AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

More length checks in RSA PKCS1v15 verify

Browse Source 
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
This commit is contained in:
Gilles Peskine 2017-05-03 18:32:21 +02:00
parent b65c2be5f1
commit 0e17eb05f8
2 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -1,5 +1,11 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.x.x branch released xxxx-xx-xx
Security
* Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
= mbed TLS 2.4.2 branch released 2017-03-08 = mbed TLS 2.4.2 branch released 2017-03-08
Security Security

13
library/rsa.c
View File

@ -1337,7 +1337,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
{ {
int ret; int ret;
size_t len, siglen, asn1_len; size_t len, siglen, asn1_len;
unsigned char *p, *end; unsigned char *p, *p0, *end;
mbedtls_md_type_t msg_md_alg; mbedtls_md_type_t msg_md_alg;
const mbedtls_md_info_t *md_info; const mbedtls_md_info_t *md_info;
mbedtls_asn1_buf oid; mbedtls_asn1_buf oid;
@ -1391,23 +1391,27 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
/* /*
* Parse the ASN.1 structure inside the PKCS#1 v1.5 structure * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
*/ */
p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
if( asn1_len + 2 != len ) if( p != p0 + 2 || asn1_len + 2 != len )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
if( asn1_len + 6 + hashlen != len ) if( p != p0 + 4 || asn1_len + 6 + hashlen != len )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
if( p != p0 + 6 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
oid.p = p; oid.p = p;
p += oid.len; p += oid.len;
@ -1423,10 +1427,11 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 ) if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
if( asn1_len != hashlen ) if( p != p0 + 2 || asn1_len != hashlen )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
if( memcmp( p, hash, hashlen ) != 0 ) if( memcmp( p, hash, hashlen ) != 0 )