RSA PSS: fix minimum length check for keys of size 8N+1

The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
This commit is contained in:
Gilles Peskine 2017-10-18 19:03:42 +02:00
parent 511bb84c60
commit 7addb7f0a0
2 changed files with 5 additions and 4 deletions

View File

@ -1369,9 +1369,6 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hlen = md_get_size( md_info ); hlen = md_get_size( md_info );
if( siglen < hlen + 2 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hash_start = buf + siglen - hlen - 1;
memset( zeros, 0, 8 ); memset( zeros, 0, 8 );
@ -1390,6 +1387,10 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
if( buf[0] >> ( 8 - siglen * 8 + msb ) ) if( buf[0] >> ( 8 - siglen * 8 + msb ) )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
if( siglen < hlen + 2 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hash_start = p + siglen - hlen - 1;
md_init( &md_ctx ); md_init( &md_ctx );
if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 ) if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
{ {

View File

@ -817,7 +817,7 @@ pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369
RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature
depends_on:POLARSSL_SHA512_C depends_on:POLARSSL_SHA512_C
pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":POLARSSL_ERR_RSA_INVALID_PADDING:POLARSSL_ERR_RSA_INVALID_PADDING pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":POLARSSL_ERR_RSA_BAD_INPUT_DATA:POLARSSL_ERR_RSA_BAD_INPUT_DATA
RSASSA-PSS verify ext, all-zero padding, automatic salt length RSASSA-PSS verify ext, all-zero padding, automatic salt length
depends_on:POLARSSL_SHA256_C depends_on:POLARSSL_SHA256_C