diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2021-06-28 17:48:47 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2021-09-27 15:59:58 +0900 |
commit | b8eed2b9b93a98af34d14856def66ee4a062a1f9 (patch) | |
tree | 7648e48bc19b14083bee24ed845980c5820390d0 /ext | |
parent | 87887fec2a2e973ed4e05187f7d05a4cb6d92eaa (diff) | |
download | ruby-openssl-b8eed2b9b93a98af34d14856def66ee4a062a1f9.tar.gz |
pkey: use RSTRING_LENINT() instead of casting to intky/pkey-ec-verify-overflow
RSTRING_LENINT() checks the range of int and raises an exception as
necessary. OpenSSL::PKey::EC#dsa_verify_asn1 currently does not do this,
and giving a too big string to it can trigger a surprising behavior:
ec.dsa_verify_asn1(digest, signature) #=> true
ec.dsa_verify_asn1(digest, signature + "x" * 2**32) #=> true
Reference: https://hackerone.com/reports/1246050
Diffstat (limited to 'ext')
-rw-r--r-- | ext/openssl/ossl_pkey_ec.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c index 8bb61124..b47678dc 100644 --- a/ext/openssl/ossl_pkey_ec.c +++ b/ext/openssl/ossl_pkey_ec.c @@ -653,15 +653,15 @@ static VALUE ossl_ec_key_dsa_verify_asn1(VALUE self, VALUE data, VALUE sig) StringValue(data); StringValue(sig); - switch (ECDSA_verify(0, (unsigned char *) RSTRING_PTR(data), RSTRING_LENINT(data), (unsigned char *) RSTRING_PTR(sig), (int)RSTRING_LEN(sig), ec)) { - case 1: return Qtrue; - case 0: return Qfalse; - default: break; + switch (ECDSA_verify(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data), + (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), ec)) { + case 1: + return Qtrue; + case 0: + return Qfalse; + default: + ossl_raise(eECError, "ECDSA_verify"); } - - ossl_raise(eECError, "ECDSA_verify"); - - UNREACHABLE; } /* |