@@ -1214,33 +1214,43 @@ int test_wc_RsaDecrypt_BoundsCheck(void)
12141214/*
12151215 * Oversized RSA modulus (mp_bitsused(n) > RSA_MAX_SIZE) must not overflow the
12161216 * static stack buffer used by RsaFunctionCheckIn (DECL_MP_INT_SIZE_DYN).
1217+ *
1218+ * The buffer is sized for RSA_MAX_SIZE digits, and NEW_MP_INT_SIZE would zero
1219+ * mp_bitsused(&key->n) digits of it -- so an oversized modulus must be
1220+ * caught by MP_BITS_OVER_MAX *before* NEW_MP_INT_SIZE is reached. We feed
1221+ * wc_RsaDirect() an input/output buffer matching the oversized modulus byte
1222+ * size so we get past wc_RsaDirect()'s inLen sanity check and reach the
1223+ * RsaFunctionCheckIn() guard inside wc_RsaFunction_ex().
12171224 */
12181225int test_wc_RsaFunctionCheckIn_OversizedModulus (void )
12191226{
12201227 EXPECT_DECLS ;
12211228#if !defined(NO_RSA ) && defined(WC_RSA_NO_PADDING ) && defined(WC_RSA_DIRECT ) && \
12221229 defined(WOLFSSL_PUBLIC_MP ) && !defined(NO_RSA_BOUNDS_CHECK ) && \
1230+ !defined(WOLFSSL_RSA_VERIFY_ONLY ) && !defined(TEST_UNPAD_CONSTANT_TIME ) && \
12231231 (defined(WOLFSSL_SP_MATH ) || defined(WOLFSSL_SP_MATH_ALL )) && \
12241232 !defined(WOLFSSL_SMALL_STACK ) && \
12251233 (defined(USE_CERT_BUFFERS_1024 ) || defined(USE_CERT_BUFFERS_2048 ))
1234+ /* Setting bit RSA_MAX_SIZE makes the modulus RSA_MAX_SIZE+1 bits, i.e.
1235+ * (RSA_MAX_SIZE/8 + 1) bytes -- size buffers accordingly with slack. */
1236+ #define WC_RSA_OVERSIZED_BUF_LEN ((RSA_MAX_SIZE / 8) + 8)
12261237 WC_RNG rng ;
12271238 RsaKey key ;
12281239 const byte * derKey ;
12291240 word32 derKeySz ;
12301241 word32 idx = 0 ;
1231- byte flatC [256 ];
1242+ byte flatC [WC_RSA_OVERSIZED_BUF_LEN ];
12321243 word32 flatCSz ;
1233- byte out [256 ];
1244+ byte out [WC_RSA_OVERSIZED_BUF_LEN ];
12341245 word32 outSz = sizeof (out );
1246+ int encSz ;
12351247
12361248 #ifdef USE_CERT_BUFFERS_1024
12371249 derKey = server_key_der_1024 ;
12381250 derKeySz = (word32 )sizeof_server_key_der_1024 ;
1239- flatCSz = 128 ;
12401251 #else
12411252 derKey = server_key_der_2048 ;
12421253 derKeySz = (word32 )sizeof_server_key_der_2048 ;
1243- flatCSz = 256 ;
12441254 #endif
12451255
12461256 XMEMSET (& key , 0 , sizeof (RsaKey ));
@@ -1251,12 +1261,22 @@ int test_wc_RsaFunctionCheckIn_OversizedModulus(void)
12511261 ExpectIntEQ (wc_RsaPrivateKeyDecode (derKey , & idx , & key , derKeySz ), 0 );
12521262 /* Force modulus bit count above RSA_MAX_SIZE. */
12531263 ExpectIntEQ (mp_set_bit (& key .n , RSA_MAX_SIZE ), 0 );
1254- XMEMSET (flatC , 0 , flatCSz );
1255- ExpectIntEQ (wc_RsaDirect (flatC , flatCSz , out , & outSz , & key ,
1256- RSA_PRIVATE_DECRYPT , & rng ), WC_NO_ERR_TRACE (WC_KEY_SIZE_E ));
1264+
1265+ /* Match wc_RsaDirect()'s inLen check so we actually reach
1266+ * RsaFunctionCheckIn() (where the MP_BITS_OVER_MAX guard lives). */
1267+ encSz = wc_RsaEncryptSize (& key );
1268+ ExpectIntGT (encSz , 0 );
1269+ ExpectIntLE (encSz , (int )sizeof (flatC ));
1270+ if (encSz > 0 && (size_t )encSz <= sizeof (flatC )) {
1271+ flatCSz = (word32 )encSz ;
1272+ XMEMSET (flatC , 0 , flatCSz );
1273+ ExpectIntEQ (wc_RsaDirect (flatC , flatCSz , out , & outSz , & key ,
1274+ RSA_PRIVATE_DECRYPT , & rng ), WC_NO_ERR_TRACE (WC_KEY_SIZE_E ));
1275+ }
12571276
12581277 DoExpectIntEQ (wc_FreeRsaKey (& key ), 0 );
12591278 DoExpectIntEQ (wc_FreeRng (& rng ), 0 );
1279+ #undef WC_RSA_OVERSIZED_BUF_LEN
12601280#endif
12611281 return EXPECT_RESULT ();
12621282} /* END test_wc_RsaFunctionCheckIn_OversizedModulus */
0 commit comments