Reject RSASSA-PSS params with negative salt length

The `salt_len` member in the struct is of type `ssize_t` because we use
negative values for special automatic salt lengths when generating
signatures.

Not checking this could lead to an integer overflow.  The value is assigned
to the `len` field of a chunk (`size_t`), which is further used in
calculations to check the padding structure and (if that is passed by a
matching crafted signature value) eventually a memcpy() that will result
in a segmentation fault.

Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
Fixes: CVE-2021-41990
Signed-off-by: Daniil Baturin <daniil@baturin.org>

2 files changed, 6 insertions, 2 deletions

diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index d89bd2c96..837de8443 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
 			case RSASSA_PSS_PARAMS_SALT_LEN:
 				if (object.len)
 				{
-					params->salt_len = (size_t)asn1_parse_integer_uint64(object);
+					params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
+					if (params->salt_len < 0)
+					{
+						goto end;
+					}
 				}
 				break;
 			case RSASSA_PSS_PARAMS_TRAILER:
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index f9bd1d314..3a7750908 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
 	int i;
 	bool success = FALSE;
 
-	if (!params)
+	if (!params || params->salt_len < 0)
 	{
 		return FALSE;
 	}