RSA PKCS1v1.5 verification: check padding length The test case was generated by modifying our signature code so that it produces a 7-byte long padding (which also means garbage at the end, so it is essential in to check that the error that is detected first is indeed the padding rather than the final length check).

commit: c1380de88792be5d71417a89df7682df55e73905 [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu May 11 12:49:51 2017 +0200
committer: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu May 11 13:10:13 2017 +0200
tree: b6dd240178efe5c8d1532b9b5015df87d0ef3d17
parent: b65c2be5f174468a178b6d9456b20ca969d4a3d6 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 13de867..4340b42 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.x.x branch released xxxx-xx-xx
+
+Security
+   * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
+     potential Bleichenbacher/BERserk-style attack.
+
 = mbed TLS 2.4.2 branch released 2017-03-08
 
 Security
commit	c1380de88792be5d71417a89df7682df55e73905	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu May 11 12:49:51 2017 +0200
committer	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu May 11 13:10:13 2017 +0200
tree	b6dd240178efe5c8d1532b9b5015df87d0ef3d17
parent	b65c2be5f174468a178b6d9456b20ca969d4a3d6 [diff] [blame]