From: Niels Möller Date: Thu, 6 May 2021 19:30:23 +0000 (+0200) Subject: Add check that message length to _pkcs1_sec_decrypt is valid. X-Git-Tag: nettle_3.8_release_20220602~118 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd6d9ba7ca92912762c072fcf74490bc5d63d633;p=thirdparty%2Fnettle.git Add check that message length to _pkcs1_sec_decrypt is valid. * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message length is valid, for given key size. * testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for calls to rsa_sec_decrypt specifying a too large message length. (cherry picked from commit 7616541e6eff73353bf682c62e3a68e4fe696707) --- diff --git a/ChangeLog b/ChangeLog index 29d279c3..2538e6c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2021-05-06 Niels Möller + + Bug fixes merged from from 3.7.3 release (starting from 2021-05-06). + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message + length is valid, for given key size. + * testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for + calls to rsa_sec_decrypt specifying a too large message length. + 2021-05-23 Niels Möller From Nicolas Mora: Implement aes key wrap and key unwrap (RFC 3394). diff --git a/pkcs1-sec-decrypt.c b/pkcs1-sec-decrypt.c index 4f13080e..16833691 100644 --- a/pkcs1-sec-decrypt.c +++ b/pkcs1-sec-decrypt.c @@ -63,7 +63,9 @@ _pkcs1_sec_decrypt (size_t length, uint8_t *message, volatile int ok; size_t i, t; - assert (padded_message_length >= length); + /* Message independent branch */ + if (length + 11 > padded_message_length) + return 0; t = padded_message_length - length - 1; diff --git a/testsuite/rsa-sec-decrypt-test.c b/testsuite/rsa-sec-decrypt-test.c index fb0ed3a1..3419322e 100644 --- a/testsuite/rsa-sec-decrypt-test.c +++ b/testsuite/rsa-sec-decrypt-test.c @@ -55,6 +55,7 @@ rsa_decrypt_for_test(const struct rsa_public_key *pub, #endif #define PAYLOAD_SIZE 50 +#define DECRYPTED_SIZE 256 void test_main(void) { @@ -63,7 +64,7 @@ test_main(void) struct knuth_lfib_ctx random_ctx; uint8_t plaintext[PAYLOAD_SIZE]; - uint8_t decrypted[PAYLOAD_SIZE]; + uint8_t decrypted[DECRYPTED_SIZE]; uint8_t verifybad[PAYLOAD_SIZE]; unsigned n_size = 1024; mpz_t gibberish; @@ -99,6 +100,20 @@ test_main(void) PAYLOAD_SIZE, decrypted, gibberish) == 1); ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted)); + ASSERT (pub.size > 10); + ASSERT (pub.size <= DECRYPTED_SIZE); + + /* Check that too large message length is rejected, largest + valid size is pub.size - 11. */ + ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx, + (nettle_random_func *) knuth_lfib_random, + pub.size - 10, decrypted, gibberish)); + + /* This case used to result in arithmetic underflow and a crash. */ + ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx, + (nettle_random_func *) knuth_lfib_random, + pub.size, decrypted, gibberish)); + /* bad one */ memcpy(decrypted, verifybad, PAYLOAD_SIZE); nettle_mpz_random_size(garbage, &random_ctx,