提交 108909d3 编写于 作者: B Bernd Edlinger 提交者: Andy Polyakov

Fix a crash or unbounded allocation in RSA_padding_add_PKCS1_PSS_mgf1

and RSA_verify_PKCS1_PSS_mgf1 with 512-bit RSA vs. sha-512.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2801)
上级 41bee3e8
...@@ -54,6 +54,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, ...@@ -54,6 +54,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
* Negative sLen has special meanings: * Negative sLen has special meanings:
* -1 sLen == hLen * -1 sLen == hLen
* -2 salt length is autorecovered from signature * -2 salt length is autorecovered from signature
* -3 salt length is maximized
* -N reserved * -N reserved
*/ */
if (sLen == RSA_PSS_SALTLEN_DIGEST) if (sLen == RSA_PSS_SALTLEN_DIGEST)
...@@ -73,9 +74,13 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, ...@@ -73,9 +74,13 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
EM++; EM++;
emLen--; emLen--;
} }
if (emLen < hLen + 2) {
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
goto err;
}
if (sLen == RSA_PSS_SALTLEN_MAX) { if (sLen == RSA_PSS_SALTLEN_MAX) {
sLen = emLen - hLen - 2; sLen = emLen - hLen - 2;
} else if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */ } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */
RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);
goto err; goto err;
} }
...@@ -157,6 +162,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, ...@@ -157,6 +162,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
* Negative sLen has special meanings: * Negative sLen has special meanings:
* -1 sLen == hLen * -1 sLen == hLen
* -2 salt length is maximized * -2 salt length is maximized
* -3 same as above (on signing)
* -N reserved * -N reserved
*/ */
if (sLen == RSA_PSS_SALTLEN_DIGEST) if (sLen == RSA_PSS_SALTLEN_DIGEST)
...@@ -174,9 +180,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, ...@@ -174,9 +180,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
*EM++ = 0; *EM++ = 0;
emLen--; emLen--;
} }
if (emLen < hLen + 2) {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
goto err;
}
if (sLen == RSA_PSS_SALTLEN_MAX) { if (sLen == RSA_PSS_SALTLEN_MAX) {
sLen = emLen - hLen - 2; sLen = emLen - hLen - 2;
} else if (emLen < (hLen + sLen + 2)) { } else if (sLen > emLen - hLen - 2) {
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
goto err; goto err;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册