Directly return from final sha3/keccak_final if no bytes are requested

Requesting zero bytes from shake previously led to out-of-bounds write
on some platforms.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9433)

diff --git a/crypto/sha/sha3.c b/crypto/sha/sha3.c
index 19ef4266d066ee559d1a5fbe5669a8e44e0eff24..fafa3556f3d6b1708b1d270d2d68fe077b48fae6 100644 (file)
--- a/crypto/sha/sha3.c
+++ b/crypto/sha/sha3.c
@@ -89,6 +89,9 @@ int sha3_final(unsigned char *md, KECCAK1600_CTX *ctx)
     size_t bsz = ctx->block_size;
     size_t num = ctx->bufsz;
 
+    if (ctx->md_size == 0)
+        return 1;
+
     /*
      * Pad the data with 10*1. Note that |num| can be |bsz - 1|
      * in which case both byte operations below are performed on

diff --git a/providers/common/digests/sha3_prov.c b/providers/common/digests/sha3_prov.c
index 469a1606ff3f77ee9807b40df6554bf30f00af9b..17b15b7ca22f86e20d12adac7c550c3c077b4393 100644 (file)
--- a/providers/common/digests/sha3_prov.c
+++ b/providers/common/digests/sha3_prov.c
@@ -90,10 +90,12 @@ static int keccak_update(void *vctx, const unsigned char *inp, size_t len)
 static int keccak_final(void *vctx, unsigned char *out, size_t *outl,
                         size_t outsz)
 {
-    int ret;
+    int ret = 1;
     KECCAK1600_CTX *ctx = vctx;
 
-    ret = ctx->meth.final(out, ctx);
+    if (outsz > 0)
+        ret = ctx->meth.final(out, ctx);
+
     *outl = ctx->md_size;
     return ret;
 }