RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential to check that the error that is detected first is indeed the
padding rather than the final length check).
diff --git a/ChangeLog b/ChangeLog
index fe5ce65..9ed4e5b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.1.x branch released xxxx-xx-xx
+
+Security
+ * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
+ potential Bleichenbacher/BERserk-style attack.
+
= mbed TLS 2.1.7 branch released 2017-03-08
Security
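Review bot: The new Security entry ("Tighten parsing of RSA PKCS#1 v1.5 signatures") does not say which check was tightened, so a reader of the ChangeLog cannot tell that this is the padding-length check named in the commit title. Consider wording it along the lines of "Reject RSA PKCS#1 v1.5 signatures whose padding is shorter than the 8 bytes the standard requires", keeping the Bleichenbacher/BERserk reference. If there is an issue number or reporter credit, this entry is where it should appear. The continuation line "potential Bleichenbacher/BERserk-style attack." should also be indented to line up under the text of the bullet's first line, as multi-line ChangeLog entries usually are.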