From 5eb9743410ce4657e9d54fef26a2ee31a1b5dd09 Mon Sep 17 00:00:00 2001
From: Steffen Jaeckel
Date: Wed, 6 Aug 2014 15:03:46 +0200
Subject: [PATCH] rsa_verify_hash: fix possible bleichenbacher signature attack
---
 src/pk/rsa/rsa_verify_hash.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/pk/rsa/rsa_verify_hash.c b/src/pk/rsa/rsa_verify_hash.c
index 5639cd4..fc000de 100644
--- a/src/pk/rsa/rsa_verify_hash.c
+++ b/src/pk/rsa/rsa_verify_hash.c
@@ -103,7 +103,7 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
 } else {
 /* PKCS #1 v1.5 decode it */
 unsigned char *out;
- unsigned long outlen, loid[16];
+ unsigned long outlen, loid[16], reallen;
 int decoded;
 ltc_asn1_list digestinfo[2], siginfo[2];
@@ -145,8 +145,14 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
 goto bail_2;
 }
+ if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
+ XFREE(out);
+ goto bail_2;
+ }
+
 /* test OID */
- if ((digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
+ if ((reallen == outlen) &&
+ (digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
 (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) &&
 (siginfo[1].size == hashlen) &&
 (XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) {
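Review bot: The added `(reallen == outlen)` clause in the OID test is the substance of this fix but is left uncommented, so a later reader cannot tell why the DER length of `siginfo` has to equal the decoded payload length. Add a short comment above the `if`, e.g. `/* DigestInfo must fill the whole decoded block; trailing bytes after it would let a forger pad a low-exponent signature (Bleichenbacher 2006) */`. The `der_length_sequence` call that computes `reallen` also deserves a one-line comment saying it re-measures the structure just decoded from `out`, so that a mismatch can only mean unconsumed trailing data; that reading is inferred from the surrounding code rather than visible in the hunk. `rsa_verify_hash_ex` begins and ends outside this hunk, so whether the other padding branch needs an equivalent bound cannot be judged from here.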