代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/strongswan 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 28 Sep 2021 17:52:08 +0200
Subject: [PATCH] Reject RSASSA-PSS params with negative salt length
The `salt_len` member in the struct is of type `ssize_t` because we use
negative values for special automatic salt lengths when generating
signatures.
Not checking this could lead to an integer overflow. The value is assigned
to the `len` field of a chunk (`size_t`), which is further used in
calculations to check the padding structure and (if that is passed by a
matching crafted signature value) eventually a memcpy() that will result
in a segmentation fault.
Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
Fixes: CVE-2021-41990
---
src/libstrongswan/credentials/keys/signature_params.c | 6 +++++-
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index d89bd2c96bb5..837de8443d43 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
case RSASSA_PSS_PARAMS_SALT_LEN:
if (object.len)
{
- params->salt_len = (size_t)asn1_parse_integer_uint64(object);
+ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
+ if (params->salt_len < 0)
+ {
+ goto end;
+ }
}
break;
case RSASSA_PSS_PARAMS_TRAILER:
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index f9bd1d314dec..3a775090883e 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
int i;
bool success = FALSE;
- if (!params)
+ if (!params || params->salt_len < 0)
{
return FALSE;
}
--
2.25.1
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手