More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
Backport to 1.3
diff --git a/library/rsa.c b/library/rsa.c
index 79726c1..253adf5 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1344,7 +1344,7 @@
{
int ret;
size_t len, siglen, asn1_len;
- unsigned char *p, *end;
+ unsigned char *p, *p0, *end;
unsigned char buf[POLARSSL_MPI_MAX_SIZE];
md_type_t msg_md_alg;
const md_info_t *md_info;
@@ -1397,23 +1397,27 @@
// Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
//
+ p0 = p;
if( ( ret = asn1_get_tag( &p, end, &asn1_len,
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
- if( asn1_len + 2 != len )
+ if( p != p0 + 2 || asn1_len + 2 != len )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
if( ( ret = asn1_get_tag( &p, end, &asn1_len,
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
- if( asn1_len + 6 + hashlen != len )
+ if( p != p0 + 4 || asn1_len + 6 + hashlen != len )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
if( ( ret = asn1_get_tag( &p, end, &oid.len, ASN1_OID ) ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
+ if( p != p0 + 6 )
+ return( POLARSSL_ERR_RSA_VERIFY_FAILED );
+
oid.p = p;
p += oid.len;
@@ -1429,10 +1433,11 @@
if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_NULL ) ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
+ p0 = p;
if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
- if( asn1_len != hashlen )
+ if( p != p0 + 2 || asn1_len != hashlen )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
if( memcmp( p, hash, hashlen ) != 0 )