rsa_verify_hash: fix possible bleichenbacher signature attack

Fixes CVE-2016-6129

cherry-picked from:
libtom/libtomcrypt@5eb9743

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
sjaeckel authored and jenswi-linaro committed Aug 26, 2016
1 parent ca39b11 commit 30d13250c390c4f56adefdcd3b64b7cc672f9fe2
Showing with 8 additions and 2 deletions.
  1. +8 −2 core/lib/libtomcrypt/src/pk/rsa/rsa_verify_hash.c
@@ -123,7 +123,7 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
} else {
/* LTC_PKCS #1 v1.5 decode it */
unsigned char *out;
unsigned long outlen, loid[16];
unsigned long outlen, loid[16], reallen;
int decoded;
ltc_asn1_list digestinfo[2], siginfo[2];

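Review bot: `reallen` is introduced here without an initializer and is only assigned by the `der_length_sequence` call added further down in the same function; that is safe as written, since the assignment precedes the comparison and the error path frees and bails, but initializing it at the declaration (e.g. `unsigned long outlen, loid[16], reallen = 0;`) would keep a future refactor of the decode block from turning it into a use of an indeterminate value.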
@@ -165,8 +165,14 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
goto bail_2;
}

if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
XFREE(out);
goto bail_2;
}

/* test OID */
if ((digestinfo[0].size == hash_descriptor[hash_idx]->OIDlen) &&
if ((reallen == outlen) &&
(digestinfo[0].size == hash_descriptor[hash_idx]->OIDlen) &&
(XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx]->OID, sizeof(unsigned long) * hash_descriptor[hash_idx]->OIDlen) == 0) &&
(siginfo[1].size == hashlen) &&
(XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) {

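Review bot: the `/* test OID */` comment no longer describes the condition it sits above, because the first clause is now the `reallen == outlen` length check rather than the OID comparison; please extend the comment to say why the length must match (the decoded DigestInfo sequence has to account for every byte of the unpadded signature block, so trailing bytes after it cause rejection), since that is the actual CVE-2016-6129 fix and a reader of the condition should not have to infer it. The `der_length_sequence` failure path correctly mirrors the existing `XFREE(out); goto bail_2;` pattern, and folding the length mismatch into the same combined comparison as the OID and hash checks means a forged block fails through the same path as a wrong-hash block, which is the behaviour you want here.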