Fix bounds check in RSA_verify_PKCS1_PSS_mgf1 when sLen is -2.
(Imported from upstream's 04cf39207f94abf89b3964c7710f22f829a1a78f.)
The other half of the change was fixed earlier, but this logic was still
off. This code is kind of a mess and needs a rewrite, but import the
change to get it correct and sufficiently tested first.
(If we could take the sLen = -2 case away altogether, that would be
great...)
Change-Id: I5786e980f26648822633fc216315e8f77ed4d45b
Reviewed-on: https://boringssl-review.googlesource.com/14321
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/evp/evp_tests.txt b/crypto/evp/evp_tests.txt
index 1d57bd5..48121f9 100644
--- a/crypto/evp/evp_tests.txt
+++ b/crypto/evp/evp_tests.txt
@@ -277,14 +277,13 @@
Output = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Error = DATA_TOO_LARGE
-# TODO(davidben): Add this as a regression test once upstream's fix is imported.
-# Verify = RSA-512
-# RSAPadding = PSS
-# PSSSaltLength = -2
-# Digest = SHA512
-# Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
-# Output = 457001d9ca50a93385fc5ec721c9dbbe7a0f2e9e4a2f846a30a8811dde66347b83901c7492039243537c7a667fafffd69049bcbd36afd0010d9b425e2d8785c1
-# Error = DATA_TOO_LARGE
+Verify = RSA-512
+RSAPadding = PSS
+PSSSaltLength = -2
+Digest = SHA512
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 457001d9ca50a93385fc5ec721c9dbbe7a0f2e9e4a2f846a30a8811dde66347b83901c7492039243537c7a667fafffd69049bcbd36afd0010d9b425e2d8785c1
+Error = DATA_TOO_LARGE
# RSA decrypt
diff --git a/crypto/rsa/padding.c b/crypto/rsa/padding.c
index 3ed19ad..678457b 100644
--- a/crypto/rsa/padding.c
+++ b/crypto/rsa/padding.c
@@ -530,7 +530,7 @@
EM++;
emLen--;
}
- if (emLen < ((int)hLen + sLen + 2)) {
+ if (emLen < (int)hLen + 2 || emLen < ((int)hLen + sLen + 2)) {
/* sLen can be small negative */
OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
goto err;