctx);
         EVP_PKEY_free(pkey);
author	Tomas Mraz <tomas@openssl.org>	2024-04-05 16:29:53 +0200
committer	Tomas Mraz <tomas@openssl.org>	2024-04-10 09:28:59 +0200
commit	9fc61ba0a74dfd910c4e96e711291555ac64b2b4 (patch)
tree	d4218fc64f49805375bfb6d12a70f16369a0f924 /fuzz
parent	c89baf871030c811ba316ccbdcea26c294f605ae (diff)