diff --git a/library/rsa.c b/library/rsa.c index 4d4a00ba3..e97d280eb 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1389,27 +1389,28 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, end = p + len; /* - * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure + * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure. + * Insist on 2-byte length tags, to protect against variants of + * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification. */ p0 = p; if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( p != p0 + 2 || asn1_len + 2 != len ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); + p0 = p; if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - - if( p != p0 + 4 || asn1_len + 6 + hashlen != len ) + if( p != p0 + 2 || asn1_len + 6 + hashlen != len ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); + p0 = p; if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - - if( p != p0 + 6 ) + if( p != p0 + 2 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); oid.p = p; @@ -1424,13 +1425,15 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, /* * assume the algorithm parameters must be NULL */ + p0 = p; if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); + if( p != p0 + 2 ) + return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p0 = p; if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( p != p0 + 2 || asn1_len != hashlen ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED );