Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
94fd382f
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
1 年多 前同步成功
通知
10
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
94fd382f
编写于
5月 19, 2008
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Fix two invalid memory reads in RSA OAEP mode.
Submitted by: Ivan Nestlerode <inestlerode@us.ibm.com> Reviewed by: steve
上级
4bd4afa3
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
23 addition
and
8 deletion
+23
-8
CHANGES
CHANGES
+8
-0
crypto/rsa/rsa_oaep.c
crypto/rsa/rsa_oaep.c
+15
-8
未找到文件。
CHANGES
浏览文件 @
94fd382f
...
...
@@ -685,6 +685,14 @@
[NTT]
Changes between 0.9.8g and 0.9.8h [xx XXX xxxx]
*) RSA OAEP patches to fix two separate invalid memory reads.
The first one involves inputs when 'lzero' is greater than
'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
before the beginning of from). The second one involves inputs where
the 'db' section contains nothing but zeroes (there is a one-byte
invalid read after the end of 'db').
[Ivan Nesterlode <inestlerode@us.ibm.com>]
*) Add TLS session ticket callback. This allows an application to set
TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
...
...
crypto/rsa/rsa_oaep.c
浏览文件 @
94fd382f
...
...
@@ -96,6 +96,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
const
unsigned
char
*
maskeddb
;
int
lzero
;
unsigned
char
*
db
=
NULL
,
seed
[
SHA_DIGEST_LENGTH
],
phash
[
SHA_DIGEST_LENGTH
];
unsigned
char
*
padded_from
;
int
bad
=
0
;
if
(
--
num
<
2
*
SHA_DIGEST_LENGTH
+
1
)
...
...
@@ -106,8 +107,6 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
lzero
=
num
-
flen
;
if
(
lzero
<
0
)
{
/* lzero == -1 */
/* signalling this error immediately after detection might allow
* for side-channel attacks (e.g. timing if 'plen' is huge
* -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
...
...
@@ -115,20 +114,28 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
* so we use a 'bad' flag */
bad
=
1
;
lzero
=
0
;
flen
=
num
;
/* don't overflow the memcpy to padded_from */
}
maskeddb
=
from
-
lzero
+
SHA_DIGEST_LENGTH
;
dblen
=
num
-
SHA_DIGEST_LENGTH
;
db
=
OPENSSL_malloc
(
dblen
);
db
=
OPENSSL_malloc
(
dblen
+
num
);
if
(
db
==
NULL
)
{
RSAerr
(
RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP
,
ERR_R_MALLOC_FAILURE
);
return
-
1
;
}
/* Always do this zero-padding copy (even when lzero == 0)
* to avoid leaking timing info about the value of lzero. */
padded_from
=
db
+
dblen
;
memset
(
padded_from
,
0
,
lzero
);
memcpy
(
padded_from
+
lzero
,
from
,
flen
);
maskeddb
=
padded_from
+
SHA_DIGEST_LENGTH
;
MGF1
(
seed
,
SHA_DIGEST_LENGTH
,
maskeddb
,
dblen
);
for
(
i
=
lzero
;
i
<
SHA_DIGEST_LENGTH
;
i
++
)
seed
[
i
]
^=
from
[
i
-
lzero
];
for
(
i
=
0
;
i
<
SHA_DIGEST_LENGTH
;
i
++
)
seed
[
i
]
^=
padded_from
[
i
];
MGF1
(
db
,
dblen
,
seed
,
SHA_DIGEST_LENGTH
);
for
(
i
=
0
;
i
<
dblen
;
i
++
)
...
...
@@ -143,13 +150,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
for
(
i
=
SHA_DIGEST_LENGTH
;
i
<
dblen
;
i
++
)
if
(
db
[
i
]
!=
0x00
)
break
;
if
(
db
[
i
]
!=
0x01
||
i
++
>=
dblen
)
if
(
i
==
dblen
||
db
[
i
]
!=
0x01
)
goto
decoding_err
;
else
{
/* everything looks OK */
mlen
=
dblen
-
i
;
mlen
=
dblen
-
++
i
;
if
(
tlen
<
mlen
)
{
RSAerr
(
RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP
,
RSA_R_DATA_TOO_LARGE
);
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录