eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

RSA PSS: fix first byte check for keys of size 8N+1

Browse source 
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
This commit is contained in:
Gilles Peskine 2017-10-19 15:23:49 +02:00
parent 139108af94
commit b00b0da452
2 changed files with 11 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
library/rsa.c
View file

@ -1371,15 +1371,15 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
*/
msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
/* Compensate for boundary condition when applying mask */
if( msb % 8 == 0 )
{
p++;
siglen -= 1;
}
else
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( siglen < hlen + 2 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );