RSA PSS: fix first byte check for keys of size 8N+1 For a key of size 8N+1, check that the first byte after applying the public key operation is 0 (it could have been 1 instead). The code was incorrectly doing a no-op check instead, which led to invalid signatures being accepted. Not a security flaw, since you would need the private key to craft such an invalid signature, but a bug nonetheless.

commit: 31a2d14b92be6bbf66f3103bbdb04fb3aa26d72f [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Thu Oct 19 15:23:49 2017 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Thu Oct 19 15:43:53 2017 +0200
tree: e3f04cb0e4e6f55d272ea449612c2fe630a086a0
parent: 9e2058281daa77d88cdf17d63cf30dbeaf39905b [diff] [blame]
diff --git a/library/rsa.c b/library/rsa.c
index 8933aa1..d923bc9 100644
--- a/library/rsa.c
+++ b/library/rsa.c

@@ -1377,16 +1377,15 @@
     //
     msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
 
-    // Compensate for boundary condition when applying mask
-    //
+    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /* Compensate for boundary condition when applying mask */
     if( msb % 8 == 0 )
     {
         p++;
         siglen -= 1;
     }
-    else
-    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
-        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
     if( siglen < hlen + 2 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
commit	31a2d14b92be6bbf66f3103bbdb04fb3aa26d72f	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Oct 19 15:23:49 2017 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Oct 19 15:43:53 2017 +0200
tree	e3f04cb0e4e6f55d272ea449612c2fe630a086a0
parent	9e2058281daa77d88cdf17d63cf30dbeaf39905b [diff] [blame]