From b8afe1bb2c8fdd3d85d9c5c669bd0b4f45eb65e9 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Tue, 9 Feb 2016 14:51:35 +0000
Subject: [PATCH 1/4] Included test for integer underflow.

---
 library/rsa.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/library/rsa.c b/library/rsa.c
index fba68ddfc..881805ee1 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -720,6 +720,10 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
      */
     hlen = mbedtls_md_get_size( md_info );
 
+    // checking for integer underflow
+    if( 2 * hlen + 2 > ilen )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
     mbedtls_md_init( &md_ctx );
     mbedtls_md_setup( &md_ctx, md_info, 0 );
 

From eae41bf340bdb280ad2c72db367811c664bf9ac6 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Wed, 10 Feb 2016 16:40:16 +0000
Subject: [PATCH 2/4] Add Changelog entry for current branch

---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 71aa60567..f37bd9b67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,10 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 = mbed TLS 2.x branch
 
+Security
+   * Fix a potential integer underflow to buffer overread in 
+     mbedtls_rsa_rsaes_oaep_decrypt
+
 Bugfix
    * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
      arguments where the same (in-place doubling). Found and fixed by Janos

From c17cda1ab9c8b42bfa183830f0acdcbeabcd154c Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Thu, 11 Feb 2016 11:08:18 +0000
Subject: [PATCH 3/4] Moved underflow test to better reflect time constant
 behaviour.

---
 library/rsa.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/library/rsa.c b/library/rsa.c
index 881805ee1..34f9d8b05 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -705,6 +705,12 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
     if( md_info == NULL )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
+    hlen = mbedtls_md_get_size( md_info );
+
+    // checking for integer underflow
+    if( 2 * hlen + 2 > ilen )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
     /*
      * RSA operation
      */
@@ -718,12 +724,6 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
     /*
      * Unmask data and generate lHash
      */
-    hlen = mbedtls_md_get_size( md_info );
-
-    // checking for integer underflow
-    if( 2 * hlen + 2 > ilen )
-        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-
     mbedtls_md_init( &md_ctx );
     mbedtls_md_setup( &md_ctx, md_info, 0 );
 

From bc247c99469028c536c051620f326374cd279414 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Thu, 11 Feb 2016 11:15:44 +0000
Subject: [PATCH 4/4] Extended ChangeLog entry

---
 ChangeLog | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index f37bd9b67..e89e54ad6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,7 +4,8 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 Security
    * Fix a potential integer underflow to buffer overread in 
-     mbedtls_rsa_rsaes_oaep_decrypt
+     mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
+     SSL/TLS.
 
 Bugfix
    * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three