From a82fdf2fcec9f44c7ea06b8d903e57041ae3e873 Mon Sep 17 00:00:00 2001 From: Daniel Wyatt Date: Sun, 26 May 2019 18:58:58 -0400 Subject: Fix PKCS#11 C_Decrypt buffer output size. Section 5.2 of the spec states that there are two ways to call functions that return a variable-length buffer: 1. When the output buffer is NULL, an estimated size is returned (which may be larger than required). 2. When the output buffer is not NULL, the exact size must be returned. So only after the second call to C_Decrypt has the final output size been determined, and we must resize the output buffer. --- src/lib/prov/pkcs11/p11.h | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'src/lib/prov') diff --git a/src/lib/prov/pkcs11/p11.h b/src/lib/prov/pkcs11/p11.h index 043b1795a..9afedb8c6 100644 --- a/src/lib/prov/pkcs11/p11.h +++ b/src/lib/prov/pkcs11/p11.h @@ -1950,11 +1950,16 @@ class BOTAN_PUBLIC_API(2,0) LowLevel } decrypted_data.resize(decrypted_size); - return C_Decrypt(session, - const_cast(encrypted_data.data()), - static_cast(encrypted_data.size()), - decrypted_data.data(), - &decrypted_size, return_value); + if(!C_Decrypt(session, + const_cast(encrypted_data.data()), + static_cast(encrypted_data.size()), + decrypted_data.data(), + &decrypted_size, return_value)) + { + return false; + } + decrypted_data.resize(decrypted_size); + return true; } /** -- cgit v1.2.3