RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking operation results in an all-zero buffer. This could happen at any key size.
This commit is contained in:
Gilles Peskine
parent
28a0c72795
commit
6a54b0240d
3 changed files with 17 additions and 10 deletions
|
|
@ -1319,10 +1319,11 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|||
int ret;
|
||||
size_t siglen;
|
||||
unsigned char *p;
|
||||
unsigned char *hash_start;
|
||||
unsigned char result[MBEDTLS_MD_MAX_SIZE];
|
||||
unsigned char zeros[8];
|
||||
unsigned int hlen;
|
||||
size_t slen, msb;
|
||||
size_t observed_salt_len, msb;
|
||||
const mbedtls_md_info_t *md_info;
|
||||
mbedtls_md_context_t md_ctx;
|
||||
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
|
||||
|
|
@ -1364,7 +1365,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|||
hlen = mbedtls_md_get_size( md_info );
|
||||
if( siglen < hlen + 2 )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
slen = siglen - hlen - 1; /* Currently length of salt + padding */
|
||||
hash_start = buf + siglen - hlen - 1;
|
||||
|
||||
memset( zeros, 0, 8 );
|
||||
|
||||
|
|
@ -1379,6 +1380,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|||
p++;
|
||||
siglen -= 1;
|
||||
}
|
||||
else
|
||||
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
|
|
@ -1389,25 +1391,24 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|||
return( ret );
|
||||
}
|
||||
|
||||
mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
|
||||
mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
|
||||
|
||||
buf[0] &= 0xFF >> ( siglen * 8 - msb );
|
||||
|
||||
while( p < buf + siglen && *p == 0 )
|
||||
while( p < hash_start - 1 && *p == 0 )
|
||||
p++;
|
||||
|
||||
if( p == buf + siglen ||
|
||||
if( p == hash_start ||
|
||||
*p++ != 0x01 )
|
||||
{
|
||||
mbedtls_md_free( &md_ctx );
|
||||
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
|
||||
}
|
||||
|
||||
/* Actual salt len */
|
||||
slen -= p - buf;
|
||||
observed_salt_len = hash_start - p;
|
||||
|
||||
if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
|
||||
slen != (size_t) expected_salt_len )
|
||||
observed_salt_len != (size_t) expected_salt_len )
|
||||
{
|
||||
mbedtls_md_free( &md_ctx );
|
||||
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
|
||||
|
|
@ -1419,12 +1420,12 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
|||
mbedtls_md_starts( &md_ctx );
|
||||
mbedtls_md_update( &md_ctx, zeros, 8 );
|
||||
mbedtls_md_update( &md_ctx, hash, hashlen );
|
||||
mbedtls_md_update( &md_ctx, p, slen );
|
||||
mbedtls_md_update( &md_ctx, p, observed_salt_len );
|
||||
mbedtls_md_finish( &md_ctx, result );
|
||||
|
||||
mbedtls_md_free( &md_ctx );
|
||||
|
||||
if( memcmp( p + slen, result, hlen ) == 0 )
|
||||
if( memcmp( hash_start, result, hlen ) == 0 )
|
||||
return( 0 );
|
||||
else
|
||||
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue