From 1ee906143c0b0ebb6bcbeb87277833a665e79836 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Tue, 29 Oct 2024 19:41:02 +0100 Subject: [PATCH] APPS/pkeyutl: strengthen error message on too long sign/verify input Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22910) --- apps/pkeyutl.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 30a4259fe46e6..ca2575bc179cb 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -490,12 +490,14 @@ int pkeyutl_main(int argc, char **argv) /* Sanity check the input if the input is not raw */ if (!rawin - && buf_inlen > EVP_MAX_MD_SIZE - && (pkey_op == EVP_PKEY_OP_SIGN - || pkey_op == EVP_PKEY_OP_VERIFY)) { - BIO_printf(bio_err, - "Error: The input data looks too long to be a hash\n"); - goto end; + && (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY + || pkey_op == EVP_PKEY_OP_VERIFYRECOVER)) { + if (buf_inlen > EVP_MAX_MD_SIZE) { + BIO_printf(bio_err, + "Error: The non-raw input data length %d is too long - max supported hashed size is %d\n", + buf_inlen, EVP_MAX_MD_SIZE); + goto end; + } } if (pkey_op == EVP_PKEY_OP_VERIFY) {