commit 7addb7f0a0c3f7b2294780022cf8c84990d9bca0
author Gilles Peskine <Gilles.Peskine@arm.com> Wed Oct 18 19:03:42 2017 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Wed Oct 18 19:13:22 2017 +0200
tree 40081a5c302842cd8dc3cc8f102be8196e2919cf
parent 511bb84c609e1b39cc9e470f4f9132accb412591

RSA PSS: fix minimum length check for keys of size 8N+1

The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index 56fd792..6b720a4 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1369,9 +1369,6 @@
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
     hlen = md_get_size( md_info );
-    if( siglen < hlen + 2 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    hash_start = buf + siglen - hlen - 1;
 
     memset( zeros, 0, 8 );
 
@@ -1390,6 +1387,10 @@
     if( buf[0] >> ( 8 - siglen * 8 + msb ) )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
+    if( siglen < hlen + 2 )
+        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+    hash_start = p + siglen - hlen - 1;
+
     md_init( &md_ctx );
     if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
     {

tests/suites/test_suite_pkcs1_v21.data

diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data
index b396c64..1c41137 100644
--- a/tests/suites/test_suite_pkcs1_v21.data
+++ b/tests/suites/test_suite_pkcs1_v21.data
@@ -817,7 +817,7 @@
 
 RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature
 depends_on:POLARSSL_SHA512_C
-pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":POLARSSL_ERR_RSA_INVALID_PADDING:POLARSSL_ERR_RSA_INVALID_PADDING
+pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":POLARSSL_ERR_RSA_BAD_INPUT_DATA:POLARSSL_ERR_RSA_BAD_INPUT_DATA
 
 RSASSA-PSS verify ext, all-zero padding, automatic salt length
 depends_on:POLARSSL_SHA256_C