[openssl] master update
Matt Caswell
matt at openssl.org
Tue Feb 16 15:54:28 UTC 2021
The branch master has been updated
via c913dbd7168393f7eab0dd6132d0d2581dd9e485 (commit)
via c9fb704cf3af5524eb8e79961e31b60eee8c3c47 (commit)
via c1ddd392cf9737c09c1f9bf690adfbe596403c5e (commit)
via d9461cbe87b91fec98c4ab99a6f47621390e4aa2 (commit)
via 4357b6174a165f43e5627eb587595f36c4156e4a (commit)
via 55869f594f052561b11a2db6a7c42690051868de (commit)
via 8130d654d1de922ea224fa18ee3bc7262edc39c0 (commit)
from c9e955dd50f30f46555ff837b0bbae63433cef40 (commit)
- Log -----------------------------------------------------------------
commit c913dbd7168393f7eab0dd6132d0d2581dd9e485
Author: Matt Caswell <matt at openssl.org>
Date: Tue Feb 16 12:04:52 2021 +0000
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit c9fb704cf3af5524eb8e79961e31b60eee8c3c47
Author: Matt Caswell <matt at openssl.org>
Date: Tue Feb 2 17:17:23 2021 +0000
Don't overflow the output length in EVP_CipherUpdate calls
CVE-2021-23840
Reviewed-by: Paul Dale <pauli at openssl.org>
commit c1ddd392cf9737c09c1f9bf690adfbe596403c5e
Author: Matt Caswell <matt at openssl.org>
Date: Fri Jan 22 16:50:11 2021 +0000
Fix rsa_test to properly test RSA_SSLV23_PADDING
We test all three cases:
- An SSLv2 only client talking to a TLS capable server
- A TLS capable client talking to an SSLv2 only server
- A TLS capable client talking to a TLS capable server (should fail due
to detecting a rollback attack)
Reviewed-by: Paul Dale <pauli at openssl.org>
commit d9461cbe87b91fec98c4ab99a6f47621390e4aa2
Author: Matt Caswell <matt at openssl.org>
Date: Fri Jan 22 16:38:50 2021 +0000
Fix the RSA_SSLV23_PADDING padding type
This also fixes the public function RSA_padding_check_SSLv23.
Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23
so that padding is rejected if the nul delimiter byte is not immediately
preceded by at least 8 bytes containing 0x03. Prior to that commit the
padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.
Presumably this change was made to be consistent with what it says in
appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
original behaviour was correct. This is fixed in later errata issued for
that RFC.
This has no impact on libssl for modern versions of OpenSSL because
there is no protocol support for SSLv2 in these versions. However
applications that call RSA_paddin_check_SSLv23 directly, or use the
RSA_SSLV23_PADDING mode may still be impacted. The effect of the original
error is that an RSA message encrypted by an SSLv2 only client will fail to
be decrypted properly by a TLS capable server, or a message encrypted by a
TLS capable client will fail to decrypt on an SSLv2 only server. Most
significantly an RSA message encrypted by a TLS capable client will be
successfully decrypted by a TLS capable server. This last case should fail
due to a rollback being detected.
Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
this issue.
CVE-2021-23839
Reviewed-by: Paul Dale <pauli at openssl.org>
commit 4357b6174a165f43e5627eb587595f36c4156e4a
Author: Matt Caswell <matt at openssl.org>
Date: Fri Jan 22 15:49:31 2021 +0000
Refactor rsa_test
Reduce code copying by factoring out common code into a separate function.
Reviewed-by: Paul Dale <pauli at openssl.org>
commit 55869f594f052561b11a2db6a7c42690051868de
Author: Matt Caswell <matt at openssl.org>
Date: Wed Feb 10 16:36:57 2021 +0000
Test that X509_issuer_and_serial_hash doesn't crash
Provide a certificate with a bad issuer and check that
X509_issuer_and_serial_hash doesn't crash.
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
commit 8130d654d1de922ea224fa18ee3bc7262edc39c0
Author: Matt Caswell <matt at openssl.org>
Date: Wed Feb 10 16:10:36 2021 +0000
Fix Null pointer deref in X509_issuer_and_serial_hash()
The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.
The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.
CVE-2021-23841
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 34 ++++++-
NEWS.md | 14 ++-
crypto/err/openssl.txt | 1 +
crypto/evp/evp_enc.c | 26 +++++
crypto/evp/evp_err.c | 4 +-
crypto/rsa/rsa_ssl.c | 10 +-
crypto/x509/x509_cmp.c | 2 +
.../x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 | Bin 0 -> 356852 bytes
fuzz/x509.c | 2 +
include/crypto/evperr.h | 2 +-
include/openssl/evperr.h | 1 +
test/rsa_test.c | 107 +++++++++------------
12 files changed, 136 insertions(+), 67 deletions(-)
create mode 100644 fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76
diff --git a/CHANGES.md b/CHANGES.md
index bda3c44aa1..e45cb3a1fd 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1487,9 +1487,39 @@ OpenSSL 3.0
OpenSSL 1.1.1
-------------
-### Changes between 1.1.1i and 1.1.1j [xx XXX xxxx]
+### Changes between 1.1.1j and 1.1.1k [xx XXX xxxx]
- * Fixed SRP_Calc_client_key so that it uses constant time. The previous
+### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
+
+ * Fixed the X509_issuer_and_serial_hash() function. It attempts to
+ create a unique hash value based on the issuer and serial number data
+ contained within an X509 certificate. However it was failing to correctly
+ handle any errors that may occur while parsing the issuer field (which might
+ occur if the issuer field is maliciously constructed). This may subsequently
+ result in a NULL pointer deref and a crash leading to a potential denial of
+ service attack.
+ ([CVE-2021-23841])
+
+ *Matt Caswell*
+
+ * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+ padding mode to correctly check for rollback attacks. This is considered a
+ bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
+ CVE-2021-23839.
+
+ *Matt Caswell*
+
+ Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
+ functions. Previously they could overflow the output length argument in some
+ cases where the input length is close to the maximum permissable length for
+ an integer on the platform. In such cases the return value from the function
+ call would be 1 (indicating success), but the output length value would be
+ negative. This could cause applications to behave incorrectly or crash.
+ ([CVE-2021-23840])
+
+ *Matt Caswell*
+
+ * Fixed SRP_Calc_client_key so that it runs in constant time. The previous
implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
could be exploited in a side channel attack to recover the password. Since
the attack is local host only this is outside of the current OpenSSL
diff --git a/NEWS.md b/NEWS.md
index 2028847247..342e6569f3 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -80,7 +80,19 @@ OpenSSL 3.0
OpenSSL 1.1.1
-------------
-### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [under development]
+### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [under development]
+
+### Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
+
+ * Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
+ function ([CVE-2021-23841])
+ * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+ padding mode to correctly check for rollback attacks
+ * Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
+ EVP_DecryptUpdate functions ([CVE-2021-23840])
+ * Fixed SRP_Calc_client_key so that it runs in constant time
+
+### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
* Fixed NULL pointer deref in GENERAL_NAME_cmp ([CVE-2020-1971])
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 0e4f017287..296aa6eaad 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -708,6 +708,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
operation not supported for this keytype
EVP_R_OPERATON_NOT_INITIALIZED:151:operation not initialized
+EVP_R_OUTPUT_WOULD_OVERFLOW:202:output would overflow
EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
EVP_R_PBKDF2_ERROR:181:pbkdf2 error
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index b804d74914..f049cb40bb 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -11,6 +11,7 @@
#define OPENSSL_SUPPRESS_DEPRECATED
#include <stdio.h>
+#include <limits.h>
#include <assert.h>
#include "internal/cryptlib.h"
#include <openssl/evp.h>
@@ -511,6 +512,18 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
return 1;
} else {
j = bl - i;
+
+ /*
+ * Once we've processed the first j bytes from in, the amount of
+ * data left that is a multiple of the block length is:
+ * (inl - j) & ~(bl - 1)
+ * We must ensure that this amount of data, plus the one block that
+ * we process from ctx->buf does not exceed INT_MAX
+ */
+ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW);
+ return 0;
+ }
memcpy(&(ctx->buf[i]), in, j);
inl -= j;
in += j;
@@ -771,6 +784,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
return 0;
}
+ /*
+ * final_used is only ever set if buf_len is 0. Therefore the maximum
+ * length output we will ever see from evp_EncryptDecryptUpdate is
+ * the maximum multiple of the block length that is <= inl, or just:
+ * inl & ~(b - 1)
+ * Since final_used has been set then the final output length is:
+ * (inl & ~(b - 1)) + b
+ * This must never exceed INT_MAX
+ */
+ if ((inl & ~(b - 1)) > INT_MAX - b) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW);
+ return 0;
+ }
memcpy(out, ctx->final, b);
out += b;
fix_len = 1;
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 33e60145fe..5d9b82c289 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -137,6 +137,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
"operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
"operation not initialized"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
+ "output would overflow"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
"parameter too large"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
@@ -153,7 +155,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
"set default property failure"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_MANY_RECORDS), "too many records"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNABLE_TO_ENABLE_LOCKING),
- "unable to enable parent locking"},
+ "unable to enable locking"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNABLE_TO_GET_MAXIMUM_REQUEST_SIZE),
"unable to get maximum request size"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNABLE_TO_GET_RANDOM_STRENGTH),
diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c
index 0feef0f655..f89a083095 100644
--- a/crypto/rsa/rsa_ssl.c
+++ b/crypto/rsa/rsa_ssl.c
@@ -68,7 +68,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
/*
* Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
- * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
+ * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
* preserves error code reporting for backward compatibility.
*/
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
@@ -135,7 +135,13 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
RSA_R_NULL_BEFORE_BLOCK_MISSING);
mask = ~good;
- good &= constant_time_ge(threes_in_row, 8);
+ /*
+ * Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note
+ * that RFC5246 incorrectly states this the other way around, i.e. reject
+ * if it is not preceded by 8 consecutive 0x03 bytes. However this is
+ * corrected in subsequent errata for that RFC.
+ */
+ good &= constant_time_lt(threes_in_row, 8);
err = constant_time_select_int(mask | good, err,
RSA_R_SSLV3_ROLLBACK_ATTACK);
mask = ~good;
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 8e525a3815..a74311e92d 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -44,6 +44,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
if (ctx == NULL)
goto err;
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
+ if (f == NULL)
+ goto err;
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
goto err;
if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
diff --git a/fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 b/fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76
new file mode 100644
index 0000000000..439c50b013
Binary files /dev/null and b/fuzz/corpora/x509/f5ded9e25448f6f47349d012eda2eb4fccbc7c76 differ
diff --git a/fuzz/x509.c b/fuzz/x509.c
index 858ad61bbf..bf2dfb826d 100644
--- a/fuzz/x509.c
+++ b/fuzz/x509.c
@@ -37,6 +37,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
X509_print(bio, x509);
BIO_free(bio);
+ X509_issuer_and_serial_hash(x509);
+
i2d_X509(x509, &der);
OPENSSL_free(der);
diff --git a/include/crypto/evperr.h b/include/crypto/evperr.h
index 2bfc71ad3c..9af2e903f3 100644
--- a/include/crypto/evperr.h
+++ b/include/crypto/evperr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index 48aa10b84a..a96c684f1f 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -97,6 +97,7 @@
# define EVP_R_ONLY_ONESHOT_SUPPORTED 177
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
# define EVP_R_OPERATON_NOT_INITIALIZED 151
+# define EVP_R_OUTPUT_WOULD_OVERFLOW 202
# define EVP_R_PARAMETER_TOO_LARGE 187
# define EVP_R_PARTIALLY_OVERLAPPING 162
# define EVP_R_PBKDF2_ERROR 181
diff --git a/test/rsa_test.c b/test/rsa_test.c
index 6badbc7076..f52053bda1 100644
--- a/test/rsa_test.c
+++ b/test/rsa_test.c
@@ -41,9 +41,8 @@
BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \
BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \
BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); \
- if (c == NULL) \
- return 0; \
- memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
+ if (c != NULL) \
+ memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
return sizeof(ctext_ex) - 1;
static int key1(RSA *key, unsigned char *c)
@@ -212,16 +211,7 @@ static int key3(RSA *key, unsigned char *c)
SetKey;
}
-static int pad_unknown(void)
-{
- unsigned long l;
- while ((l = ERR_get_error()) != 0)
- if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE)
- return 1;
- return 0;
-}
-
-static int rsa_setkey(RSA** key, unsigned char* ctext, int idx)
+static int rsa_setkey(RSA** key, unsigned char *ctext, int idx)
{
int clen = 0;
@@ -241,63 +231,72 @@ static int rsa_setkey(RSA** key, unsigned char* ctext, int idx)
return clen;
}
-static int test_rsa_pkcs1(int idx)
+static int test_rsa_simple(int idx, int en_pad_type, int de_pad_type,
+ int success, unsigned char *ctext_ex, int *clen,
+ RSA **retkey)
{
int ret = 0;
RSA *key;
unsigned char ptext[256];
unsigned char ctext[256];
static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
- unsigned char ctext_ex[256];
int plen;
- int clen = 0;
+ int clentmp = 0;
int num;
plen = sizeof(ptext_ex) - 1;
- clen = rsa_setkey(&key, ctext_ex, idx);
+ clentmp = rsa_setkey(&key, ctext_ex, idx);
+ if (clen != NULL)
+ *clen = clentmp;
- num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
- RSA_PKCS1_PADDING);
- if (!TEST_int_eq(num, clen))
+ num = RSA_public_encrypt(plen, ptext_ex, ctext, key, en_pad_type);
+ if (!TEST_int_eq(num, clentmp))
goto err;
- num = RSA_private_decrypt(num, ctext, ptext, key, RSA_PKCS1_PADDING);
- if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
- goto err;
+ num = RSA_private_decrypt(num, ctext, ptext, key, de_pad_type);
+ if (success) {
+ if (!TEST_int_gt(num, 0) || !TEST_mem_eq(ptext, num, ptext_ex, plen))
+ goto err;
+ } else {
+ if (!TEST_int_lt(num, 0))
+ goto err;
+ }
ret = 1;
+ if (retkey != NULL) {
+ *retkey = key;
+ key = NULL;
+ }
err:
RSA_free(key);
return ret;
}
+static int test_rsa_pkcs1(int idx)
+{
+ return test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_PKCS1_PADDING, 1, NULL,
+ NULL, NULL);
+}
+
static int test_rsa_sslv23(int idx)
{
- int ret = 0;
- RSA *key;
- unsigned char ptext[256];
- unsigned char ctext[256];
- static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
- unsigned char ctext_ex[256];
- int plen;
- int clen = 0;
- int num;
+ int ret;
- plen = sizeof(ptext_ex) - 1;
- clen = rsa_setkey(&key, ctext_ex, idx);
+ /* Simulate an SSLv2 only client talking to a TLS capable server */
+ ret = test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_SSLV23_PADDING, 1, NULL,
+ NULL, NULL);
- num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
- RSA_SSLV23_PADDING);
- if (!TEST_int_eq(num, clen))
- goto err;
+ /* Simulate a TLS capable client talking to an SSLv2 only server */
+ ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_PKCS1_PADDING, 1, NULL,
+ NULL, NULL);
- num = RSA_private_decrypt(num, ctext, ptext, key, RSA_SSLV23_PADDING);
- if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
- goto err;
+ /*
+ * Simulate a TLS capable client talking to a TLS capable server. Should
+ * fail due to detecting a rollback attack.
+ */
+ ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_SSLV23_PADDING, 0, NULL,
+ NULL, NULL);
- ret = 1;
-err:
- RSA_free(key);
return ret;
}
@@ -314,28 +313,16 @@ static int test_rsa_oaep(int idx)
int num;
int n;
- plen = sizeof(ptext_ex) - 1;
- clen = rsa_setkey(&key, ctext_ex, idx);
-
- num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
- RSA_PKCS1_OAEP_PADDING);
- if (num == -1 && pad_unknown()) {
- TEST_info("Skipping: No OAEP support");
- ret = 1;
- goto err;
- }
- if (!TEST_int_eq(num, clen))
+ if (!test_rsa_simple(idx, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_OAEP_PADDING, 1,
+ ctext_ex, &clen, &key))
goto err;
- num = RSA_private_decrypt(num, ctext, ptext, key,
- RSA_PKCS1_OAEP_PADDING);
- if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
- goto err;
+ plen = sizeof(ptext_ex) - 1;
/* Different ciphertexts. Try decrypting ctext_ex */
num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
RSA_PKCS1_OAEP_PADDING);
- if (!TEST_mem_eq(ptext, num, ptext_ex, plen))
+ if (num <= 0 || !TEST_mem_eq(ptext, num, ptext_ex, plen))
goto err;
/* Try decrypting corrupted ciphertexts. */
More information about the openssl-commits
mailing list