diff options
author | Jiasheng Jiang <jiasheng@purdue.edu> | 2024-03-22 23:05:00 +0000 |
---|---|---|
committer | Neil Horman <nhorman@openssl.org> | 2024-04-01 13:13:46 -0400 |
commit | ef9ac2f9b8b648406424c7c002fb94b0fae0434a (patch) | |
tree | 0c166c3889d4de01e22dde3b0c6f335ab79758d9 /test | |
parent | 99fe4c10664c2287d34145457823edff3782e413 (diff) |
test/bad_dtls_test.c: Add checks for the EVP_MD_CTX_get_size()
Add the check for the EVP_MD_CTX_get_size() to avoid integer overflow when it is implicitly casted from int to size_t in evp_pkey_ctx_store_cached_data().
The call path is do_PRF() -> EVP_PKEY_CTX_add1_tls1_prf_seed() -> evp_pkey_ctx_set1_octet_string() -> EVP_PKEY_CTX_ctrl() -> evp_pkey_ctx_store_cached_data().
Fixes: 16938284cf ("Add basic test for Cisco DTLS1_BAD_VER and record replay handling")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23952)
Diffstat (limited to 'test')
-rw-r--r-- | test/bad_dtls_test.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/test/bad_dtls_test.c b/test/bad_dtls_test.c index 2e12de2702..608377c858 100644 --- a/test/bad_dtls_test.c +++ b/test/bad_dtls_test.c @@ -370,6 +370,7 @@ static int send_finished(SSL *s, BIO *rbio) /* Finished MAC (12 bytes) */ }; unsigned char handshake_hash[EVP_MAX_MD_SIZE]; + int md_size; /* Derive key material */ do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, @@ -381,8 +382,11 @@ static int send_finished(SSL *s, BIO *rbio) if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL)) return 0; + md_size = EVP_MD_CTX_get_size(handshake_md); + if (md_size <= 0) + return 0; do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, - handshake_hash, EVP_MD_CTX_get_size(handshake_md), + handshake_hash, md_size, NULL, 0, finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH); |