Add size check for RSA modulus to `mbedtls_rsa_complete`
The function `mbedtls_rsa_complete` is supposed to guarantee that
RSA operations will complete without failure. In contrast, it does
not ensure consistency of parameters, which is the task of the
checking functions `rsa_check_pubkey` and `rsa_check_privkey`.
Previously, the maximum allowed size of the RSA modulus was checked
in `mbedtls_rsa_check_pubkey`. However, exceeding this size would lead
to failure of some RSA operations, hence this check belongs to
`mbedtls_rsa_complete` rather than `mbedtls_rsa_check_pubkey`.
This commit moves it accordingly.
diff --git a/library/rsa.c b/library/rsa.c
index 7931673..ad1ef6d 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -146,8 +146,11 @@
((void) blinding_needed);
#endif
- if( ctx->len != mbedtls_mpi_size( &ctx->N ) )
+ if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
+ ctx->len > MBEDTLS_MPI_MAX_SIZE )
+ {
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ }
/*
* 1. Modular exponentiation needs positive, odd moduli.
@@ -573,8 +576,7 @@
if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
- if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||
- mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
+ if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
{
return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
}