Add check that message length to _pkcs1_sec_decrypt is valid.

author Niels Möller <nisse@lysator.liu.se>

Thu, 6 May 2021 19:30:23 +0000 (21:30 +0200)

committer Niels Möller <nisse@lysator.liu.se>

Tue, 8 Jun 2021 19:29:50 +0000 (21:29 +0200)
author Niels Möller <nisse@lysator.liu.se>
Thu, 6 May 2021 19:30:23 +0000 (21:30 +0200)
committer Niels Möller <nisse@lysator.liu.se>
Tue, 8 Jun 2021 19:29:50 +0000 (21:29 +0200)
diff --git a/ChangeLog b/ChangeLog

index 29d279c3031f3eccdc19ca822fa1f567259f6f70..2538e6c5b6fd3d7c1c9ca038a2c0299982b32b91 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2021-05-06  Niels Möller  <nisse@lysator.liu.se>
+
+       Bug fixes merged from from 3.7.3 release (starting from 2021-05-06).
+       * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message
+       length is valid, for given key size.
+       * testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for
+       calls to rsa_sec_decrypt specifying a too large message length.
+
  2021-05-23  Niels Möller  <nisse@lysator.liu.se>
  
         From Nicolas Mora: Implement aes key wrap and key unwrap (RFC 3394).
diff --git a/pkcs1-sec-decrypt.c b/pkcs1-sec-decrypt.c

index 4f13080e3e90385c43d72bad627c0b052d3e60cd..16833691f59ac1447ff58afd758a2e042ffaef01 100644 (file)
--- a/pkcs1-sec-decrypt.c
+++ b/pkcs1-sec-decrypt.c
@@ -63,7 +63,9 @@ _pkcs1_sec_decrypt (size_t length, uint8_t *message,
    volatile int ok;
    size_t i, t;
  
-  assert (padded_message_length >= length);
+  /* Message independent branch */
+  if (length + 11 > padded_message_length)
+    return 0;
  
    t = padded_message_length - length - 1;
  
diff --git a/testsuite/rsa-sec-decrypt-test.c b/testsuite/rsa-sec-decrypt-test.c

index fb0ed3a1886007fed53fd467d60968cda5007aa8..3419322eeecb08f2ba05abfab39eeb0c279b24ef 100644 (file)
--- a/testsuite/rsa-sec-decrypt-test.c
+++ b/testsuite/rsa-sec-decrypt-test.c
@@ -55,6 +55,7 @@ rsa_decrypt_for_test(const struct rsa_public_key *pub,
  #endif
  
  #define PAYLOAD_SIZE 50
+#define DECRYPTED_SIZE 256
  void
  test_main(void)
  {
@@ -63,7 +64,7 @@ test_main(void)
    struct knuth_lfib_ctx random_ctx;
  
    uint8_t plaintext[PAYLOAD_SIZE];
-  uint8_t decrypted[PAYLOAD_SIZE];
+  uint8_t decrypted[DECRYPTED_SIZE];
    uint8_t verifybad[PAYLOAD_SIZE];
    unsigned n_size = 1024;
    mpz_t gibberish;
@@ -99,6 +100,20 @@ test_main(void)
                                      PAYLOAD_SIZE, decrypted, gibberish) == 1);
        ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted));
  
+      ASSERT (pub.size > 10);
+      ASSERT (pub.size <= DECRYPTED_SIZE);
+
+      /* Check that too large message length is rejected, largest
+        valid size is pub.size - 11. */
+      ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
+                                    (nettle_random_func *) knuth_lfib_random,
+                                    pub.size - 10, decrypted, gibberish));
+
+      /* This case used to result in arithmetic underflow and a crash. */
+      ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
+                                    (nettle_random_func *) knuth_lfib_random,
+                                    pub.size, decrypted, gibberish));
+
        /* bad one */
        memcpy(decrypted, verifybad, PAYLOAD_SIZE);
        nettle_mpz_random_size(garbage, &random_ctx,
author	Niels Möller <nisse@lysator.liu.se>
	Thu, 6 May 2021 19:30:23 +0000 (21:30 +0200)
committer	Niels Möller <nisse@lysator.liu.se>
	Tue, 8 Jun 2021 19:29:50 +0000 (21:29 +0200)
ChangeLog		patch \| blob \| blame \| history
pkcs1-sec-decrypt.c		patch \| blob \| blame \| history
testsuite/rsa-sec-decrypt-test.c		patch \| blob \| blame \| history