RSA PKCS1v1.5 verification: check padding length The test case was generated by modifying our signature code so that it produces a 7-byte long padding (which also means garbage at the end, so it is essential to check that the error that is detected first is indeed the padding rather than the final length check).

commit: 19c10e9984acaef5a5fb4c15965b982fc1728d1f [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu May 11 12:49:51 2017 +0200
committer: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu May 11 13:37:45 2017 +0200
tree: 71abe45658829c1493450fbdd98835b4b722f5dd
parent: 98864d5c0b154eda7aeb2c2bffe7e7e1c97424bc [diff]
diff --git a/library/rsa.c b/library/rsa.c
index 79726c1..9a4134c 100644
--- a/library/rsa.c
+++ b/library/rsa.c

@@ -1376,7 +1376,11 @@
             return( POLARSSL_ERR_RSA_INVALID_PADDING );
         p++;
     }
-    p++;
+    p++; /* skip 00 byte */
+
+    /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
+    if( p - buf < 11 )
+        return( POLARSSL_ERR_RSA_INVALID_PADDING );
 
     len = siglen - ( p - buf );
commit	19c10e9984acaef5a5fb4c15965b982fc1728d1f	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu May 11 12:49:51 2017 +0200
committer	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu May 11 13:37:45 2017 +0200
tree	71abe45658829c1493450fbdd98835b4b722f5dd
parent	98864d5c0b154eda7aeb2c2bffe7e7e1c97424bc [diff]