diff --git a/ChangeLog b/ChangeLog
index cd4e206a3e..453ee25bdd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,7 @@ Bugfix
    * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
      Pégourié-Gonnard)
    * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
+   * Memory leak when using RSA_PKCS_V21 operations fixed
 Security
    * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
diff --git a/library/rsa.c b/library/rsa.c
index b36801ed43..0ddada2642 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -420,9 +420,6 @@ int rsa_pkcs1_encrypt( rsa_context *ctx,
             return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
         memset( output, 0, olen );
-        memset( &md_ctx, 0, sizeof( md_context_t ) );
-
-        md_init_ctx( &md_ctx, md_info );
         *p++ = 0;
@@ -441,6 +438,8 @@ int rsa_pkcs1_encrypt( rsa_context *ctx,
         *p++ = 1;
         memcpy( p, input, ilen );
+        md_init_ctx( &md_ctx, md_info );
+
         // maskedDB: Apply dbMask to DB
         //
         mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
@@ -450,6 +449,8 @@ int rsa_pkcs1_encrypt( rsa_context *ctx,
         //
         mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
                    &md_ctx );
+
+        md_free_ctx( &md_ctx );
         break;
 #endif
@@ -524,7 +525,6 @@ int rsa_pkcs1_decrypt( rsa_context *ctx,
             return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
         hlen = md_get_size( md_info );
-        memset( &md_ctx, 0, sizeof( md_context_t ) );
         md_init_ctx( &md_ctx, md_info );
@@ -543,6 +543,7 @@ int rsa_pkcs1_decrypt( rsa_context *ctx,
                    &md_ctx );
         p += hlen;
+        md_free_ctx( &md_ctx );
         // Check validity
         //
@@ -756,9 +757,6 @@ int rsa_pkcs1_sign( rsa_context *ctx,
             return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
         memset( sig, 0, olen );
-        memset( &md_ctx, 0, sizeof( md_context_t ) );
-
-        md_init_ctx( &md_ctx, md_info );
         msb = mpi_msb( &ctx->N ) - 1;
@@ -775,6 +773,8 @@ int rsa_pkcs1_sign( rsa_context *ctx,
         memcpy( p, salt, slen );
         p += slen;
+        md_init_ctx( &md_ctx, md_info );
+
         // Generate H = Hash( M' )
         //
         md_starts( &md_ctx );
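Review bot: In the `@@ -441,6 +438,8 @@` hunk the relocated `md_init_ctx( &md_ctx, md_info );` still discards its return value; the ChangeLog entry in this commit describes the bug as a memory leak, so md_init_ctx presumably allocates, and an allocation failure would leave md_ctx without a usable inner context when the mgf_mask calls that follow use it. The same unchecked call appears in the rsa_pkcs1_decrypt (`@@ -524,7 +525,6 @@`), rsa_pkcs1_sign (`@@ -775,6 +773,8 @@`) and rsa_pkcs1_verify (`@@ -981,6 +980,8 @@`) hunks. If md_init_ctx reports failure through a non-zero return, guard each call with `if( md_init_ctx( &md_ctx, md_info ) != 0 )` and return an error instead of continuing into mgf_mask with an uninitialised hash context. Dropping the `memset( &md_ctx, 0, sizeof( md_context_t ) )` before the init also assumes md_init_ctx fully initialises every field that md_free_ctx later reads; worth confirming against the md layer, which is not part of this diff. All four functions begin before and continue after their hunks.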
@@ -792,6 +792,8 @@ int rsa_pkcs1_sign( rsa_context *ctx,
         //
         mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
+        md_free_ctx( &md_ctx );
+
         msb = mpi_msb( &ctx->N ) - 1;
         sig[0] &= 0xFF >> ( olen * 8 - msb );
@@ -962,11 +964,8 @@ int rsa_pkcs1_verify( rsa_context *ctx,
         hlen = md_get_size( md_info );
         slen = siglen - hlen - 1;
-        memset( &md_ctx, 0, sizeof( md_context_t ) );
         memset( zeros, 0, 8 );
-        md_init_ctx( &md_ctx, md_info );
-
         // Note: EMSA-PSS verification is over the length of N - 1 bits
         //
         msb = mpi_msb( &ctx->N ) - 1;
@@ -981,6 +980,8 @@ int rsa_pkcs1_verify( rsa_context *ctx,
         if( buf[0] >> ( 8 - siglen * 8 + msb ) )
             return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+        md_init_ctx( &md_ctx, md_info );
+
         mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen,
                    &md_ctx );
         buf[0] &= 0xFF >> ( siglen * 8 - msb );
@@ -988,11 +989,12 @@ int rsa_pkcs1_verify( rsa_context *ctx,
         while( *p == 0 && p < buf + siglen )
             p++;
-        if( p == buf + siglen )
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-        if( *p++ != 0x01 )
+        if( p == buf + siglen ||
+            *p++ != 0x01 )
+        {
+            md_free_ctx( &md_ctx );
             return( POLARSSL_ERR_RSA_INVALID_PADDING );
+        }
         slen -= p - buf;
@@ -1004,6 +1006,8 @@ int rsa_pkcs1_verify( rsa_context *ctx,
         md_update( &md_ctx, p, slen );
         md_finish( &md_ctx, result );
+        md_free_ctx( &md_ctx );
+
         if( memcmp( p + slen, result, hlen ) == 0 )
             return( 0 );
         else
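Review bot: The context line `while( *p == 0 && p < buf + siglen )` in the `@@ -988,11 +989,12 @@` hunk dereferences p before comparing it with the end of the signature, so when the unmasked DB is all zeros the final iteration reads buf[siglen] before the bound test stops the loop — past the signature data and, if buf is sized exactly siglen, past the array. This is pre-existing, but since the hunk already rewrites the lines directly below it, swapping the operands to `while( p < buf + siglen && *p == 0 )` closes it at no cost. The merged `p == buf + siglen || *p++ != 0x01` condition is correct as written, because `||` short-circuits and `*p++` is never evaluated at the end of the buffer. The new-file lines between this hunk and the `md_free_ctx( &md_ctx );` added in `@@ -1004,6 +1006,8 @@` are not in the diff; if any early return sits there, md_ctx would still leak on that path. rsa_pkcs1_verify begins before and ends after these hunks.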