From d4842e400c7d35bab098b92858752f9875d1492c Mon Sep 17 00:00:00 2001
From: David Howells
Date: Fri, 21 Sep 2012 23:28:05 +0100
Subject: [PATCH] --- yaml --- r: 334297 b: refs/heads/master c: 0b1568a4536ff287a87908d7fc35c05bd7736a53 h: refs/heads/master i: 334295: 71bdc244ab32cad286b268a82e3d27835fd94092 v: v3
---
 [refs] | 2 +-
 trunk/crypto/asymmetric_keys/rsa.c | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/[refs] b/[refs]
index aa358b448e20..541da90c0ef2 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 612e0fe99965a4028359cd1da5af56b7f6caf7f6
+refs/heads/master: 0b1568a4536ff287a87908d7fc35c05bd7736a53
diff --git a/trunk/crypto/asymmetric_keys/rsa.c b/trunk/crypto/asymmetric_keys/rsa.c
index 9b31ee25a459..4a6a0696f8a3 100644
--- a/trunk/crypto/asymmetric_keys/rsa.c
+++ b/trunk/crypto/asymmetric_keys/rsa.c
@@ -224,15 +224,23 @@ static int RSA_verify_signature(const struct public_key *key,
 return -ENOTSUPP;
 /* (1) Check the signature size against the public key modulus size */
- k = (mpi_get_nbits(key->rsa.n) + 7) / 8;
+ k = mpi_get_nbits(key->rsa.n);
+ tsize = mpi_get_nbits(sig->rsa.s);
- tsize = (mpi_get_nbits(sig->rsa.s) + 7) / 8;
+ /* According to RFC 4880 sec 3.2, length of MPI is computed starting
+ * from most significant bit. So the RFC 3447 sec 8.2.2 size check
+ * must be relaxed to conform with shorter signatures - so we fail here
+ * only if signature length is longer than modulus size.
+ */
 pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
- if (tsize != k) {
+ if (k < tsize) {
 ret = -EBADMSG;
 goto error;
 }
+ /* Round up and convert to octets */
+ k = (k + 7) / 8;
+
 /* (2b) Apply the RSAVP1 verification primitive to the public key */
 ret = RSAVP1(key, sig->rsa.s, &m);
 if (ret < 0)
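Review bot: The relaxed test `if (k < tsize)` in the rsa.c hunk compares bit lengths only, so a signature whose MPI has the same bit length as the modulus but is numerically >= n passes step 1. The RFC 3447 range requirement 0 <= s < n then rests entirely on RSAVP1(), whose body is outside this hunk and should be confirmed to reject such values. I would record that dependency in the new comment, e.g. `* The s < n range check itself is left to RSAVP1().`. The `pr_devel` line keeps its old format string although k and tsize are now bit counts rather than octets; `pr_devel("step 1: k=%zu bits size(S)=%zu bits\n", k, tsize);` would keep the debug output unambiguous. RSA_verify_signature starts before and continues past the hunk, so any later use of tsize as an octet count cannot be checked from here.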