rsa_verify_hash: fix possible bleichenbacher signature attack

libtom · Aug 28, 2014 · 5eb9743 · 5eb9743
1 parent c6dfef9
commit 5eb9743
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/src/pk/rsa/rsa_verify_hash.c b/src/pk/rsa/rsa_verify_hash.c
@@ -103,7 +103,7 @@ int rsa_verify_hash_ex(const unsigned char *sig,      unsigned long siglen,
   } else {
     /* PKCS #1 v1.5 decode it */
     unsigned char *out;
-    unsigned long outlen, loid[16];
+    unsigned long outlen, loid[16], reallen;
     int           decoded;
     ltc_asn1_list digestinfo[2], siginfo[2];
 
@@ -145,8 +145,14 @@ int rsa_verify_hash_ex(const unsigned char *sig,      unsigned long siglen,
        goto bail_2;
     }
 
+    if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
+       XFREE(out);
+       goto bail_2;
+    }
+
     /* test OID */
-    if ((digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
+    if ((reallen == outlen) &&
+        (digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
         (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) &&
         (siginfo[1].size == hashlen) &&
         (XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) {