From 3a760a1857cc933512519616f4d6220c56c457bc Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Fri, 5 Jan 2018 08:14:49 +0000
Subject: [PATCH] Add size check for RSA modulus to `mbedtls_rsa_complete`

The function `mbedtls_rsa_complete` is supposed to guarantee that
RSA operations will complete without failure. In contrast, it does
not ensure consistency of parameters, which is the task of the
checking functions `rsa_check_pubkey` and `rsa_check_privkey`.

Previously, the maximum allowed size of the RSA modulus was checked
in `mbedtls_rsa_check_pubkey`. However, exceeding this size would lead
to failure of some RSA operations, hence this check belongs to
`mbedtls_rsa_complete` rather than `mbedtls_rsa_check_pubkey`.
This commit moves it accordingly.
---
 library/rsa.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/library/rsa.c b/library/rsa.c
index 7931673398..ad1ef6db24 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -146,8 +146,11 @@ static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
     ((void) blinding_needed);
 #endif
 
-    if( ctx->len != mbedtls_mpi_size( &ctx->N ) )
+    if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
+        ctx->len > MBEDTLS_MPI_MAX_SIZE )
+    {
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
 
     /*
      * 1. Modular exponentiation needs positive, odd moduli.
@@ -573,8 +576,7 @@ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
     if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
 
-    if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||
-        mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
+    if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
     {
         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
     }