From 48320997b49b07b5abadec89c7fbe5d5f3d41da4 Mon Sep 17 00:00:00 2001
From: Daniel Fiala
Date: Sun, 19 Jun 2022 23:40:46 +0200
Subject: Add checks for saltlen and trailerfield to rsa key writer.
Fixes openssl#18168.
Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/18615)
---
 providers/common/der/der_rsa_key.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'providers')
diff --git a/providers/common/der/der_rsa_key.c b/providers/common/der/der_rsa_key.c
index 81ab0346cf..e1c078b906 100644
--- a/providers/common/der/der_rsa_key.c
+++ b/providers/common/der/der_rsa_key.c
@@ -305,6 +305,15 @@ int ossl_DER_w_RSASSA_PSS_params(WPACKET *pkt, int tag,
 saltlen = ossl_rsa_pss_params_30_saltlen(pss);
 trailerfield = ossl_rsa_pss_params_30_trailerfield(pss);
 
+ if (saltlen < 0) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_SALT_LENGTH);
+ return 0;
+ }
+ if (trailerfield != 1) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_TRAILER);
+ return 0;
+ }
+
 /* Getting default values */
 default_hashalg_nid = ossl_rsa_pss_params_30_hashalg(NULL);
 default_saltlen = ossl_rsa_pss_params_30_saltlen(NULL);
-- 
cgit v1.2.3
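Review bot: The two new guards in ossl_DER_w_RSASSA_PSS_params reject bad values only at encoding time and carry no explanation, so each deserves a short comment: above `if (trailerfield != 1)` something like `/* RFC 8017 A.2.3 defines only trailerFieldBC(1) */`, and above `if (saltlen < 0)` something like `/* a negative value cannot be encoded as a PSS salt length */`. A negative saltlen presumably gets this far because an earlier setter accepted it (possibly one of the negative RSA_PSS_SALTLEN_* sentinels left unresolved). If so, rejecting it where the parameters are set would keep an unserialisable key from being created at all; that needs confirming against the callers, which are outside this hunk. The diffstat lists only der_rsa_key.c, so a regression test that tries to write a key with a negative salt length and expects a clean failure would be a useful follow-up. The function body begins before and continues after the hunk.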