commit 0e17eb05f88b0171b17fada3b3c41987dc29769b
author Gilles Peskine <Gilles.Peskine@arm.com> Wed May 03 18:32:21 2017 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Wed May 03 18:56:10 2017 +0200
tree 19f307accdd82a9c5b9e21c71251094d04278a6b
parent b65c2be5f174468a178b6d9456b20ca969d4a3d6

More length checks in RSA PKCS1v15 verify

Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 13de867..6673e82 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.x.x branch released xxxx-xx-xx
+
+Security
+   * Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
+     potential Bleichenbacher-style attack.
+
 = mbed TLS 2.4.2 branch released 2017-03-08
 
 Security

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index 40ef2a9..4d4a00b 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1337,7 +1337,7 @@
 {
     int ret;
     size_t len, siglen, asn1_len;
-    unsigned char *p, *end;
+    unsigned char *p, *p0, *end;
     mbedtls_md_type_t msg_md_alg;
     const mbedtls_md_info_t *md_info;
     mbedtls_asn1_buf oid;
@@ -1391,23 +1391,27 @@
     /*
      * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
      */
+    p0 = p;
     if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
-    if( asn1_len + 2 != len )
+    if( p != p0 + 2 || asn1_len + 2 != len )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
     if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
-    if( asn1_len + 6 + hashlen != len )
+    if( p != p0 + 4 || asn1_len + 6 + hashlen != len )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
     if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
+    if( p != p0 + 6 )
+        return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+
     oid.p = p;
     p += oid.len;
 
@@ -1423,10 +1427,11 @@
     if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
+    p0 = p;
     if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
-    if( asn1_len != hashlen )
+    if( p != p0 + 2 || asn1_len != hashlen )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
     if( memcmp( p, hash, hashlen ) != 0 )