From 03fbceb3f5f614426b0589072b3387360659a7be Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 28 Sep 2021 17:52:08 +0200
Subject: [PATCH] signature-params: Reject RSASSA-PSS params that result in
 negative salt len

The `salt_len` member in the struct is of type `ssize_t` because we use
negative values for special automatic salt lengths when generating
signatures.  This change ensures that `salt_len` will not overflow the
`len` fields of chunks (`size_t`), which could lead to integer overflows
when validating signatures (see the next commit).

Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
---
 src/libstrongswan/credentials/keys/signature_params.c  | 6 +++++-
 src/libstrongswan/tests/suites/test_signature_params.c | 6 ++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index d89bd2c96b..837de8443d 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
 			case RSASSA_PSS_PARAMS_SALT_LEN:
 				if (object.len)
 				{
-					params->salt_len = (size_t)asn1_parse_integer_uint64(object);
+					params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
+					if (params->salt_len < 0)
+					{
+						goto end;
+					}
 				}
 				break;
 			case RSASSA_PSS_PARAMS_TRAILER:
diff --git a/src/libstrongswan/tests/suites/test_signature_params.c b/src/libstrongswan/tests/suites/test_signature_params.c
index cbf1a28613..3b946a4e18 100644
--- a/src/libstrongswan/tests/suites/test_signature_params.c
+++ b/src/libstrongswan/tests/suites/test_signature_params.c
@@ -111,6 +111,12 @@ chunk_t rsa_pss_parse_invalid_tests[] = {
 	/* too long trailer */
 	chunk_from_chars(0x30,0x13,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x06,
 					 0xa3,0x04,0x02,0x02,0x01,0x01),
+	/* invalid salt causing a negative value */
+	chunk_from_chars(0x30,0x4d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0a,0x30,0x40,0xa0,
+					 0x0f,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,
+					 0xa1,0x1c,0x30,0x1a,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08,0x30,
+					 0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0xa2,0x0a,
+					 0x02,0x08,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xa3,0x03,0x02,0x01,0x01),
 };
 
 START_TEST(test_rsa_pss_params_parse_invalid)
-- 
2.47.2