Directly return from final sha3/keccak_final if no bytes are requested

Requesting zero bytes from shake previously led to out-of-bounds write on some platforms. Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9433)
2019-08-05 16:53:16 +02:00 · 2019-08-05 16:53:16 +02:00 · a890ef833d
commit a890ef833d
parent 5be78a88aa
2 changed files with 7 additions and 2 deletions
--- a/crypto/sha/sha3.c
+++ b/crypto/sha/sha3.c
@ -89,6 +89,9 @@ int sha3_final(unsigned char *md, KECCAK1600_CTX *ctx)
    size_t bsz = ctx->block_size;
    size_t num = ctx->bufsz;

+    if (ctx->md_size == 0)
+        return 1;
+
    /*
     * Pad the data with 10*1. Note that |num| can be |bsz - 1|
     * in which case both byte operations below are performed on
--- a/providers/common/digests/sha3_prov.c
+++ b/providers/common/digests/sha3_prov.c
@ -90,10 +90,12 @@ static int keccak_update(void *vctx, const unsigned char *inp, size_t len)
 static int keccak_final(void *vctx, unsigned char *out, size_t *outl,
                        size_t outsz)
 {
-    int ret;
+    int ret = 1;
    KECCAK1600_CTX *ctx = vctx;

-    ret = ctx->meth.final(out, ctx);
+    if (outsz > 0)
+        ret = ctx->meth.final(out, ctx);
+
    *outl = ctx->md_size;
    return ret;
 }