This makes sense, ok bcook@
On Wed, Oct 17, 2018 at 6:28 PM Theo Buehler wrote:
> The spec, https://tools.ietf.org/html/rfc3394, section 2, states that
> we need at least two 64 bit blocks for wrapping and, accordingly, three
> 64 bit blocks for unwrapping. That is: we need at least 16 bytes for
> wrapping and 24 bytes for unwrapping.
>
> This also matches the lower bounds that OpenSSL have in their
> CRYPTO_128_{un,}wrap() functions.
>
> In fact, if we pass an input with 'inlen < 8' to AES_unwrap_key(),
> this results in a segfault since then inlen -= 8 underflows.
>
> Found while playing with the Wycheproof keywrap test vectors.
>
> Index: aes/aes_wrap.c
> ===
> RCS file: /var/cvs/src/lib/libcrypto/aes/aes_wrap.c,v
> retrieving revision 1.10
> diff -u -p -r1.10 aes_wrap.c
> --- aes/aes_wrap.c 10 Sep 2015 15:56:24 - 1.10
> +++ aes/aes_wrap.c 17 Oct 2018 23:12:19 -
> @@ -66,7 +66,8 @@ AES_wrap_key(AES_KEY *key, const unsigne
> {
> unsigned char *A, B[16], *R;
> unsigned int i, j, t;
> - if ((inlen & 0x7) || (inlen < 8))
> +
> + if ((inlen & 0x7) || (inlen < 16))
> return -1;
> A = B;
> t = 1;
> @@ -100,11 +101,10 @@ AES_unwrap_key(AES_KEY *key, const unsig
> {
> unsigned char *A, B[16], *R;
> unsigned int i, j, t;
> - inlen -= 8;
> - if (inlen & 0x7)
> - return -1;
> - if (inlen < 8)
> +
> + if ((inlen & 0x7) || (inlen < 24))
> return -1;
> + inlen -= 8;
> A = B;
> t = 6 * (inlen >> 3);
> memcpy(A, in, 8);
>
