From f62a5620c69e9f36cf280b236726a3242e059fd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Tue, 5 Sep 2006 21:38:44 +0000
Subject: [PATCH] check that there are no extra bytes in the checksum and that the parameters are NULL or the NULL-type. All to avoid having excess data that can be used to fake the signature.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18031 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/crypto.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c
index d6299521a..5505eec7e 100644
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -130,7 +130,7 @@ rsa_verify_signature(const struct signature_alg *sig_alg,
 const SubjectPublicKeyInfo *spi;
 DigestInfo di;
 unsigned char *to;
- int tosize;
+ int tosize, retsize;
 int ret;
 RSA *rsa;
 RSAPublicKey pk;
@@ -167,21 +167,27 @@ rsa_verify_signature(const struct signature_alg *sig_alg,
 goto out;
 }
- ret = RSA_public_decrypt(sig->length, (unsigned char *)sig->data,
- to, rsa, RSA_PKCS1_PADDING);
- if (ret == -1) {
+ retsize = RSA_public_decrypt(sig->length, (unsigned char *)sig->data,
+ to, rsa, RSA_PKCS1_PADDING);
+ if (retsize == -1) {
 ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
 free(to);
 goto out;
 }
- if (ret > tosize)
+ if (retsize > tosize)
 _hx509_abort("internal rsa decryption failure: ret > tosize");
- ret = decode_DigestInfo(to, ret, &di, &size);
+ ret = decode_DigestInfo(to, retsize, &di, &size);
 free(to);
 if (ret) {
 goto out;
 }
+ /* Check for extra data inside the sigature */
+ if (size != retsize) {
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+ goto out;
+ }
+
 if (sig_alg->digest_oid && heim_oid_cmp(&di.digestAlgorithm.algorithm, (*sig_alg->digest_oid)()) != 0)
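Review bot: The new trailing-data check `if (size != retsize)` compares `size` (declared outside the hunk and filled by `decode_DigestInfo`, so presumably a `size_t`) against the `int` `retsize`; it is only safe because `retsize` has already been rejected when -1 and bounded by `tosize` a few lines earlier, so make that invariant explicit with `if (size != (size_t)retsize) {` and keep -Wsign-compare quiet. The same new branch jumps to `out:` after `decode_DigestInfo` has succeeded, so the decoded `di` is leaked unless `out:` (not visible in this hunk) calls `free_DigestInfo(&di)` — worth confirming, since every earlier `goto out` in the hunk happens before or on a failed decode. The added comment also has a typo; it should read `/* Check for extra data inside the signature */`. rsa_verify_signature begins before this hunk and continues after it.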
@@ -190,6 +196,15 @@ rsa_verify_signature(const struct signature_alg *sig_alg,
 goto out;
 }
+ /* verify that the parameters are NULL or the NULL-type */
+ if (di.digestAlgorithm.parameters != NULL &&
+ (di.digestAlgorithm.parameters->length != 2 ||
+ memcmp(di.digestAlgorithm.parameters->data, "\x05\x00", 2) != 0))
+ {
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+ goto out;
+ }
+
 ret = _hx509_verify_signature(NULL, &di.digestAlgorithm, data,