
Copied from upstream nettle git repository.
Removed changes to ChangeLog, to allow this patch to apply to nettle-3.5.

From 7616541e6eff73353bf682c62e3a68e4fe696707 Mon Sep 17 00:00:00 2001
From: Niels Möller <nisse@lysator.liu.se>
Date: Thu, 6 May 2021 21:29:56 +0200
Subject: [PATCH] Add check that message length to _pkcs1_sec_decrypt is valid.

* pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message
length is valid, for given key size.
* testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for
calls to rsa_sec_decrypt specifying a too large message length.
---
 ChangeLog                        |  7 +++++++
 pkcs1-sec-decrypt.c              |  4 +++-
 testsuite/rsa-sec-decrypt-test.c | 17 ++++++++++++++++-
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/pkcs1-sec-decrypt.c b/pkcs1-sec-decrypt.c
index 4f13080e..16833691 100644
--- a/pkcs1-sec-decrypt.c
+++ b/pkcs1-sec-decrypt.c
@@ -63,7 +63,9 @@ _pkcs1_sec_decrypt (size_t length, uint8_t *message,
   volatile int ok;
   size_t i, t;
 
-  assert (padded_message_length >= length);
+  /* Message independent branch */
+  if (length + 11 > padded_message_length)
+    return 0;
 
   t = padded_message_length - length - 1;
 
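Review bot: The new guard `if (length + 11 > padded_message_length)` does its addition on the caller-supplied `length`, so a value within 11 of SIZE_MAX would wrap the sum, pass the check, and still reach the `t = padded_message_length - length - 1` subtraction the guard is meant to protect. Keeping the arithmetic on the key-size side avoids this: `if (padded_message_length < 11 || length > padded_message_length - 11) return 0;`. The comment `/* Message independent branch */` could also state why an early return is acceptable in this side-channel-hardened routine, for example `/* Depends only on the two lengths, not on the decrypted padding bytes. */`, assuming both lengths are public to the caller. The body of _pkcs1_sec_decrypt begins and continues outside the hunk.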
diff --git a/testsuite/rsa-sec-decrypt-test.c b/testsuite/rsa-sec-decrypt-test.c
index fb0ed3a1..3419322e 100644
--- a/testsuite/rsa-sec-decrypt-test.c
+++ b/testsuite/rsa-sec-decrypt-test.c
@@ -55,6 +55,7 @@ rsa_decrypt_for_test(const struct rsa_public_key *pub,
 #endif
 
 #define PAYLOAD_SIZE 50
+#define DECRYPTED_SIZE 256
 void
 test_main(void)
 {
@@ -63,7 +64,7 @@ test_main(void)
   struct knuth_lfib_ctx random_ctx;
 
   uint8_t plaintext[PAYLOAD_SIZE];
-  uint8_t decrypted[PAYLOAD_SIZE];
+  uint8_t decrypted[DECRYPTED_SIZE];
   uint8_t verifybad[PAYLOAD_SIZE];
   unsigned n_size = 1024;
   mpz_t gibberish;
@@ -99,6 +100,20 @@ test_main(void)
                                     PAYLOAD_SIZE, decrypted, gibberish) == 1);
       ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted));
 
+      ASSERT (pub.size > 10);
+      ASSERT (pub.size <= DECRYPTED_SIZE);
+
+      /* Check that too large message length is rejected, largest
+	 valid size is pub.size - 11. */
+      ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
+				     (nettle_random_func *) knuth_lfib_random,
+				     pub.size - 10, decrypted, gibberish));
+
+      /* This case used to result in arithmetic underflow and a crash. */
+      ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
+				     (nettle_random_func *) knuth_lfib_random,
+				     pub.size, decrypted, gibberish));
+
       /* bad one */
       memcpy(decrypted, verifybad, PAYLOAD_SIZE);
       nettle_mpz_random_size(garbage, &random_ctx,
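Review bot: The two added cases in test_main exercise only the rejecting side of the new length check (`pub.size - 10` and `pub.size`). Nothing visible here confirms that the largest valid length, `pub.size - 11`, is still accepted, so a guard that is off by one in the strict direction would pass this test. A round trip with a plaintext of exactly `pub.size - 11` bytes, asserting a return of 1 and MEMEQ on the output, would pin the boundary from both sides. The comment on the second case could name what underflowed, e.g. `/* length == pub.size made padded_message_length - length - 1 wrap around. */`. test_main continues outside the hunk, so such a case may already exist elsewhere.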
-- 
2.31.1

