RSA PSS: fix first byte check for keys of size 8N+1 For a key of size 8N+1, check that the first byte after applying the public key operation is 0 (it could have been 1 instead). The code was incorrectly doing a no-op check instead, which led to invalid signatures being accepted. Not a security flaw, since you would need the private key to craft such an invalid signature, but a bug nonetheless.

commit: 5d9224e11cb76712f4416da71715fec09aef12e7 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Thu Oct 19 15:23:49 2017 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Thu Oct 19 15:47:13 2017 +0200
tree: 2464d899c623ee1cbe60e3f6932fbf9147559703
parent: 7addb7f0a0c3f7b2294780022cf8c84990d9bca0 [diff] [blame]
diff --git a/library/rsa.c b/library/rsa.c
index 6b720a4..923294f 100644
--- a/library/rsa.c
+++ b/library/rsa.c

@@ -1376,6 +1376,9 @@
     //
     msb = mpi_msb( &ctx->N ) - 1;
 
+    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
+        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+
     // Compensate for boundary condition when applying mask
     //
     if( msb % 8 == 0 )
@@ -1383,9 +1386,6 @@
         p++;
         siglen -= 1;
     }
-    else
-    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
     if( siglen < hlen + 2 )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
commit	5d9224e11cb76712f4416da71715fec09aef12e7	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Oct 19 15:23:49 2017 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Oct 19 15:47:13 2017 +0200
tree	2464d899c623ee1cbe60e3f6932fbf9147559703
parent	7addb7f0a0c3f7b2294780022cf8c84990d9bca0 [diff] [blame]