crypto/internal/fips140/rsa: check hash length in PKCS#1 v1.5 signatures

This was already checked by crypto/rsa, so there should be no observable change. Change-Id: I2dfbfc7fd710a5782ab1d2eea8be8f5f6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/765642 LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Roland Shoemaker <roland@golang.org>
2026-06-27 19:30:52 +00:00 · 2026-04-11 14:48:19 +02:00 · 2026-04-11 14:48:19 +02:00 · e01f29f918
commit e01f29f918
parent 47cc60743b
1 changed files with 27 additions and 0 deletions
--- a/src/crypto/internal/fips140/rsa/pkcs1v15.go
+++ b/src/crypto/internal/fips140/rsa/pkcs1v15.go
@ -22,6 +22,9 @@ import (
 // For performance, we don't use the generic ASN1 encoder. Rather, we
 // precompute a prefix of the digest value that makes a valid ASN1 DER string
 // with the correct contents.
+//
+// For any new entry, also add the size to [hashSize], and if applicable, add
+// the hash name to [checkApprovedHashName].
 var hashPrefixes = map[string][]byte{
 	"MD5":         {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
 	"SHA-1":       {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14},
@ -69,6 +72,9 @@ func pkcs1v15ConstructEM(pub *PublicKey, hash string, hashed []byte) ([]byte, er
 		if !ok {
 			return nil, errors.New("crypto/rsa: unsupported hash function")
 		}
+		if len(hashed) != hashSize(hash) {
+			return nil, errors.New("crypto/rsa: hashed message length does not match hash function")
+		}
 	}

 	// EM = 0x00 || 0x01 || PS || 0x00 || T
@ -128,6 +134,27 @@ func verifyPKCS1v15(pub *PublicKey, hash string, hashed []byte, sig []byte) erro
 	return nil
 }

+func hashSize(hash string) int {
+	switch hash {
+	case "MD5":
+		return 16
+	case "SHA-1", "RIPEMD-160":
+		return 20
+	case "SHA-224", "SHA-512/224", "SHA3-224":
+		return 28
+	case "SHA-256", "SHA-512/256", "SHA3-256":
+		return 32
+	case "SHA-384", "SHA3-384":
+		return 48
+	case "SHA-512", "SHA3-512":
+		return 64
+	case "MD5+SHA1":
+		return 36
+	default:
+		return -1
+	}
+}
+
 func checkApprovedHashName(hash string) {
 	switch hash {
 	case "SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256",