RSA PKCS1v1.5 verification: check padding length

The test case was generated by modifying our signature code so that it produces a 7-byte long padding (which also means garbage at the end, so it is essential in to check that the error that is detected first is indeed the padding rather than the final length check).
2025-07-28 00:21:48 +03:00 · 2017-05-11 12:49:51 +02:00
parent b65c2be5f1
commit c1380de887
3 changed files with 15 additions and 1 deletions
--- a/library/rsa.c
+++ b/library/rsa.c
@ -1369,7 +1369,11 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
        p++;
    }
-    p++;
+    p++; /* skip 00 byte */
+
+    /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
+    if( p - buf < 11 )
+        return( MBEDTLS_ERR_RSA_INVALID_PADDING );

    len = siglen - ( p - buf );