diff options
| author | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2019-02-28 10:08:18 +0100 |
|---|---|---|
| committer | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2019-03-07 23:36:55 +0100 |
| commit | 6555a8941bd6be5790d3b45c41de23234a8e527f (patch) | |
| tree | af55eff2e0d2f9bafdd91fbfe249b288485fe739 /crypto/rsa/rsa_pk1.c | |
| parent | d5e37fc871be6910db931790b70323c78b332dff (diff) | |
Fix memory overrun in rsa padding check functions
Backported from d7f5e5ae6d5
Fixes #8364 and #8357
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8438)
Diffstat (limited to 'crypto/rsa/rsa_pk1.c')
| -rw-r--r-- | crypto/rsa/rsa_pk1.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 074bc0a939..2c43a54e31 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -241,15 +241,14 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, from -= 1 & mask; *--em = *from & mask; } - from = em; - good = constant_time_is_zero(from[0]); - good &= constant_time_eq(from[1], 2); + good = constant_time_is_zero(em[0]); + good &= constant_time_eq(em[1], 2); /* scan over padding data */ found_zero_byte = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(from[i]); + unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); @@ -257,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -285,15 +284,16 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, * should be noted that failure is indistinguishable from normal * operation if |tlen| is fixed by protocol. */ - tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); + tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), + num - 11, tlen); msg_index = constant_time_select_int(good, msg_index, num - tlen); mlen = num - msg_index; - for (from += msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); + for (mask = good, i = 0; i < tlen; i++) { + unsigned int equals = constant_time_eq(msg_index, num); - from -= tlen & equals; /* if (i == mlen) rewind */ - mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + msg_index -= tlen & equals; /* rewind at EOF */ + mask &= ~equals; /* mask = 0 at EOF */ + to[i] = constant_time_select_8(mask, em[msg_index++], to[i]); } OPENSSL_cleanse(em, num); |