From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 28 Sep 2021 16:00:01 +0000 (+0200)
Subject: gmp: Reject RSASSA-PSS signatures with negative salt length
X-Git-Tag: 5.9.4~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=234302a108b490635fb961ebd1404340c46cefc3;p=thirdparty%2Fstrongswan.git

gmp: Reject RSASSA-PSS signatures with negative salt length

The `salt_len` field is signed because negative values are used to indicate
automatic salt lengths when generating signatures.  This must never be the
case when validating them.

Not checking this could lead to an integer overflow below.  The value is
assigned to the `len` field of a chunk (`size_t`), which is further used
in calculations to check the padding structure and (if that is passed by
a matching crafted signature value) eventually a memcpy() that will result
in a segmentation fault.

Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
Fixes: CVE-2021-41990
---

diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index f9bd1d314d..3a77509088 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
 	int i;
 	bool success = FALSE;
 
-	if (!params)
+	if (!params || params->salt_len < 0)
 	{
 		return FALSE;
 	}