rsa_verify_hash: fix possible bleichenbacher signature attack

2014-08-06 15:03:46 +02:00 · 2014-08-06 15:03:46 +02:00 · 5eb9743410
commit 5eb9743410
parent c6dfef95eb
1 changed files with 8 additions and 2 deletions
--- a/src/pk/rsa/rsa_verify_hash.c
+++ b/src/pk/rsa/rsa_verify_hash.c
@ -103,7 +103,7 @@ int rsa_verify_hash_ex(const unsigned char *sig,      unsigned long siglen,
  } else {
    /* PKCS #1 v1.5 decode it */
    unsigned char *out;
-    unsigned long outlen, loid[16];
+    unsigned long outlen, loid[16], reallen;
    int           decoded;
    ltc_asn1_list digestinfo[2], siginfo[2];

@ -145,8 +145,14 @@ int rsa_verify_hash_ex(const unsigned char *sig,      unsigned long siglen,
       goto bail_2;
    }

+    if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
+       XFREE(out);
+       goto bail_2;
+    }
+
    /* test OID */
-    if ((digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
+    if ((reallen == outlen) &&
+        (digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
        (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) &&
        (siginfo[1].size == hashlen) &&
        (XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) {