From d99fe15d9e86c5a4c7546b58f94c9caed68b3953 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Tue, 28 Sep 2021 17:52:08 +0200 Subject: Reject RSASSA-PSS params with negative salt length The `salt_len` member in the struct is of type `ssize_t` because we use negative values for special automatic salt lengths when generating signatures. Not checking this could lead to an integer overflow. The value is assigned to the `len` field of a chunk (`size_t`), which is further used in calculations to check the padding structure and (if that is passed by a matching crafted signature value) eventually a memcpy() that will result in a segmentation fault. Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") Fixes: CVE-2021-41990 Signed-off-by: Daniil Baturin --- src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c') diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index f9bd1d314..3a7750908 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this, int i; bool success = FALSE; - if (!params) + if (!params || params->salt_len < 0) { return FALSE; } -- cgit v1.2.3