From 108b29f9d3967dd1e6f2189a83fe627e333b132d Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 20 Oct 2018 15:53:09 +0000
Subject: RFC 3394 section 2 states that we need at least two 64 bit blocks for wrapping and, accordingly, three 64 bit blocks for unwrapping. That is: we need at least 16 bytes for wrapping and 24 bytes for unwrapping. This also matches the lower bounds that OpenSSL have in their CRYPTO_128_{un,}wrap() functions. In fact, if we pass an input with 'inlen < 8' to AES_unwrap_key(), this results in a segfault since then inlen -= 8 underflows. Found while playing with the Wycheproof keywrap test vectors. ok bcook
---
 src/lib/libcrypto/aes/aes_wrap.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/lib/libcrypto/aes/aes_wrap.c b/src/lib/libcrypto/aes/aes_wrap.c
index ac2f83a993..b7e08ab75f 100644
--- a/src/lib/libcrypto/aes/aes_wrap.c
+++ b/src/lib/libcrypto/aes/aes_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_wrap.c,v 1.10 2015/09/10 15:56:24 jsing Exp $ */
+/* $OpenBSD: aes_wrap.c,v 1.11 2018/10/20 15:53:09 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -66,7 +66,8 @@ AES_wrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
 {
 unsigned char *A, B[16], *R;
 unsigned int i, j, t;
- if ((inlen & 0x7) || (inlen < 8))
+
+ if ((inlen & 0x7) || (inlen < 16))
 return -1;
 A = B;
 t = 1;
@@ -100,11 +101,10 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
 {
 unsigned char *A, B[16], *R;
 unsigned int i, j, t;
- inlen -= 8;
- if (inlen & 0x7)
- return -1;
- if (inlen < 8)
+
+ if ((inlen & 0x7) || (inlen < 24))
 return -1;
+ inlen -= 8;
 A = B;
 t = 6 * (inlen >> 3);
 memcpy(A, in, 8);
-- cgit v1.2.3-55-g6feb
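Review bot: The new bounds are bare numbers: `inlen < 16` in this AES_wrap_key hunk and `inlen < 24` in the AES_unwrap_key hunk that follows carry no comment, so the RFC 3394 section 2 rationale lives only in the commit message. I would put `/* RFC 3394 section 2: at least two 64-bit blocks of plaintext. */` above this check and `/* RFC 3394 section 2: at least three 64-bit blocks of ciphertext. */` above the unwrap one. Only a lower bound is enforced in the visible lines; whether very large `inlen` values are safe for the length the function returns cannot be told from here and is worth confirming. The function's signature and the rest of its body lie outside the hunk.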
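Review bot: Nothing in the AES_unwrap_key hunk records that the length check has to stay ahead of `inlen -= 8;`, which is the whole fix: per the commit message the subtraction wraps for short inputs, presumably because inlen is unsigned (the signature is cut off in the hunk header). A one-line comment such as `/* Check before subtracting: inlen -= 8 wraps for inlen < 8. */` above the check would stop a later cleanup from reordering the two. The diffstat shows only aes_wrap.c changed, so no regression test accompanies the fix; a test that expects -1 for too-short and non-multiple-of-8 lengths would pin the behaviour. The function body continues outside the hunk.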