diff options
| author | Kevin Jacobs <kjacobs@mozilla.com> | 2020-07-07 23:44:46 +0000 |
|---|---|---|
| committer | Kevin Jacobs <kjacobs@mozilla.com> | 2020-07-07 23:44:46 +0000 |
| commit | 5d6811941a46cdff1bf067244a05f5c67c2b68e1 (patch) | |
| tree | d061bd9c6c51e379ec1a1dbc78d53525bdd1ec8f /lib/freebl | |
| parent | c3d845a1886a6c20cc75175d9aadc70239209401 (diff) | |
| download | nss-hg-5d6811941a46cdff1bf067244a05f5c67c2b68e1.tar.gz | |
Bug 1067214 - Check minimum padding in RSA_CheckSignRecover. r=rrelyea
This patch adds a check to `RSA_CheckSignRecover` enforcing a minimum padding length of 8 bytes for PKCS #1 v1.5-formatted signatures. In practice, RSA key size requirements already ensure this requirement is met, but smaller (read: broken) key sizes can be used via configuration overrides, and NSS should just follow the spec.
Differential Revision: https://phabricator.services.mozilla.com/D82462
Diffstat (limited to 'lib/freebl')
| -rw-r--r-- | lib/freebl/rsapkcs.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/freebl/rsapkcs.c b/lib/freebl/rsapkcs.c index cc17ae2b7..73d40909d 100644 --- a/lib/freebl/rsapkcs.c +++ b/lib/freebl/rsapkcs.c @@ -1409,6 +1409,7 @@ RSA_CheckSignRecover(RSAPublicKey *key, unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned int i; unsigned char *buffer = NULL; + unsigned int padLen; if (sigLen != modulusLen) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); @@ -1446,6 +1447,11 @@ RSA_CheckSignRecover(RSAPublicKey *key, goto done; } } + padLen = i - 2; + if (padLen < RSA_BLOCK_MIN_PAD_LEN) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; + } if (*outputLen == 0) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); goto done; |