Headline
CVE-2022-38493: Fix rsa oaep key length check before decryption · babelouest/rhonabwy@dd528b3
Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn’t check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token.
@@ -364,6 +364,11 @@ rsa_oaep_sha1_decrypt(const struct rsa_private_key *key,
int res;
struct sha1_ctx ctx;
if (nettle_mpz_sizeinbase_256_u (gibberish) > key->size ||
key->size < (2*SHA1_DIGEST_SIZE)+2) {
return 0;
}
mpz_init(m);
rsa_compute_root(key, m, gibberish);
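Review bot: The guard added at the top of rsa_oaep_sha1_decrypt has no comment explaining its two conditions, and the bound `(2*SHA1_DIGEST_SIZE)+2` reads as a magic number to anyone who does not have the OAEP decoding rules in mind. I would add a comment above the `if`, such as `/* RFC 8017 7.1.2 length checks: ciphertext must fit the modulus, and the modulus must hold at least 2*hLen+2 bytes */`. It is also worth stating that the check must stay ahead of `rsa_compute_root`, so a later refactor does not move it below the private-key operation. The function body starts and ends outside the hunk.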
@@ -384,6 +389,11 @@ rsa_oaep_sha256_decrypt(const struct rsa_private_key *key,
int res;
struct sha256_ctx ctx;
if (nettle_mpz_sizeinbase_256_u (gibberish) > key->size ||
key->size < (2*SHA1_DIGEST_SIZE)+2) {
return 0;
}
mpz_init(m);
rsa_compute_root(key, m, gibberish);
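Review bot: The guard added to rsa_oaep_sha256_decrypt compares `key->size` against `(2*SHA1_DIGEST_SIZE)+2`, which is the SHA-1 bound of 42 bytes, apparently carried over from the rsa_oaep_sha1_decrypt hunk. For OAEP with SHA-256 the minimum modulus length is 2*32+2 = 66 bytes, so a key between 42 and 65 bytes still passes and reaches `rsa_compute_root` and the unpadding that follows. That is presumably the undersized-key case this commit is meant to reject. The second line of the condition should read `key->size < (2*SHA256_DIGEST_SIZE)+2) {`. The rest of the function is outside the hunk, so the exact effect on the unpadding code cannot be confirmed from here.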