Fix two invalid memory reads in RSA OAEP mode.

Submitted by: Ivan Nestlerode <inestlerode@us.ibm.com>
Reviewed by: steve
上级 4bd4afa3
master OpenHarmony-2.2-Beta2 OpenHarmony-2.3-Beta OpenHarmony-3.0-LTS OpenHarmony-3.1-API8-SDK-Public OpenHarmony-3.1-API9-SDK-Canary OpenHarmony-3.1-Beta OpenHarmony-3.1-Release OpenHarmony-3.2-Beta1 OpenHarmony-3.2-Beta2 OpenHarmony-3.2-Beta3 OpenHarmony-3.2-Beta4 OpenHarmony-3.2-Beta5 OpenHarmony-3.2-Release OpenHarmony-4.0-Beta1 OpenHarmony-4.0-Beta2 OpenHarmony-v2.2-Beta OpenHarmony_1.0.1_release OpenHarmony_filemanager_develop_20220505 OpenHarmony_filemanager_develop_20220614 add_issus_pr_template_for_master add_issus_pr_template_for_release feature_IDL_20220811 master_dy monthly_20220614 monthly_20220816 monthly_20221018 monthly_20230815 revert-merge-109-master weekly_20220105 weekly_20220111 weekly_20220118 weekly_20220125 weekly_20220201 weekly_20220208 weekly_20220215 weekly_20220222 weekly_20220301 weekly_20220406 weekly_20220412 weekly_20220419 weekly_20220426 weekly_20220503 weekly_20220510 weekly_20220524 weekly_20220531 weekly_20220607 weekly_20220614 weekly_20220621 weekly_20220628 weekly_20220705 weekly_20220712 weekly_20220719 weekly_20220726 weekly_20220802 weekly_20220809 weekly_20220816 weekly_20220823 weekly_20220830 weekly_20220906 weekly_20220913 weekly_20220920 weekly_20220927 weekly_20221004 weekly_20221011 weekly_20221018 weekly_20221025 weekly_20221101 weekly_20221108 weekly_20221115 weekly_20221122 weekly_20221129 weekly_20221206 weekly_20221213 weekly_20221220 weekly_20221227 weekly_20230103 weekly_20230110 weekly_20230117 weekly_20230124 weekly_20230131 weekly_20230207 weekly_20230214 weekly_20230221 weekly_20230228 weekly_20230307 weekly_20230314 weekly_20230321 weekly_20230328 weekly_20230404 weekly_20230411 weekly_20230418 weekly_20230425 weekly_20230502 weekly_20230509 weekly_20230516 weekly_20230523 weekly_20230530 weekly_20230606 weekly_20230613 weekly_20230619 weekly_20230626 weekly_20230627 weekly_20230704 weekly_20230712 weekly_20230725 weekly_20230801 weekly_20230808 weekly_20230815 weekly_20230822 weekly_20230829 OpenHarmony_v1.1.1-LTS OpenHarmony_release_v1.1.0 OpenHarmony-v4.0-Beta2 OpenHarmony-v4.0-Beta1 OpenHarmony-v3.2.2-Release OpenHarmony-v3.2.1-Release OpenHarmony-v3.2-Release OpenHarmony-v3.2-Beta5 OpenHarmony-v3.2-Beta4 OpenHarmony-v3.2-Beta3 OpenHarmony-v3.2-Beta2 OpenHarmony-v3.2-Beta1 OpenHarmony-v3.1.7-Release OpenHarmony-v3.1.6-Release OpenHarmony-v3.1.5-Release OpenHarmony-v3.1.4-Release OpenHarmony-v3.1.3-Release OpenHarmony-v3.1.2-Release OpenHarmony-v3.1.1-Release OpenHarmony-v3.1-Release OpenHarmony-v3.1-Beta OpenHarmony-v3.0.8-LTS OpenHarmony-v3.0.7-LTS OpenHarmony-v3.0.6-LTS OpenHarmony-v3.0.5-LTS OpenHarmony-v3.0.3-LTS OpenHarmony-v3.0.2-LTS OpenHarmony-v3.0.1-LTS OpenHarmony-v3.0-LTS OpenHarmony-v3.0-Beta1 OpenHarmony-v2.2-Beta2 OpenHarmony-v1.1.5-LTS OpenHarmony-v1.1.4-LTS OpenHarmony-v1.1.3-LTS OpenHarmony-v1.1.2-LTS OpenHarmony-v1.1.1-LTS OpenHarmony-2.0-Canary OpenHarmony-1.0
无相关合并请求
......@@ -685,6 +685,14 @@
[NTT]
Changes between 0.9.8g and 0.9.8h [xx XXX xxxx]
*) RSA OAEP patches to fix two separate invalid memory reads.
The first one involves inputs when 'lzero' is greater than
'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
before the beginning of from). The second one involves inputs where
the 'db' section contains nothing but zeroes (there is a one-byte
invalid read after the end of 'db').
[Ivan Nesterlode <inestlerode@us.ibm.com>]
*) Add TLS session ticket callback. This allows an application to set
TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
......
......@@ -96,6 +96,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
const unsigned char *maskeddb;
int lzero;
unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
unsigned char *padded_from;
int bad = 0;
if (--num < 2 * SHA_DIGEST_LENGTH + 1)
......@@ -106,8 +107,6 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
lzero = num - flen;
if (lzero < 0)
{
/* lzero == -1 */
/* signalling this error immediately after detection might allow
* for side-channel attacks (e.g. timing if 'plen' is huge
* -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
......@@ -115,20 +114,28 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
* so we use a 'bad' flag */
bad = 1;
lzero = 0;
flen = num; /* don't overflow the memcpy to padded_from */
}
maskeddb = from - lzero + SHA_DIGEST_LENGTH;
dblen = num - SHA_DIGEST_LENGTH;
db = OPENSSL_malloc(dblen);
db = OPENSSL_malloc(dblen + num);
if (db == NULL)
{
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
return -1;
}
/* Always do this zero-padding copy (even when lzero == 0)
* to avoid leaking timing info about the value of lzero. */
padded_from = db + dblen;
memset(padded_from, 0, lzero);
memcpy(padded_from + lzero, from, flen);
maskeddb = padded_from + SHA_DIGEST_LENGTH;
MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
seed[i] ^= from[i - lzero];
for (i = 0; i < SHA_DIGEST_LENGTH; i++)
seed[i] ^= padded_from[i];
MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
for (i = 0; i < dblen; i++)
......@@ -143,13 +150,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
if (db[i] != 0x00)
break;
if (db[i] != 0x01 || i++ >= dblen)
if (i == dblen || db[i] != 0x01)
goto decoding_err;
else
{
/* everything looks OK */
mlen = dblen - i;
mlen = dblen - ++i;
if (tlen < mlen)
{
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册
反馈
建议
客服 返回
顶部