gmp: Reject RSASSA-PSS signatures with negative salt length

The `salt_len` field is signed because negative values are used to indicate
automatic salt lengths when generating signatures.  This must never be the
case when validating them.

Not checking this could lead to an integer overflow below.  The value is
assigned to the `len` field of a chunk (`size_t`), which is further used
in calculations to check the padding structure and (if that is passed by
a matching crafted signature value) eventually a memcpy() that will result
in a segmentation fault.

Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
Fixes: CVE-2021-41990

diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index f9bd1d314decfa083bd6d382ab189b45d88cd9a7..3a775090883e56fe1bc13b5364b7736b1e722722 100644 (file)
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
        int i;
        bool success = FALSE;
 
-       if (!params)
+       if (!params || params->salt_len < 0)
        {
                return FALSE;
        }