diff --git a/ChangeLog b/ChangeLog
index c6cb0e9cb..92410a373 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,7 +7,7 @@ Security
 with RFC5116 and could lead to session key recovery in very long TLS sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic - "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
- * Fix potential stack corruption in mbedtls_x509write_crt_der() and
+ * Fix potential stack corruption in mbedtls_x509write_crt_der() and
 mbedtls_x509write_csr_der() when the signature is copied to the buffer without checking whether there is enough space in the destination. The issue cannot be triggered remotely. (found by Jethro Beekman)
@@ -30,6 +30,10 @@ Bugfix
 * Fix documentation and implementation missmatch for function arguments of mbedtls_gcm_finish(). Found by cmiatpaar. #602
 * Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
+ * Fix missing return code check after call to md_init_ctx() that could
+ result in usage of invalid md_ctx in rsa_rsaes_oaep_encrypt(),
+ rsa_rsaes_oaep_decrypt(), rsa_rsassa_pss_sign() and
+ rsa_rsassa_pss_verify_ext(). Fixed by Brian J. Murray. #502
 Changes
 * Add compile time option for relaxed X509 time verification to enable
diff --git a/library/rsa.c b/library/rsa.c
index bf77cb5b9..79726c1b5 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -547,7 +547,11 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
 memcpy( p, input, ilen );
 md_init( &md_ctx );
- md_init_ctx( &md_ctx, md_info );
+ if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
+ {
+ md_free( &md_ctx );
+ return( ret );
+ }
 // maskedDB: Apply dbMask to DB
 //
@@ -728,7 +732,11 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 md_init( &md_ctx );
- md_init_ctx( &md_ctx, md_info );
+ if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
+ {
+ md_free( &md_ctx );
+ return( ret );
+ }
 /* Generate lHash */
 md( md_info, label, label_len, lhash );
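Review bot: The new error path in rsa_rsaes_oaep_encrypt() returns while the caller's output buffer still holds the unmasked data block, because `memcpy( p, input, ilen )` two lines above has already copied the plaintext message into it and the maskedDB step that would hide it never runs. If `p` points into the `output` parameter as that memcpy suggests (the function's prologue and the rest of its body are outside the hunk), it is worth wiping the destination before bailing out, e.g. `memset( output, 0, ctx->len );` ahead of `return( ret );`, so a caller that ignores the return code is not left holding its own plaintext in the ciphertext buffer. The identical five-line guard is added verbatim in the three later hunks (rsa_rsaes_oaep_decrypt, rsa_rsassa_pss_sign, rsa_rsassa_pss_verify_ext); a small static helper wrapping the md_init/md_init_ctx/md_free sequence would keep the four copies from drifting apart.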
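Review bot: The guard now catches md_init_ctx() failing, but the next call on the new side, `md( md_info, label, label_len, lhash );`, still discards its return value, so the hunk is inconsistent about which md-layer results it trusts. In this code base md() appears to fail only for a NULL md_info, which the `return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );` at the top of the hunk has presumably already ruled out, so this is likely harmless today; checking it the same way, `if( ( ret = md( md_info, label, label_len, lhash ) ) != 0 ) { md_free( &md_ctx ); return( ret ); }`, keeps lhash from being consumed uninitialised if md() ever gains other failure modes. rsa_rsaes_oaep_decrypt() begins and ends outside the hunk.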
@@ -974,7 +982,11 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
 p += slen;
 md_init( &md_ctx );
- md_init_ctx( &md_ctx, md_info );
+ if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
+ {
+ md_free( &md_ctx );
+ return( ret );
+ }
 // Generate H = Hash( M' )
 //
@@ -1247,7 +1259,11 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 md_init( &md_ctx );
- md_init_ctx( &md_ctx, md_info );
+ if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
+ {
+ md_free( &md_ctx );
+ return( ret );
+ }
 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );