author | tb <> | 2022-02-20 19:16:34 +0000 |
committer | tb <> | 2022-02-20 19:16:34 +0000 |
commit | 198fbf2d5b1990c75989c00e8f6345ae9b2882a5 (patch) | |
tree | 8ec8cd96e8c5c6afba50c06e999740654d714004 /src/lib | |
parent | b0b6353830516aef654069487a0443077c480546 (diff) | |
Fix a buffer overread in OAEP padding removal
This only occurs with very small payloads and tightly allocated buffers,
a combination that does not usually occur in practice.
This is OpenSSL f61c6804
ok inoguchi jsing
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/libcrypto/rsa/rsa_oaep.c | 22 |
1 files changed, 11 insertions, 11 deletions
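diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index aa37868950..932695009f 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_oaep.c,v 1.34 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: rsa_oaep.c,v 1.35 2022/02/20 19:16:34 tb Exp $ */
 /*
 * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
@@ -224,17 +224,16 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 from -= 1 & mask;
 *--em = *from & mask;
 }
-from = em;
 
 /*
 * The first byte must be zero, however we must not leak if this is
 * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
 * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
 */
-good = constant_time_is_zero(from[0]);
+good = constant_time_is_zero(em[0]);
 
-maskedseed = from + 1;
-maskeddb = from + 1 + mdlen;
+maskedseed = em + 1;
+maskeddb = em + 1 + mdlen;
 
 if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
 goto cleanup;
@@ -290,15 +289,16 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 * should be noted that failure is indistinguishable from normal
 * operation if |tlen| is fixed by protocol.
 */
-tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
+tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
+dblen - mdlen - 1, tlen);
 msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
 mlen = dblen - msg_index;
-for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
-unsigned int equals = constant_time_eq(i, mlen);
+for (mask = good, i = 0; i < tlen; i++) {
+unsigned int equals = constant_time_eq(msg_index, dblen);
 
-from -= dblen & equals; /* if (i == mlen) rewind */
-mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
-to[i] = constant_time_select_8(mask, from[i], to[i]);
+msg_index -= tlen & equals; /* rewind at EOF */
+mask &= ~equals; /* mask = 0 at EOF */
+to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
 }
 
 /*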
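Review bot: The clamp on new lines 292-293 spells out the bound `dblen - mdlen - 1` twice with no comment on where it comes from, yet the in-bounds argument for the rewind on line 299 rests on it: after `msg_index -= tlen & equals` the remaining reads start at `dblen - tlen`, which only stays inside `db` because `tlen` was just clamped to at most that bound. I would hoist it into a named local and document it, `int max_mlen = dblen - mdlen - 1; /* DB is lHash || PS || 0x01 || M (RFC 8017), so M is at most this long */`, and use `max_mlen` in both places on lines 292-293. The rewind comment would then be more useful as `/* at EOF wrap to dblen - tlen; in bounds since tlen <= max_mlen */` rather than the bare "rewind at EOF". `mlen` on line 295 is assigned but never read inside the hunk; presumably it feeds the return value, which, like the rest of RSA_padding_check_PKCS1_OAEP_mgf1, lies outside the visible hunks.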