
From: Karol Babioch <kbabioch@suse.com>
Date: Wed Feb 14 12:02:46 CET 2018
References: 28a0c727957990ac655cbe40c7eb20b7ef01167d
References: 6a54b0240dea904b5a823b2b1e01b97c37ac2e8f
References: 139108af94951855fd37ba5a1b9d6099e63b20c8
References: b00b0da45227dface23f1d1da2e28a0165d13313
References: 91048a3aac537721a84d964eeaa0de43ba14f791
Upstream: merged

Backport of several upstream commits to fix CVE-2018-0487

---
 library/rsa.c |   27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

Index: library/rsa.c
===================================================================
--- library/rsa.c.orig
+++ library/rsa.c
@@ -1196,11 +1196,12 @@ int rsa_rsassa_pss_verify_ext( rsa_conte
     int ret;
     size_t siglen;
     unsigned char *p;
+    unsigned char *hash_start;
     unsigned char buf[POLARSSL_MPI_MAX_SIZE];
     unsigned char result[POLARSSL_MD_MAX_SIZE];
     unsigned char zeros[8];
     unsigned int hlen;
-    size_t slen, msb;
+    size_t observed_salt_len, msb;
     const md_info_t *md_info;
     md_context_t md_ctx;
 
@@ -1240,7 +1241,6 @@ int rsa_rsassa_pss_verify_ext( rsa_conte
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
     hlen = md_get_size( md_info );
-    slen = siglen - hlen - 1; /* Currently length of salt + padding */
 
     memset( zeros, 0, 8 );
 
@@ -1248,6 +1248,9 @@ int rsa_rsassa_pss_verify_ext( rsa_conte
     //
     msb = mpi_msb( &ctx->N ) - 1;
 
+    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
+        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+
     // Compensate for boundary condition when applying mask
     //
     if( msb % 8 == 0 )
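Review bot: The relocated check `if( buf[0] >> ( 8 - siglen * 8 + msb ) )` carries no comment saying what it enforces, and a reader has to work out from the old position that it was previously vacuous whenever `msb % 8 == 0` (the decremented siglen made the shift count 8, so the top byte was never tested). I would add `/* The leftmost 8*emLen - emBits bits of EM must be zero (RFC 8017 9.1.2 step 4); checked before the msb%8 adjustment so the whole top byte is tested when emBits is a multiple of 8. */` above it. The shift count only stays within 0..7 if siglen equals the byte length of N, which presumably is validated earlier in the function; rsa_rsassa_pss_verify_ext's body starts outside this hunk.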
@@ -1255,8 +1258,10 @@ int rsa_rsassa_pss_verify_ext( rsa_conte
         p++;
         siglen -= 1;
     }
-    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
+
+    if( siglen < hlen + 2 )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+    hash_start = p + siglen - hlen - 1;
 
     md_init( &md_ctx );
     if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
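Review bot: The new `if( siglen < hlen + 2 )` guard is the line that actually closes the underflow (the old `siglen - hlen - 1` wrapped when the modulus was shorter than the hash plus separator), yet nothing in the hunk says so, and a later maintainer may not see why the bound is `+ 2` rather than `+ 1`. I would add `/* EM = PS || 0x01 || salt || H: even with an empty salt DB must hold the 0x01 byte, so emLen >= hLen + 2; otherwise siglen - hlen - 1 wraps and hash_start is computed from a bogus offset. */` above the check. It is also worth a word in that comment that siglen here is already reduced by the `msb % 8 == 0` adjustment, i.e. it is the emLen the RFC means, so the ordering is deliberate. rsa_rsassa_pss_verify_ext continues on both sides of this hunk.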
@@ -1265,25 +1270,23 @@ int rsa_rsassa_pss_verify_ext( rsa_conte
         return( ret );
     }
 
-    mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
+    mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
 
     buf[0] &= 0xFF >> ( siglen * 8 - msb );
 
-    while( p < buf + siglen && *p == 0 )
+    while( p < hash_start - 1 && *p == 0 )
         p++;
 
-    if( p == buf + siglen ||
-        *p++ != 0x01 )
+    if( *p++ != 0x01 )
     {
         md_free( &md_ctx );
         return( POLARSSL_ERR_RSA_INVALID_PADDING );
     }
 
-    /* Actual salt len */
-    slen -= p - buf;
+    observed_salt_len = hash_start - p;
 
     if( expected_salt_len != RSA_SALT_LEN_ANY &&
-        slen != (size_t) expected_salt_len )
+        observed_salt_len != (size_t) expected_salt_len )
     {
         md_free( &md_ctx );
         return( POLARSSL_ERR_RSA_INVALID_PADDING );
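Review bot: The loop bound `while( p < hash_start - 1 && *p == 0 )` depends on the earlier `siglen >= hlen + 2` check (it is what makes `hash_start - 1 >= p`, so the following `*p++ != 0x01` never reads past DB), but that dependency is unstated at the point of use; I would put `/* Skip PS; stop one byte short of H so the separator read below stays inside DB (guaranteed by the siglen >= hlen + 2 check above). */` on the loop. A secondary style point: `buf[0] &= 0xFF >> ( siglen * 8 - msb );` is still written against buf[0] although p may already be buf + 1; it appears harmless only because the shift is then 0 and that byte was already skipped, so `*p &= 0xFF >> ( siglen * 8 - msb );` would express the intent directly, assuming the value ranges of siglen and msb that the preceding code establishes. The enclosing function continues past the end of this hunk.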
@@ -1294,12 +1297,12 @@ int rsa_rsassa_pss_verify_ext( rsa_conte
     md_starts( &md_ctx );
     md_update( &md_ctx, zeros, 8 );
     md_update( &md_ctx, hash, hashlen );
-    md_update( &md_ctx, p, slen );
+    md_update( &md_ctx, p, observed_salt_len );
     md_finish( &md_ctx, result );
 
     md_free( &md_ctx );
 
-    if( memcmp( p + slen, result, hlen ) == 0 )
+    if( memcmp( hash_start, result, hlen ) == 0 )
         return( 0 );
     else
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );