RFC 3394 section 2 states that we need at least two 64 bit blocks

for wrapping and, accordingly, three 64 bit blocks for unwrapping.
That is: we need at least 16 bytes for wrapping and 24 bytes for
unwrapping.  This also matches the lower bounds that OpenSSL have
in their CRYPTO_128_{un,}wrap() functions.

In fact, if we pass an input with 'inlen < 8' to AES_unwrap_key(),
this results in a segfault since then inlen -= 8 underflows.

Found while playing with the Wycheproof keywrap test vectors.

ok bcook

1 files changed, 6 insertions, 6 deletions

diff --git a/src/lib/libcrypto/aes/aes_wrap.c b/src/lib/libcrypto/aes/aes_wrap.c
index ac2f83a993..b7e08ab75f 100644
--- a/src/lib/libcrypto/aes/aes_wrap.c
+++ b/src/lib/libcrypto/aes/aes_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_wrap.c,v 1.10 2015/09/10 15:56:24 jsing Exp $ */
+/* $OpenBSD: aes_wrap.c,v 1.11 2018/10/20 15:53:09 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -66,7 +66,8 @@ AES_wrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
 {
         unsigned char *A, B[16], *R;
         unsigned int i, j, t;
-        if ((inlen & 0x7) || (inlen < 8))
+
+        if ((inlen & 0x7) || (inlen < 16))
                 return -1;
         A = B;
         t = 1;
@@ -100,11 +101,10 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
 {
         unsigned char *A, B[16], *R;
         unsigned int i, j, t;
-        inlen -= 8;
-        if (inlen & 0x7)
-                return -1;
-        if (inlen < 8)
+
+        if ((inlen & 0x7) || (inlen < 24))
                 return -1;
+        inlen -= 8;
         A = B;
         t = 6 * (inlen >> 3);
         memcpy(A, in, 8);