From fd67f61bb4b6f78a989612089b10ab1eccc93894 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Mon, 20 Mar 2017 19:21:36 -0400
Subject: [PATCH] Fix bounds check in RSA_verify_PKCS1_PSS_mgf1 when sLen is -2.
(Imported from upstream's 04cf39207f94abf89b3964c7710f22f829a1a78f.) The other half of the change was fixed earlier, but this logic was still off. This code is kind of a mess and needs a rewrite, but import the change to get it correct and sufficiently tested first. (If we could take the sLen = -2 case away altogether, that would be great...)
Change-Id: I5786e980f26648822633fc216315e8f77ed4d45b
Reviewed-on: https://boringssl-review.googlesource.com/14321
Reviewed-by: Steven Valdez
Commit-Queue: Steven Valdez
CQ-Verified: CQ bot account: commit-bot@chromium.org
---
 crypto/evp/evp_tests.txt | 15 +++++++--------
 crypto/rsa/padding.c | 2 +-
 2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/crypto/evp/evp_tests.txt b/crypto/evp/evp_tests.txt
index 1d57bd53..48121f9c 100644
--- a/crypto/evp/evp_tests.txt
+++ b/crypto/evp/evp_tests.txt
@@ -277,14 +277,13 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
 Output = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 Error = DATA_TOO_LARGE
-# TODO(davidben): Add this as a regression test once upstream's fix is imported.
-# Verify = RSA-512
-# RSAPadding = PSS
-# PSSSaltLength = -2
-# Digest = SHA512
-# Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
-# Output = 457001d9ca50a93385fc5ec721c9dbbe7a0f2e9e4a2f846a30a8811dde66347b83901c7492039243537c7a667fafffd69049bcbd36afd0010d9b425e2d8785c1
-# Error = DATA_TOO_LARGE
+Verify = RSA-512
+RSAPadding = PSS
+PSSSaltLength = -2
+Digest = SHA512
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 457001d9ca50a93385fc5ec721c9dbbe7a0f2e9e4a2f846a30a8811dde66347b83901c7492039243537c7a667fafffd69049bcbd36afd0010d9b425e2d8785c1
+Error = DATA_TOO_LARGE
 # RSA decrypt
diff --git a/crypto/rsa/padding.c b/crypto/rsa/padding.c
index 3ed19adc..678457bf 100644
--- a/crypto/rsa/padding.c
+++ b/crypto/rsa/padding.c
@@ -530,7 +530,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
 EM++;
 emLen--;
 }
- if (emLen < ((int)hLen + sLen + 2)) {
+ if (emLen < (int)hLen + 2 || emLen < ((int)hLen + sLen + 2)) {
 /* sLen can be small negative */
 OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
 goto err;
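Review bot: The second clause of the new check in crypto/rsa/padding.c, `emLen < ((int)hLen + sLen + 2)`, still adds the caller-supplied `sLen` to `(int)hLen + 2` in signed `int`, so a very large positive salt length would overflow (undefined behaviour) before the comparison can reject it. Because the first clause already guarantees `emLen - (int)hLen - 2 >= 0`, the same test can be written without the addition: `if (emLen < (int)hLen + 2 || sLen > emLen - (int)hLen - 2) {`. Whether `sLen` is range-checked earlier is not visible here, since the body of RSA_verify_PKCS1_PSS_mgf1 starts and ends outside the hunk. The retained comment could also state why the floor is needed, for example `/* sLen may be -2, so also require room for the hash and the two fixed bytes */`.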