From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Mon, 5 Aug 2019 14:53:16 +0000 (+0200)
Subject: Directly return from final sha3/keccak_final if no bytes are requested
X-Git-Tag: openssl-3.0.0-alpha1~1579
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=a890ef833d114da3430c2f2efd95e01714704d34;p=oweals%2Fopenssl.git

Directly return from final sha3/keccak_final if no bytes are requested

Requesting zero bytes from shake previously led to out-of-bounds write
on some platforms.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9433)
---

diff --git a/crypto/sha/sha3.c b/crypto/sha/sha3.c
index 19ef4266d0..fafa3556f3 100644
--- a/crypto/sha/sha3.c
+++ b/crypto/sha/sha3.c
@@ -89,6 +89,9 @@ int sha3_final(unsigned char *md, KECCAK1600_CTX *ctx)
     size_t bsz = ctx->block_size;
     size_t num = ctx->bufsz;
 
+    if (ctx->md_size == 0)
+        return 1;
+
     /*
      * Pad the data with 10*1. Note that |num| can be |bsz - 1|
      * in which case both byte operations below are performed on
diff --git a/providers/common/digests/sha3_prov.c b/providers/common/digests/sha3_prov.c
index 469a1606ff..17b15b7ca2 100644
--- a/providers/common/digests/sha3_prov.c
+++ b/providers/common/digests/sha3_prov.c
@@ -90,10 +90,12 @@ static int keccak_update(void *vctx, const unsigned char *inp, size_t len)
 static int keccak_final(void *vctx, unsigned char *out, size_t *outl,
                         size_t outsz)
 {
-    int ret;
+    int ret = 1;
     KECCAK1600_CTX *ctx = vctx;
 
-    ret = ctx->meth.final(out, ctx);
+    if (outsz > 0)
+        ret = ctx->meth.final(out, ctx);
+
     *outl = ctx->md_size;
     return ret;
 }