PKCS#1 v1.5 decoding: fix empty payload case
diff --git a/library/rsa.c b/library/rsa.c
index f581fd7..69542f3 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1522,9 +1522,9 @@
          * where PS must be at least 8 nonzero bytes. */
         bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
 
-        /* Get padding len, but always read till end of buffer
-         * (minus one, for the 00 byte) */
-        for( i = 2; i < ilen - 1; i++ )
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count. */
+        for( i = 2; i < ilen; i++ )
         {
             pad_done  |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
             pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
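Review bot: With the bound raised to `i < ilen` on L15 (and again on L29), a buffer that contains no 0x00 separator now ends the loop with `pad_done` still 0 and `pad_count` equal to `ilen - 2`, so the code after the loop has to reject that case itself. That code lies outside both hunks; if it still checks the separator by reading the byte at offset `2 + pad_count`, that read now falls past the `ilen` bytes the loop covers. The missing-separator case should instead be folded into `bad` without a branch, reusing the expression L18 already applies to `pad_done`: `bad |= ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;` (or `bad |= if_int( pad_done, 0, 1 );` in the second branch). No test vector for a zero-length payload is visible in this diff.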
@@ -1536,9 +1536,10 @@
          * where PS must be at least 8 bytes with the value 0xFF. */
         bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
 
-        /* Get padding len, but always read till end of buffer
-         * (minus one, for the 00 byte) */
-        for( i = 2; i < ilen - 1; i++ )
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count.
+         * If there's a non-0xff byte in the padding, the padding is bad. */
+        for( i = 2; i < ilen; i++ )
         {
             pad_done |= if_int( buf[i], 0, 1 );
             pad_count += if_int( pad_done, 0, 1 );
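Review bot: The rewritten comment on L26-L28 (and its twin on L13-L14) no longer says why the scan keeps going after the separator is found, which the removed wording "always read till end of buffer" at least hinted at. The branch-free updates on L17-L18 suggest the intent is that running time must not depend on where the 0x00 byte sits, and a later maintainer adding an early `break` would silently undo that. I would add one line to both comments, such as `* Do not exit early: timing must not depend on the padding length.` The loop body continues past the end of this hunk, so the non-0xff check that the new comment mentions is not visible here.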