rsa_pss_compute_saltlen(): Avoid integer overflows and check MD and RSA sizes

Fixes Coverity 1604651

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25085)
Tomas Mraz 2024-08-05 15:08:39 +02:00
parent e3e15e77f1
commit 217e215e99


@ -216,13 +216,29 @@ static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
* Provide a way to use at most the digest length, so that the default does
* not violate FIPS 186-4. */
if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
saltlen = EVP_MD_get_size(ctx->md);
if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return -1;
}
} else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
saltlen = RSA_PSS_SALTLEN_MAX;
saltlenMax = EVP_MD_get_size(ctx->md);
if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return -1;
}
}
if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2;
int mdsize, rsasize;
if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return -1;
}
if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
return -1;
}
saltlen = rsasize - mdsize - 2;
if ((RSA_bits(ctx->rsa) & 0x7) == 1)
saltlen--;
if (saltlenMax >= 0 && saltlen > saltlenMax)
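Review bot: The new key-size guard `rsasize - 2 < mdsize` does not account for the `saltlen--` that follows it. When `rsasize - 2 == mdsize` and `(RSA_bits(ctx->rsa) & 0x7) == 1`, `saltlen` is computed as 0 and then decremented to -1. The rest of rsa_pss_compute_saltlen() lies outside this hunk, so a later check may already reject a negative value. If it does not, adding `if (saltlen < 0) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); return -1; }` directly after the decrement would keep the whole range check in one place. On the `RSA_PSS_SALTLEN_AUTO_DIGEST_MAX` path `EVP_MD_get_size(ctx->md)` is now called and validated twice, so `saltlenMax` could be reused for `mdsize` when it is already set.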