commit 6a54b0240dea904b5a823b2b1e01b97c37ac2e8f
author Gilles Peskine <Gilles.Peskine@arm.com> Tue Oct 17 19:02:13 2017 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Tue Oct 17 19:12:36 2017 +0200
tree e208cf98605054e4b1ff2f59411eb7bd9de5f8ef
parent 28a0c727957990ac655cbe40c7eb20b7ef01167d

RSA: Fix another buffer overflow in PSS signature verification

Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index a4e3ee6..f9aec22 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1319,10 +1319,11 @@
     int ret;
     size_t siglen;
     unsigned char *p;
+    unsigned char *hash_start;
     unsigned char result[MBEDTLS_MD_MAX_SIZE];
     unsigned char zeros[8];
     unsigned int hlen;
-    size_t slen, msb;
+    size_t observed_salt_len, msb;
     const mbedtls_md_info_t *md_info;
     mbedtls_md_context_t md_ctx;
     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
@@ -1364,7 +1365,7 @@
     hlen = mbedtls_md_get_size( md_info );
     if( siglen < hlen + 2 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-    slen = siglen - hlen - 1; /* Currently length of salt + padding */
+    hash_start = buf + siglen - hlen - 1;
 
     memset( zeros, 0, 8 );
 
@@ -1379,6 +1380,7 @@
         p++;
         siglen -= 1;
     }
+    else
     if( buf[0] >> ( 8 - siglen * 8 + msb ) )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
@@ -1389,25 +1391,24 @@
         return( ret );
     }
 
-    mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
+    mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
 
     buf[0] &= 0xFF >> ( siglen * 8 - msb );
 
-    while( p < buf + siglen && *p == 0 )
+    while( p < hash_start - 1 && *p == 0 )
         p++;
 
-    if( p == buf + siglen ||
+    if( p == hash_start ||
         *p++ != 0x01 )
     {
         mbedtls_md_free( &md_ctx );
         return( MBEDTLS_ERR_RSA_INVALID_PADDING );
     }
 
-    /* Actual salt len */
-    slen -= p - buf;
+    observed_salt_len = hash_start - p;
 
     if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
-        slen != (size_t) expected_salt_len )
+        observed_salt_len != (size_t) expected_salt_len )
     {
         mbedtls_md_free( &md_ctx );
         return( MBEDTLS_ERR_RSA_INVALID_PADDING );
@@ -1419,12 +1420,12 @@
     mbedtls_md_starts( &md_ctx );
     mbedtls_md_update( &md_ctx, zeros, 8 );
     mbedtls_md_update( &md_ctx, hash, hashlen );
-    mbedtls_md_update( &md_ctx, p, slen );
+    mbedtls_md_update( &md_ctx, p, observed_salt_len );
     mbedtls_md_finish( &md_ctx, result );
 
     mbedtls_md_free( &md_ctx );
 
-    if( memcmp( p + slen, result, hlen ) == 0 )
+    if( memcmp( hash_start, result, hlen ) == 0 )
         return( 0 );
     else
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );