summaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorJiasheng Jiang <jiasheng@purdue.edu>2024-03-25 21:07:46 +0000
committerNeil Horman <nhorman@openssl.org>2024-03-29 15:34:32 -0400
commite582b2b22bcfbf5ed2b38de5fd1417013028614f (patch)
treebeb8ae1c9b5bd39df3ae0a42225d0af19581fdec /crypto
parent1967539e212c17139dc810096da987c8100b1ba2 (diff)
rsa/rsa_ameth.c: Add the check for the EVP_MD_get_size()
Add the check for the EVP_MD_get_size() to avoid invalid negative numbers. Fixes: 17c63d1cca ("RSA PSS ASN1 signing method") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23973)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/rsa/rsa_ameth.c19
1 files changed, 13 insertions, 6 deletions
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 148d0bbbd1..3a8ab79cab 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -454,15 +454,19 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
int saltlen;
int saltlenMax = -1;
+ int md_size;
if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
return NULL;
+ md_size = EVP_MD_get_size(sigmd);
+ if (md_size <= 0)
+ return NULL;
if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
return NULL;
if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0)
return NULL;
if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
- saltlen = EVP_MD_get_size(sigmd);
+ saltlen = md_size;
} else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
/* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm",
* subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in
@@ -472,10 +476,10 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
* Provide a way to use at most the digest length, so that the default
* does not violate FIPS 186-4. */
saltlen = RSA_PSS_SALTLEN_MAX;
- saltlenMax = EVP_MD_get_size(sigmd);
+ saltlenMax = md_size;
}
if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
- saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2;
+ saltlen = EVP_PKEY_get_size(pk) - md_size - 2;
if ((EVP_PKEY_get_bits(pk) & 0x7) == 1)
saltlen--;
if (saltlen < 0)
@@ -719,7 +723,7 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
const ASN1_STRING *sig)
{
int rv = 0;
- int mdnid, saltlen;
+ int mdnid, saltlen, md_size;
uint32_t flags;
const EVP_MD *mgf1md = NULL, *md = NULL;
RSA_PSS_PARAMS *pss;
@@ -732,6 +736,9 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
pss = ossl_rsa_pss_decode(sigalg);
if (!ossl_rsa_pss_get_param(pss, &md, &mgf1md, &saltlen))
goto err;
+ md_size = EVP_MD_get_size(md);
+ if (md_size <= 0)
+ goto err;
mdnid = EVP_MD_get_type(md);
/*
* For TLS need SHA256, SHA384 or SHA512, digest and MGF1 digest must
@@ -739,12 +746,12 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
*/
if ((mdnid == NID_sha256 || mdnid == NID_sha384 || mdnid == NID_sha512)
&& mdnid == EVP_MD_get_type(mgf1md)
- && saltlen == EVP_MD_get_size(md))
+ && saltlen == md_size)
flags = X509_SIG_INFO_TLS;
else
flags = 0;
/* Note: security bits half number of digest bits */
- secbits = EVP_MD_get_size(md) * 4;
+ secbits = md_size * 4;
/*
* SHA1 and MD5 are known to be broken. Reduce security bits so that
* they're no longer accepted at security level 1. The real values don't