The branch master has been updated via 5e047ebf6d36cffee1022e31bbf1ce0bfa63233a (commit) via 108909d30e8ea5ff39439b17b266039be1ec5e84 (commit) from 41bee3e8fb749504f21f78dbf3eca85e5b84820b (commit)
- Log ----------------------------------------------------------------- commit 5e047ebf6d36cffee1022e31bbf1ce0bfa63233a Author: Bernd Edlinger <bernd.edlin...@hotmail.de> Date: Thu Mar 2 13:15:22 2017 +0100 Added a test case for RSA_padding_add_PKCS1_PSS_mgf1. Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Andy Polyakov <ap...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2801) commit 108909d30e8ea5ff39439b17b266039be1ec5e84 Author: Bernd Edlinger <bernd.edlin...@hotmail.de> Date: Mon Feb 27 12:40:35 2017 +0100 Fix a crash or unbounded allocation in RSA_padding_add_PKCS1_PSS_mgf1 and RSA_verify_PKCS1_PSS_mgf1 with 512-bit RSA vs. sha-512. Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Andy Polyakov <ap...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2801) ----------------------------------------------------------------------- Summary of changes: crypto/rsa/rsa_pss.c | 15 +++++++++++-- test/recipes/15-test_rsapss.t | 49 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 test/recipes/15-test_rsapss.t diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index 0a6178b..ab9b8e8 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c @@ -54,6 +54,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, * Negative sLen has special meanings: * -1 sLen == hLen * -2 salt length is autorecovered from signature + * -3 salt length is maximized * -N reserved */ if (sLen == RSA_PSS_SALTLEN_DIGEST) @@ -73,9 +74,13 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, EM++; emLen--; } + if (emLen < hLen + 2) { + RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); + goto err; + } if (sLen == RSA_PSS_SALTLEN_MAX) { sLen = emLen - hLen - 2; - } else if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */ + } else if (sLen > emLen - hLen - 2) { /* sLen can be small negative */ RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE); goto err; } @@ -157,6 +162,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, * Negative sLen has special meanings: * -1 sLen == hLen * -2 salt length is maximized + * -3 same as above (on signing) * -N reserved */ if (sLen == RSA_PSS_SALTLEN_DIGEST) @@ -174,9 +180,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, *EM++ = 0; emLen--; } + if (emLen < hLen + 2) { + RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, + RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + goto err; + } if (sLen == RSA_PSS_SALTLEN_MAX) { sLen = emLen - hLen - 2; - } else if (emLen < (hLen + sLen + 2)) { + } else if (sLen > emLen - hLen - 2) { RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); goto err; diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t new file mode 100644 index 0000000..5ab308e --- /dev/null +++ b/test/recipes/15-test_rsapss.t @@ -0,0 +1,49 @@ +#! /usr/bin/env perl +# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT with srctop_file/; +use OpenSSL::Test::Utils; + +setup("test_rsapss"); + +plan tests => 5; + +#using test/testrsa.pem which happens to be a 512 bit RSA +ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:-3', + '-sigopt', 'rsa_mgf1_md:sha512', srctop_file('test', 'testrsa.pem')], + stdout => 'testrsapss.sig')), + "openssl dgst -sign"); + +with({ exit_checker => sub { return shift == 1; } }, + sub { ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha512', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:-3', + '-sigopt', 'rsa_mgf1_md:sha512', srctop_file('test', 'testrsa.pem')])), + "openssl dgst -sign, expect to fail gracefully"); + ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha512', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:2147483647', + '-sigopt', 'rsa_mgf1_md:sha1', srctop_file('test', 'testrsa.pem')])), + "openssl dgst -sign, expect to fail gracefully"); + ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha512', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:-3', + '-sigopt', 'rsa_mgf1_md:sha512', '-signature', 'testrsapss.sig', + srctop_file('test', 'testrsa.pem')])), + "openssl dgst -prverify, expect to fail gracefully"); + }); + +ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha1', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:-3', + '-sigopt', 'rsa_mgf1_md:sha512', '-signature', 'testrsapss.sig', + srctop_file('test', 'testrsa.pem')])), + "openssl dgst -prverify"); +unlink 'testrsapss.sig'; _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits