Merge branch for fix for #502 - Unchecked calls

2025-03-23 06:35:08 +00:00 · 2016-10-14 01:10:02 +01:00 · 2016-10-14 01:10:02 +01:00 · 60371454bd
parent 8a1a91f3da d1ebdf56be
commit 60371454bd
2 changed files with 25 additions and 5 deletions
--- a/6
+++ b/6
@ -7,7 +7,7 @@ Security
     with RFC5116 and could lead to session key recovery in very long TLS
     sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
     "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
-  * Fix potential stack corruption in mbedtls_x509write_crt_der() and
+   * Fix potential stack corruption in mbedtls_x509write_crt_der() and
     mbedtls_x509write_csr_der() when the signature is copied to the buffer
     without checking whether there is enough space in the destination. The
     issue cannot be triggered remotely. (found by Jethro Beekman)
@ -30,6 +30,10 @@ Bugfix
   * Fix documentation and implementation missmatch for function arguments of
     mbedtls_gcm_finish(). Found by cmiatpaar. #602
   * Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
+   * Fix missing return code check after call to md_init_ctx() that could
+     result in usage of invalid md_ctx in rsa_rsaes_oaep_encrypt(),
+     rsa_rsaes_oaep_decrypt(), rsa_rsassa_pss_sign() and
+     rsa_rsassa_pss_verify_ext(). Fixed by Brian J. Murray. #502

 Changes
   * Add compile time option for relaxed X509 time verification to enable
--- a/library/rsa.c
+++ b/library/rsa.c
@ -547,7 +547,11 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
    memcpy( p, input, ilen );

    md_init( &md_ctx );
-    md_init_ctx( &md_ctx, md_info );
+    if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
+    {
+        md_free( &md_ctx );
+        return( ret );
+    }

    // maskedDB: Apply dbMask to DB
    //
@ -728,7 +732,11 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );

    md_init( &md_ctx );
-    md_init_ctx( &md_ctx, md_info );
+    if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
+    {
+        md_free( &md_ctx );
+        return( ret );
+    }

    /* Generate lHash */
    md( md_info, label, label_len, lhash );
@ -974,7 +982,11 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
    p += slen;

    md_init( &md_ctx );
-    md_init_ctx( &md_ctx, md_info );
+    if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
+    {
+        md_free( &md_ctx );
+        return( ret );
+    }

    // Generate H = Hash( M' )
    //
@ -1247,7 +1259,11 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );

    md_init( &md_ctx );
-    md_init_ctx( &md_ctx, md_info );
+    if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
+    {
+        md_free( &md_ctx );
+        return( ret );
+    }

    mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );