More length checks in RSA PKCS1v15 verify
Added one check that I'd missed, and made the style more uniform.
diff --git a/library/rsa.c b/library/rsa.c
index 4d4a00b..e97d280 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1389,27 +1389,28 @@
end = p + len;
/*
- * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
+ * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.
+ * Insist on 2-byte length tags, to protect against variants of
+ * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.
*/
p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
-
if( p != p0 + 2 || asn1_len + 2 != len )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+ p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
-
- if( p != p0 + 4 || asn1_len + 6 + hashlen != len )
+ if( p != p0 + 2 || asn1_len + 6 + hashlen != len )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+ p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
-
- if( p != p0 + 6 )
+ if( p != p0 + 2 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
oid.p = p;
@@ -1424,13 +1425,15 @@
/*
* assume the algorithm parameters must be NULL
*/
+ p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+ if( p != p0 + 2 )
+ return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
-
if( p != p0 + 2 || asn1_len != hashlen )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );