RSA PKCS1v1.5 verification: check padding length

The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential to check that the error that is detected first is indeed the
padding rather than the final length check).

diff --git a/library/rsa.c b/library/rsa.c
index e831875..d6b7a03 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1375,7 +1375,11 @@
             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
         p++;
     }
-    p++;
+    p++; /* skip 00 byte */
+
+    /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
+    if( p - buf < 11 )
+        return( MBEDTLS_ERR_RSA_INVALID_PADDING );
 
     len = siglen - ( p - buf );
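
Review bot: the literal 11 in `if( p - buf < 11 )` is justified only by the comment above it. Writing it as 3 + 8, or as a named minimum-padding constant, would make the count (00, 01, at least 8 bytes of PS, 00) readable from the condition itself. The commit message says the test signature carries 7 bytes of padding followed by garbage, and that the padding error has to be detected before the final length check, but no test is visible in this diff. Please confirm the test asserts MBEDTLS_ERR_RSA_INVALID_PADDING specifically rather than any failure, and consider adding a case with exactly 8 bytes of padding that must still verify, so the boundary is pinned from both sides.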