From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Mon, 5 Aug 2019 14:53:16 +0000 (+0200)
Subject: Directly return from final sha3/keccak_final if no bytes are requested
X-Git-Tag: OpenSSL_1_1_1d~54
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6087d4a6fb1877c668dcf934da6a2f9e402dff1d;p=oweals%2Fopenssl.git

Directly return from final sha3/keccak_final if no bytes are requested

Requesting zero bytes from shake previously led to out-of-bounds write
on some platforms.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9433)

(cherry picked from commit a890ef833d114da3430c2f2efd95e01714704d34)
---

diff --git a/crypto/evp/m_sha3.c b/crypto/evp/m_sha3.c
index 31379c0f6b..b6bbf58211 100644
--- a/crypto/evp/m_sha3.c
+++ b/crypto/evp/m_sha3.c
@@ -108,6 +108,9 @@ static int sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
     size_t bsz = ctx->block_size;
     size_t num = ctx->num;
 
+    if (ctx->md_size == 0)
+        return 1;
+
     /*
      * Pad the data with 10*1. Note that |num| can be |bsz - 1|
      * in which case both byte operations below are performed on