Description: rsa_verify_hash: fix possible bleichenbacher signature attack.
Author: Steffen Jaeckel <s@jaeckel.eu>
Applied-Upstream: https://github.com/libtom/libtomcrypt/commit/5eb9743410ce4657e9d54fef26a2ee31a1b5dd09
Last-Updated: 2016-09-13
---
Index: libtomcrypt/src/pk/rsa/rsa_verify_hash.c
===================================================================
--- libtomcrypt.orig/src/pk/rsa/rsa_verify_hash.c
+++ libtomcrypt/src/pk/rsa/rsa_verify_hash.c
@@ -96,7 +96,7 @@ int rsa_verify_hash_ex(const unsigned ch
 } else {
 /* LTC_PKCS #1 v1.5 decode it */
 unsigned char *out;
- unsigned long outlen, loid[16];
+ unsigned long outlen, loid[16], reallen;
 int decoded;
 ltc_asn1_list digestinfo[2], siginfo[2];
@@ -138,8 +138,14 @@ int rsa_verify_hash_ex(const unsigned ch
 goto bail_2;
 }
+ if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
+ XFREE(out);
+ goto bail_2;
+ }
+
 /* test OID */
- if ((digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
+ if ((reallen == outlen) &&
+ (digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
 (XMEMCMP(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) &&
 (siginfo[1].size == hashlen) &&
 (XMEMCMP(siginfo[1].data, hash, hashlen) == 0)) {
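Review bot: The new `reallen == outlen` comparison is folded into the condition that is still headed by `/* test OID */`, so the reason for the length check — the one that actually closes the reported weakness — is not visible to the next reader. I would put a comment above the `der_length_sequence` call, e.g. `/* the DER DigestInfo must span the entire decoded PKCS#1 v1.5 payload; any unconsumed trailing bytes make the signature invalid */`, and narrow the existing comment to `/* test length, OID and hash */`. The check assumes `outlen` still holds the payload length that was passed to `der_decode_sequence` earlier in the function; that assignment is outside the hunk, so it is worth confirming nothing reassigns `outlen` in between. rsa_verify_hash_ex begins and ends outside the hunk.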