RSA PKCS1v1.5 verification: check padding length The test case was generated by modifying our signature code so that it produces a 7-byte long padding (which also means garbage at the end, so it is essential in to check that the error that is detected first is indeed the padding rather than the final length check).

commit: c1380de88792be5d71417a89df7682df55e73905 [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu May 11 12:49:51 2017 +0200
committer: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu May 11 13:10:13 2017 +0200
tree: b6dd240178efe5c8d1532b9b5015df87d0ef3d17
parent: b65c2be5f174468a178b6d9456b20ca969d4a3d6 [diff] [blame]
diff --git a/library/rsa.c b/library/rsa.c
index 40ef2a9..c8c6d99 100644
--- a/library/rsa.c
+++ b/library/rsa.c

@@ -1369,7 +1369,11 @@
             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
         p++;
     }
-    p++;
+    p++; /* skip 00 byte */
+
+    /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
+    if( p - buf < 11 )
+        return( MBEDTLS_ERR_RSA_INVALID_PADDING );
 
     len = siglen - ( p - buf );
commit	c1380de88792be5d71417a89df7682df55e73905	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu May 11 12:49:51 2017 +0200
committer	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu May 11 13:10:13 2017 +0200
tree	b6dd240178efe5c8d1532b9b5015df87d0ef3d17
parent	b65c2be5f174468a178b6d9456b20ca969d4a3d6 [diff] [blame]