RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
diff --git a/library/rsa.c b/library/rsa.c
index 9e05b4b..8933aa1 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1370,9 +1370,6 @@
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
hlen = mbedtls_md_get_size( md_info );
- if( siglen < hlen + 2 )
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
- hash_start = buf + siglen - hlen - 1;
memset( zeros, 0, 8 );
@@ -1391,6 +1388,10 @@
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ if( siglen < hlen + 2 )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ hash_start = p + siglen - hlen - 1;
+
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{