Commit 17ef2916 authored by Ulf Möller's avatar Ulf Möller

Check tlen size in all padding_check functions. As called within the rsa

library, the output buffer always is large enough, but if the tlen
parameter is there, it should be checked in the interest of clarity,
as proposed by David Sacerdote <das33@cornell.edu>.
parent 261b5d96
+11 −1
@@ -79,7 +79,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
	*(p++)=0;
	*(p++)=1; /* Private Key BT (Block Type) */

	/* padd out with 0xff data */
	/* pad out with 0xff data */
	j=tlen-3-flen;
	memset(p,0xff,j);
	p+=j;
@@ -130,6 +130,11 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
		}
	i++; /* Skip over the '\0' */
	j-=i;
	if (j > tlen)
		{
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
		return(-1);
		}
	memcpy(to,p,(unsigned int)j);

	return(j);
@@ -207,6 +212,11 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
		}
	i++; /* Skip over the '\0' */
	j-=i;
	if (j > tlen)
		{
		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
		return(-1);
		}
	memcpy(to,p,(unsigned int)j);

	return(j);
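Review bot: The added guard `if (j > tlen)` in RSA_padding_check_PKCS1_type_1 bounds j only from above, while the very next line passes `(unsigned int)j` to memcpy, so a negative j would pass the guard and become a very large copy length. Whether j can be negative at this point depends on the padding scan, which lies outside the hunk. If it cannot, a comment such as `/* j >= 0 is guaranteed by the scan above */` would record the invariant the cast relies on; otherwise the guard could read `if (j < 0 || j > tlen)`. The same applies to the RSA_padding_check_PKCS1_type_2 hunk in this file and to the RSA_padding_check_SSLv23 hunk.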
+5 −0
@@ -142,6 +142,11 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, unsigned char *from,

	i++; /* Skip over the '\0' */
	j-=i;
	if (j > tlen)
		{
		RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE);
		return(-1);
		}
	memcpy(to,p,(unsigned int)j);

	return(j);
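Review bot: The new `RSA_R_DATA_TOO_LARGE` return in RSA_padding_check_SSLv23 is undocumented, and it adds a failure outcome that depends on the length of the recovered message, which presumably comes from a ciphertext the peer supplied. Callers should handle it like every other -1 from this function rather than reporting it separately, so the failure reason says nothing about the decrypted block. A comment above the check would make that explicit, for example `/* 'to' cannot hold the message; report like any other padding failure */`. The function's earlier checks are outside the hunk, so how their errors are reported cannot be compared from here; the same comment would fit the RSA_padding_check_PKCS1_type_2 hunk in the other file.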